Side by Side Diff: modules/ssh/templates/sshd_config.erb
Issue 9317099:
Various SSH configuration improvements (Closed)
Patch Set:
Created Feb. 6, 2013, 8:24 a.m.
| Left: | ||
| Right: |
Use n/p to move between diff chunks;
N/P to move between comments.
« no previous file with comments
|
« modules/private-stub/manifests/users.pp ('k')
|
no next file »
|
no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
| OLD | NEW |
|---|---|
| 1 # Package generated configuration file | 1 # Package generated configuration file |
| 2 # See the sshd_config(5) manpage for details | 2 # See the sshd_config(5) manpage for details |
| 3 | 3 |
| 4 # What ports, IPs and protocols we listen for | 4 # What ports, IPs and protocols we listen for |
| 5 Port 22 | 5 Port 22 |
| 6 # Use these options to restrict which interfaces/protocols sshd will bind to | 6 # Use these options to restrict which interfaces/protocols sshd will bind to |
| 7 #ListenAddress :: | 7 #ListenAddress :: |
| 8 #ListenAddress 0.0.0.0 | 8 #ListenAddress 0.0.0.0 |
| 9 Protocol 2 | 9 Protocol 2 |
| 10 # HostKeys for protocol version 2 | 10 # HostKeys for protocol version 2 |
| 11 HostKey /etc/ssh/ssh_host_rsa_key | 11 HostKey /etc/ssh/ssh_host_rsa_key |
| 12 HostKey /etc/ssh/ssh_host_dsa_key | 12 HostKey /etc/ssh/ssh_host_dsa_key |
| 13 HostKey /etc/ssh/ssh_host_ecdsa_key | 13 HostKey /etc/ssh/ssh_host_ecdsa_key |
| 14 #Privilege Separation is turned on for security | 14 #Privilege Separation is turned on for security |
| 15 UsePrivilegeSeparation yes | 15 UsePrivilegeSeparation yes |
| 16 | 16 |
| 17 # Lifetime and size of ephemeral version 1 server key | 17 # Lifetime and size of ephemeral version 1 server key |
| 18 KeyRegenerationInterval 3600 | 18 KeyRegenerationInterval 3600 |
| 19 ServerKeyBits 768 | 19 ServerKeyBits 768 |
| 20 | 20 |
| 21 # Logging | 21 # Logging |
| 22 SyslogFacility AUTH | 22 SyslogFacility AUTH |
| 23 LogLevel INFO | 23 LogLevel INFO |
| 24 | 24 |
| 25 # Authentication: | 25 # Authentication: |
| 26 LoginGraceTime 120 | 26 LoginGraceTime 120 |
| 27 PermitRootLogin yes | 27 PermitRootLogin no |
| 28 StrictModes yes | 28 StrictModes yes |
| 29 | 29 |
| 30 RSAAuthentication yes | 30 RSAAuthentication yes |
| 31 PubkeyAuthentication yes | 31 PubkeyAuthentication yes |
| 32 #AuthorizedKeysFile %h/.ssh/authorized_keys | 32 #AuthorizedKeysFile %h/.ssh/authorized_keys |
| 33 | 33 |
| 34 # Don't read the user's ~/.rhosts and ~/.shosts files | 34 # Don't read the user's ~/.rhosts and ~/.shosts files |
| 35 IgnoreRhosts yes | 35 IgnoreRhosts yes |
| 36 # For this to work you will also need host keys in /etc/ssh_known_hosts | 36 # For this to work you will also need host keys in /etc/ssh_known_hosts |
| 37 RhostsRSAAuthentication no | 37 RhostsRSAAuthentication no |
| 38 # similar for protocol version 2 | 38 # similar for protocol version 2 |
| 39 HostbasedAuthentication no | 39 HostbasedAuthentication no |
| 40 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | 40 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication |
| 41 #IgnoreUserKnownHosts yes | 41 #IgnoreUserKnownHosts yes |
| 42 | 42 |
| 43 # To enable empty passwords, change to yes (NOT RECOMMENDED) | 43 # To enable empty passwords, change to yes (NOT RECOMMENDED) |
| 44 PermitEmptyPasswords no | 44 PermitEmptyPasswords no |
| 45 | 45 |
| 46 # Change to yes to enable challenge-response passwords (beware issues with | 46 # Change to yes to enable challenge-response passwords (beware issues with |
| 47 # some PAM modules and threads) | 47 # some PAM modules and threads) |
| 48 ChallengeResponseAuthentication no | 48 ChallengeResponseAuthentication no |
| 49 | 49 |
| 50 # Change to no to disable tunnelled clear text passwords | 50 # Change to no to disable tunnelled clear text passwords |
| 51 #PasswordAuthentication yes | 51 PasswordAuthentication no |
| 52 | 52 |
| 53 # Kerberos options | 53 # Kerberos options |
| 54 #KerberosAuthentication no | 54 #KerberosAuthentication no |
| 55 #KerberosGetAFSToken no | 55 #KerberosGetAFSToken no |
| 56 #KerberosOrLocalPasswd yes | 56 #KerberosOrLocalPasswd yes |
| 57 #KerberosTicketCleanup yes | 57 #KerberosTicketCleanup yes |
| 58 | 58 |
| 59 # GSSAPI options | 59 # GSSAPI options |
| 60 #GSSAPIAuthentication no | 60 #GSSAPIAuthentication no |
| 61 #GSSAPICleanupCredentials yes | 61 #GSSAPICleanupCredentials yes |
| 62 | 62 |
| 63 X11Forwarding yes | 63 AllowAgentForwarding no |
| 64 AllowTcpForwarding no | |
| 65 X11Forwarding no | |
| 64 X11DisplayOffset 10 | 66 X11DisplayOffset 10 |
| 65 PrintMotd no | 67 PrintMotd no |
| 66 PrintLastLog yes | 68 PrintLastLog yes |
| 67 TCPKeepAlive yes | 69 TCPKeepAlive yes |
| 70 PermitUserEnvironment yes | |
| 68 #UseLogin no | 71 #UseLogin no |
| 69 | 72 |
| 70 #MaxStartups 10:30:60 | 73 #MaxStartups 10:30:60 |
| 71 #Banner /etc/issue.net | 74 #Banner /etc/issue.net |
| 72 | 75 |
| 73 # Allow client to pass locale environment variables | 76 # Allow client to pass locale environment variables |
| 74 AcceptEnv LANG LC_* | 77 AcceptEnv LANG LC_* |
| 75 | 78 |
| 76 Subsystem sftp /usr/lib/openssh/sftp-server | 79 Subsystem sftp /usr/lib/openssh/sftp-server |
| 77 | 80 |
| 78 # Set this to 'yes' to enable PAM authentication, account processing, | 81 # Set this to 'yes' to enable PAM authentication, account processing, |
| 79 # and session processing. If this is enabled, PAM authentication will | 82 # and session processing. If this is enabled, PAM authentication will |
| 80 # be allowed through the ChallengeResponseAuthentication and | 83 # be allowed through the ChallengeResponseAuthentication and |
| 81 # PasswordAuthentication. Depending on your PAM configuration, | 84 # PasswordAuthentication. Depending on your PAM configuration, |
| 82 # PAM authentication via ChallengeResponseAuthentication may bypass | 85 # PAM authentication via ChallengeResponseAuthentication may bypass |
| 83 # the setting of "PermitRootLogin without-password". | 86 # the setting of "PermitRootLogin without-password". |
| 84 # If you just want the PAM account and session checks to run without | 87 # If you just want the PAM account and session checks to run without |
| 85 # PAM authentication, then enable this but set PasswordAuthentication | 88 # PAM authentication, then enable this but set PasswordAuthentication |
| 86 # and ChallengeResponseAuthentication to 'no'. | 89 # and ChallengeResponseAuthentication to 'no'. |
| 87 UsePAM yes | 90 UsePAM yes |
| 88 | 91 |
| 89 <%= custom_configuration %> | 92 <%= custom_configuration %> |
| OLD | NEW |
« no previous file with comments
|
« modules/private-stub/manifests/users.pp ('k')
|
no next file »
|
no next file with comments »
