ajout config sshd
|
1 |
Include /etc/ssh/sshd_config.d/*.conf |
2 |
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ |
|
3 | ||
4 |
# This is the sshd server system-wide configuration file. See |
|
5 |
# sshd_config(5) for more information. |
|
6 | ||
7 |
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin |
|
8 | ||
9 |
# The strategy used for options in the default sshd_config shipped with |
|
10 |
# OpenSSH is to specify options with their default value where |
|
11 |
# possible, but leave them commented. Uncommented options override the |
|
12 |
# default value. |
|
13 | ||
14 |
#Port 22 |
|
15 |
#AddressFamily any |
|
16 |
#ListenAddress 192.168.1.53 |
|
17 |
#ListenAddress :: |
|
18 | ||
19 |
#HostKey /etc/ssh/ssh_host_rsa_key |
|
20 |
#HostKey /etc/ssh/ssh_host_ecdsa_key |
|
21 |
#HostKey /etc/ssh/ssh_host_ed25519_key |
|
22 | ||
23 |
# Ciphers and keying |
|
24 |
#RekeyLimit default none |
|
25 | ||
26 |
# Logging |
|
27 |
#SyslogFacility AUTH |
|
28 |
#LogLevel INFO |
|
29 | ||
30 |
# Authentication: |
|
31 | ||
32 |
#LoginGraceTime 2m |
|
33 |
PermitRootLogin no |
|
34 |
#DenyUsers dans /etc/ssh/sshd_config.d/DenyAllow.conf |
|
35 |
#AllowUsers dans /etc/ssh/sshd_config.d/DenyAllow.conf |
|
36 |
StrictModes yes |
|
37 |
#MaxAuthTries 6 |
|
38 |
#MaxSessions 10 |
|
39 | ||
40 |
PubkeyAuthentication yes |
|
41 | ||
42 |
# Expect .ssh/authorized_keys2 to be disregarded by default in future. |
|
43 |
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 |
|
44 | ||
45 |
#AuthorizedPrincipalsFile none |
|
46 | ||
47 |
#AuthorizedKeysCommand none |
|
48 |
#AuthorizedKeysCommandUser nobody |
|
49 | ||
50 |
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts |
|
51 |
#HostbasedAuthentication no |
|
52 |
# Change to yes if you don't trust ~/.ssh/known_hosts for |
|
53 |
# HostbasedAuthentication |
|
54 |
#IgnoreUserKnownHosts no |
|
55 |
# Don't read the user's ~/.rhosts and ~/.shosts files |
|
56 |
IgnoreRhosts yes |
|
57 | ||
58 |
# To disable tunneled clear text passwords, change to no here! |
|
59 |
PasswordAuthentication no |
|
60 |
PermitEmptyPasswords no |
|
61 | ||
62 |
# Change to yes to enable challenge-response passwords (beware issues with |
|
63 |
# some PAM modules and threads) |
|
64 |
ChallengeResponseAuthentication no |
|
65 | ||
66 |
# Kerberos options |
|
67 |
#KerberosAuthentication no |
|
68 |
#KerberosOrLocalPasswd yes |
|
69 |
#KerberosTicketCleanup yes |
|
70 |
#KerberosGetAFSToken no |
|
71 | ||
72 |
# GSSAPI options |
|
73 |
#GSSAPIAuthentication no |
|
74 |
#GSSAPICleanupCredentials yes |
|
75 |
#GSSAPIStrictAcceptorCheck yes |
|
76 |
#GSSAPIKeyExchange no |
|
77 | ||
78 |
# Set this to 'yes' to enable PAM authentication, account processing, |
|
79 |
# and session processing. If this is enabled, PAM authentication will |
|
80 |
# be allowed through the ChallengeResponseAuthentication and |
|
81 |
# PasswordAuthentication. Depending on your PAM configuration, |
|
82 |
# PAM authentication via ChallengeResponseAuthentication may bypass |
|
83 |
# the setting of "PermitRootLogin without-password". |
|
84 |
# If you just want the PAM account and session checks to run without |
|
85 |
# PAM authentication, then enable this but set PasswordAuthentication |
|
86 |
# and ChallengeResponseAuthentication to 'no'. |
|
87 |
UsePAM yes |
|
88 | ||
89 |
#AllowAgentForwarding yes |
|
90 |
#AllowTcpForwarding yes |
|
91 |
#GatewayPorts no |
|
92 |
X11Forwarding yes |
|
93 |
#X11DisplayOffset 10 |
|
94 |
#X11UseLocalhost yes |
|
95 |
#PermitTTY yes |
|
96 |
PrintMotd no |
|
97 |
#PrintLastLog yes |
|
98 |
#TCPKeepAlive yes |
|
99 |
#PermitUserEnvironment no |
|
100 |
#Compression delayed |
|
101 |
#ClientAliveInterval 0 |
|
102 |
#ClientAliveCountMax 3 |
|
103 |
#UseDNS no |
|
104 |
#PidFile /var/run/sshd.pid |
|
105 |
#MaxStartups 10:30:100 |
|
106 |
#PermitTunnel no |
|
107 |
#ChrootDirectory none |
|
108 |
#VersionAddendum none |
|
109 | ||
110 |
# no default banner path |
|
111 |
#Banner none |
|
112 | ||
113 |
# Allow client to pass locale environment variables |
|
114 |
AcceptEnv LANG LC_* |
|
115 | ||
116 |
# override default of no subsystems |
|
117 |
Subsystem sftp /usr/lib/openssh/sftp-server |
|
118 | ||
119 |
# Example of overriding settings on a per-user basis |
|
120 |
#Match User anoncvs |
|
121 |
# X11Forwarding no |
|
122 |
# AllowTcpForwarding no |
|
123 |
# PermitTTY no |
|
124 |
# ForceCommand cvs server |
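Review bot: The `Include /etc/ssh/sshd_config.d/*.conf` on the first line is read before every setting below it, and sshd keeps the first value it obtains for each keyword, so any drop-in that sets `PasswordAuthentication`, `PermitRootLogin` or `ChallengeResponseAuthentication` silently wins over the `no` values in this file. The `DenyUsers`/`AllowUsers` comments show that access control already lives in `DenyAllow.conf`, so the drop-in directory is part of the trusted configuration. I would add a comment under the Include such as `# first value wins: files in sshd_config.d/ override the settings below`, keep that directory root-owned and not writable by others, and check the effective result with `sshd -T` after deployment. Separately, `X11Forwarding yes` is the one forwarding option explicitly enabled; unless X11 clients are actually run over SSH on this host, `X11Forwarding no` is the safer value.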