ajout config sshd
Sébastien authored on 2023-04-24
# Drop-in files are read first. sshd keeps the first value it obtains for
# each keyword, so a keyword set in /etc/ssh/sshd_config.d/*.conf takes
# precedence over the same keyword set later in this file. Run "sshd -T"
# to print the effective settings after editing either place.
Include /etc/ssh/sshd_config.d/*.conf
#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

            
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

            
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

            
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

            
#Port 22
#AddressFamily any
#ListenAddress 192.168.1.53
#ListenAddress ::

            
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

            
# Ciphers and keying
#RekeyLimit default none

            
# Logging
#SyslogFacility AUTH
#LogLevel INFO

            
# Authentication:

            
#LoginGraceTime 2m
# Root cannot log in over SSH with any authentication method.
PermitRootLogin no
#DenyUsers: set in /etc/ssh/sshd_config.d/DenyAllow.conf
#AllowUsers: set in /etc/ssh/sshd_config.d/DenyAllow.conf
# sshd checks the ownership and modes of the user's home directory and
# files before accepting a login (this is also the default).
StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

            
# Public-key login is allowed (also the default). Password and
# challenge-response logins are switched off further down, so unless a
# drop-in file changes that, a key is what users authenticate with.
PubkeyAuthentication yes

            
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

            
#AuthorizedPrincipalsFile none

            
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

            
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
# Applies to HostbasedAuthentication, which is left at its default (no).
IgnoreRhosts yes

            
# To disable tunneled clear text passwords, change to no here!
# Already "no": password logins are refused.
PasswordAuthentication no
# Accounts with an empty password string are never accepted (the default);
# only relevant if password authentication is turned back on.
PermitEmptyPasswords no

            
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
# Keeps keyboard-interactive prompts (including PAM password prompts) off.
# OpenSSH 8.7 and later treat this keyword as a deprecated alias of
# KbdInteractiveAuthentication.
ChallengeResponseAuthentication no

            
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

            
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

            
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# PasswordAuthentication and ChallengeResponseAuthentication are both "no"
# in this file, so PAM is used here for account and session processing,
# not for authentication, unless a drop-in file re-enables one of them.
UsePAM yes

            
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
# NOTE(review): enabled here; the OpenSSH default is "no". X11 forwarding
# lets programs on this server reach the connecting client's X display,
# so set this to "no" unless users need remote graphical programs.
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
# sshd itself does not print /etc/motd at login.
# NOTE(review): presumably PAM (pam_motd) prints it instead - confirm.
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

            
# no default banner path
#Banner none

            
# Allow client to pass locale environment variables
# Only LANG and LC_* are accepted from the client. Keep this list narrow:
# accepted variables are placed in the session environment.
AcceptEnv LANG LC_*

            
# override default of no subsystems
# SFTP sessions are served by the external sftp-server binary.
Subsystem	sftp	/usr/lib/openssh/sftp-server

            
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server