xref: /illumos-gate/usr/src/cmd/ssh/etc/sshd_config (revision 8d2b0ea9d2a9f0e441345ec63219b0f8b91021f8)
1#
2# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
3# Use is subject to license terms.
4#
5# Configuration file for sshd(1m)
6
7# Protocol versions supported
8#
9# The sshd shipped in this release of Solaris has support for major versions
10# 1 and 2.  It is recommended due to security weaknesses in the v1 protocol
11# that sites run only v2 if possible. Support for v1 is provided to help sites
12# with existing ssh v1 clients/servers to transition.
13# Support for v1 may not be available in a future release of Solaris.
14#
15# To enable support for v1 an RSA1 key must be created with ssh-keygen(1).
16# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they
17# do not already exist, RSA1 keys for protocol v1 are not automatically created.
18
19# Uncomment ONLY ONE of the following Protocol statements.
20
21# Only v2 (recommended)
22Protocol 2
23
24# Both v1 and v2 (not recommended)
25#Protocol 2,1
26
27# Only v1 (not recommended)
28#Protocol 1
29
30# Listen port (the IANA registered port number for ssh is 22)
31Port 22
32
33# The default listen address is all interfaces, this may need to be changed
34# if you wish to restrict the interfaces sshd listens on for a multi homed host.
35# Multiple ListenAddress entries are allowed.
36
37# IPv4 only
38#ListenAddress 0.0.0.0
39# IPv4 & IPv6
40ListenAddress ::
41
42# Port forwarding
43AllowTcpForwarding no
44
45# If port forwarding is enabled, specify if the server can bind to INADDR_ANY.
46# This allows the local port forwarding to work when connections are received
47# from any remote host.
48GatewayPorts no
49
50# X11 tunneling options
51X11Forwarding yes
52X11DisplayOffset 10
53X11UseLocalhost yes
54
55# The maximum number of concurrent unauthenticated connections to sshd.
56# start:rate:full see sshd(1) for more information.
57# The default is 10 unauthenticated clients.
58#MaxStartups 10:30:60
59
60# Banner to be printed before authentication starts.
61#Banner /etc/issue
62
63# Should sshd print the /etc/motd file and check for mail.
64# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
65PrintMotd no
66
67# KeepAlive specifies whether keep alive messages are sent to the client.
68# See sshd(1) for detailed description of what this means.
69# Note that the client may also be sending keep alive messages to the server.
70KeepAlive yes
71
72# Syslog facility and level
73SyslogFacility auth
74LogLevel info
75
76#
77# Authentication configuration
78#
79
80# Host private key files
81# Must be on a local disk and readable only by the root user (root:sys 600).
82HostKey /etc/ssh/ssh_host_rsa_key
83HostKey /etc/ssh/ssh_host_dsa_key
84
85# Length of the server key
86# Default 768, Minimum 512
87ServerKeyBits 768
88
89# sshd regenerates the key every KeyRegenerationInterval seconds.
90# The key is never stored anywhere except the memory of sshd.
91# The default is 1 hour (3600 seconds).
92KeyRegenerationInterval 3600
93
94# Ensure secure permissions on users .ssh directory.
95StrictModes yes
96
97# Length of time in seconds before a client that hasn't completed
98# authentication is disconnected.
99# Default is 600 seconds. 0 means no time limit.
100LoginGraceTime 600
101
102# Maximum number of retries for authentication
103# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
104MaxAuthTries	6
105MaxAuthTriesLog	3
106
107# Are logins to accounts with empty passwords allowed.
108# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
109# to pam_authenticate(3PAM).
110PermitEmptyPasswords no
111
112# To disable tunneled clear text passwords, change PasswordAuthentication to no.
113PasswordAuthentication yes
114
115# Use PAM via keyboard interactive method for authentication.
116# Depending on the setup of pam.conf(4) this may allow tunneled clear text
117# passwords even when PasswordAuthentication is set to no. This is dependent
118# on what the individual modules request and is out of the control of sshd
119# or the protocol.
120PAMAuthenticationViaKBDInt yes
121
122# Are root logins permitted using sshd.
123# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
124# maybe denied access by a PAM module regardless of this setting.
125# Valid options are yes, without-password, no.
126PermitRootLogin no
127
128# sftp subsystem
129Subsystem	sftp	internal-sftp
130
131
132# SSH protocol v1 specific options
133#
134# The following options only apply to the v1 protocol and provide
135# some form of backwards compatibility with the very weak security
136# of /usr/bin/rsh.  Their use is not recommended and the functionality
137# will be removed when support for v1 protocol is removed.
138
139# Should sshd use .rhosts and .shosts for password less authentication.
140IgnoreRhosts yes
141RhostsAuthentication no
142
143# Rhosts RSA Authentication
144# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
145# If the user on the client side is not root then this won't work on
146# Solaris since /usr/bin/ssh is not installed setuid.
147RhostsRSAAuthentication no
148
149# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
150#IgnoreUserKnownHosts yes
151
152# Is pure RSA authentication allowed.
153# Default is yes
154RSAAuthentication yes
155