xref: /illumos-gate/usr/src/cmd/ssh/etc/sshd_config (revision d29f5a711240f866521445b1656d114da090335e)
1#
2# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3# Use is subject to license terms.
4#
5# ident	"%Z%%M%	%I%	%E% SMI"
6#
7# Configuration file for sshd(1m)
8
9# Protocol versions supported
10#
11# The sshd shipped in this release of Solaris has support for major versions
12# 1 and 2.  It is recommended due to security weaknesses in the v1 protocol
13# that sites run only v2 if possible. Support for v1 is provided to help sites
14# with existing ssh v1 clients/servers to transition.
15# Support for v1 may not be available in a future release of Solaris.
16#
17# To enable support for v1 an RSA1 key must be created with ssh-keygen(1).
18# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they
19# do not already exist, RSA1 keys for protocol v1 are not automatically created.
20
21# Uncomment ONLY ONE of the following Protocol statements.
22
23# Only v2 (recommended)
24Protocol 2
25
26# Both v1 and v2 (not recommended)
27#Protocol 2,1
28
29# Only v1 (not recommended)
30#Protocol 1
31
32# Listen port (the IANA registered port number for ssh is 22)
33Port 22
34
35# The default listen address is all interfaces, this may need to be changed
36# if you wish to restrict the interfaces sshd listens on for a multi homed host.
37# Multiple ListenAddress entries are allowed.
38
39# IPv4 only
40#ListenAddress 0.0.0.0
41# IPv4 & IPv6
42ListenAddress ::
43
44# Port forwarding
45AllowTcpForwarding no
46
47# If port forwarding is enabled, specify if the server can bind to INADDR_ANY.
48# This allows the local port forwarding to work when connections are received
49# from any remote host.
50GatewayPorts no
51
52# X11 tunneling options
53X11Forwarding yes
54X11DisplayOffset 10
55X11UseLocalhost yes
56
57# The maximum number of concurrent unauthenticated connections to sshd.
58# start:rate:full see sshd(1) for more information.
59# The default is 10 unauthenticated clients.
60#MaxStartups 10:30:60
61
62# Banner to be printed before authentication starts.
63#Banner /etc/issue
64
65# Should sshd print the /etc/motd file and check for mail.
66# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
67PrintMotd no
68
69# KeepAlive specifies whether keep alive messages are sent to the client.
70# See sshd(1) for detailed description of what this means.
71# Note that the client may also be sending keep alive messages to the server.
72KeepAlive yes
73
74# Syslog facility and level
75SyslogFacility auth
76LogLevel info
77
78#
79# Authentication configuration
80#
81
82# Host private key files
83# Must be on a local disk and readable only by the root user (root:sys 600).
84HostKey /etc/ssh/ssh_host_rsa_key
85HostKey /etc/ssh/ssh_host_dsa_key
86
87# Default Encryption algorithms and Message Authentication codes
88#Ciphers   aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
89#MACS   hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
90
91# Length of the server key
92# Default 768, Minimum 512
93ServerKeyBits 768
94
95# sshd regenerates the key every KeyRegenerationInterval seconds.
96# The key is never stored anywhere except the memory of sshd.
97# The default is 1 hour (3600 seconds).
98KeyRegenerationInterval 3600
99
100# Ensure secure permissions on users .ssh directory.
101StrictModes yes
102
103# Length of time in seconds before a client that hasn't completed
104# authentication is disconnected.
105# Default is 600 seconds. 0 means no time limit.
106LoginGraceTime 600
107
108# Maximum number of retries for authentication
109# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
110MaxAuthTries	6
111MaxAuthTriesLog	3
112
113# Are logins to accounts with empty passwords allowed.
114# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
115# to pam_authenticate(3PAM).
116PermitEmptyPasswords no
117
118# To disable tunneled clear text passwords, change PasswordAuthentication to no.
119PasswordAuthentication yes
120
121# Use PAM via keyboard interactive method for authentication.
122# Depending on the setup of pam.conf(4) this may allow tunneled clear text
123# passwords even when PasswordAuthentication is set to no. This is dependent
124# on what the individual modules request and is out of the control of sshd
125# or the protocol.
126PAMAuthenticationViaKBDInt yes
127
128# Are root logins permitted using sshd.
129# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
130# maybe denied access by a PAM module regardless of this setting.
131# Valid options are yes, without-password, no.
132PermitRootLogin no
133
134# sftp subsystem
135Subsystem	sftp	/usr/lib/ssh/sftp-server
136
137
138# SSH protocol v1 specific options
139#
140# The following options only apply to the v1 protocol and provide
141# some form of backwards compatibility with the very weak security
142# of /usr/bin/rsh.  Their use is not recommended and the functionality
143# will be removed when support for v1 protocol is removed.
144
145# Should sshd use .rhosts and .shosts for password less authentication.
146IgnoreRhosts yes
147RhostsAuthentication no
148
149# Rhosts RSA Authentication
150# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
151# If the user on the client side is not root then this won't work on
152# Solaris since /usr/bin/ssh is not installed setuid.
153RhostsRSAAuthentication no
154
155# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
156#IgnoreUserKnownHosts yes
157
158# Is pure RSA authentication allowed.
159# Default is yes
160RSAAuthentication yes
161