1# 2# Copyright 2009 Sun Microsystems, Inc. All rights reserved. 3# Use is subject to license terms. 4# 5# Configuration file for sshd(1m) 6 7# Protocol versions supported 8# 9# The sshd shipped in this release of Solaris has support for major versions 10# 1 and 2. It is recommended due to security weaknesses in the v1 protocol 11# that sites run only v2 if possible. Support for v1 is provided to help sites 12# with existing ssh v1 clients/servers to transition. 13# Support for v1 may not be available in a future release of Solaris. 14# 15# To enable support for v1 an RSA1 key must be created with ssh-keygen(1). 16# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they 17# do not already exist, RSA1 keys for protocol v1 are not automatically created. 18 19# Uncomment ONLY ONE of the following Protocol statements. 20 21# Only v2 (recommended) 22Protocol 2 23 24# Both v1 and v2 (not recommended) 25#Protocol 2,1 26 27# Only v1 (not recommended) 28#Protocol 1 29 30# Listen port (the IANA registered port number for ssh is 22) 31Port 22 32 33# The default listen address is all interfaces, this may need to be changed 34# if you wish to restrict the interfaces sshd listens on for a multi homed host. 35# Multiple ListenAddress entries are allowed. 36 37# IPv4 only 38#ListenAddress 0.0.0.0 39# IPv4 & IPv6 40ListenAddress :: 41 42# Port forwarding 43AllowTcpForwarding no 44 45# If port forwarding is enabled, specify if the server can bind to INADDR_ANY. 46# This allows the local port forwarding to work when connections are received 47# from any remote host. 48GatewayPorts no 49 50# X11 tunneling options 51X11Forwarding yes 52X11DisplayOffset 10 53X11UseLocalhost yes 54 55# The maximum number of concurrent unauthenticated connections to sshd. 56# start:rate:full see sshd(1) for more information. 57# The default is 10 unauthenticated clients. 58#MaxStartups 10:30:60 59 60# Banner to be printed before authentication starts. 61#Banner /etc/issue 62 63# Should sshd print the /etc/motd file and check for mail. 64# On Solaris it is assumed that the login shell will do these (eg /etc/profile). 65PrintMotd no 66 67# KeepAlive specifies whether keep alive messages are sent to the client. 68# See sshd(1) for detailed description of what this means. 69# Note that the client may also be sending keep alive messages to the server. 70KeepAlive yes 71 72# Syslog facility and level 73SyslogFacility auth 74LogLevel info 75 76# 77# Authentication configuration 78# 79 80# Host private key files 81# Must be on a local disk and readable only by the root user (root:sys 600). 82HostKey /etc/ssh/ssh_host_rsa_key 83HostKey /etc/ssh/ssh_host_dsa_key 84 85# Length of the server key 86# Default 768, Minimum 512 87ServerKeyBits 768 88 89# sshd regenerates the key every KeyRegenerationInterval seconds. 90# The key is never stored anywhere except the memory of sshd. 91# The default is 1 hour (3600 seconds). 92KeyRegenerationInterval 3600 93 94# Ensure secure permissions on users .ssh directory. 95StrictModes yes 96 97# Length of time in seconds before a client that hasn't completed 98# authentication is disconnected. 99# Default is 600 seconds. 0 means no time limit. 100LoginGraceTime 600 101 102# Maximum number of retries for authentication 103# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2 104MaxAuthTries 6 105MaxAuthTriesLog 3 106 107# Are logins to accounts with empty passwords allowed. 108# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK 109# to pam_authenticate(3PAM). 110PermitEmptyPasswords no 111 112# To disable tunneled clear text passwords, change PasswordAuthentication to no. 113PasswordAuthentication yes 114 115# Use PAM via keyboard interactive method for authentication. 116# Depending on the setup of pam.conf(4) this may allow tunneled clear text 117# passwords even when PasswordAuthentication is set to no. This is dependent 118# on what the individual modules request and is out of the control of sshd 119# or the protocol. 120PAMAuthenticationViaKBDInt yes 121 122# Are root logins permitted using sshd. 123# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user 124# maybe denied access by a PAM module regardless of this setting. 125# Valid options are yes, without-password, no. 126PermitRootLogin no 127 128# sftp subsystem 129Subsystem sftp internal-sftp 130 131 132# SSH protocol v1 specific options 133# 134# The following options only apply to the v1 protocol and provide 135# some form of backwards compatibility with the very weak security 136# of /usr/bin/rsh. Their use is not recommended and the functionality 137# will be removed when support for v1 protocol is removed. 138 139# Should sshd use .rhosts and .shosts for password less authentication. 140IgnoreRhosts yes 141RhostsAuthentication no 142 143# Rhosts RSA Authentication 144# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts. 145# If the user on the client side is not root then this won't work on 146# Solaris since /usr/bin/ssh is not installed setuid. 147RhostsRSAAuthentication no 148 149# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication. 150#IgnoreUserKnownHosts yes 151 152# Is pure RSA authentication allowed. 153# Default is yes 154RSAAuthentication yes 155