Server3-Debian10 / etc / ssh / sshd_config : SSH server's configuration file sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ | |
# | |
# This is the sshd server system-wide configuration file. See | |
# sshd_config(5) for more information. | |
# | |
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | |
# | |
# The strategy used for options in the default sshd_config shipped with | |
# OpenSSH is to specify options with their default value where | |
# possible, but leave them commented. Uncommented options override the | |
# default value. | |
# | |
# | |
# Lines beginning with the "#" symbol are comments/notes.
# | |
# | |
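# in SRVR3 (Server-3) "srvr3.example.com" Server:
#
# Listener. 5022 is a non-default port: it reduces scanner noise in the logs
# but is not an access control; the authentication settings below are.
# SRVR3.IPv4.ADRS is a placeholder for this host's IPv4 address. Because it is
# the only active ListenAddress, sshd binds that one address only, and
# "AddressFamily any" has no practical effect until one of the IPv6
# ListenAddress placeholders below is uncommented.
Port 5022
AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress SRVR3.IPv4.ADRS
#ListenAddress SRVR3:IPv6:ADRS1
#ListenAddress SRVR3:IPv6:ADRS2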
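#
# PermitTunnel : Specifies whether tun(4) device forwarding is allowed. The argument must be yes,
# point-to-point (layer 3), ethernet (layer 2), or no . Specifying yes permits both point-to-point and
# ethernet. The default is no . Independent of this setting, the permissions of the selected tun(4) device
# must allow access to the user.
# (This note describes the PermitTunnel directive, which appears further down
# and is left commented at its default of "no"; it does not describe the
# Protocol line that follows.)
#
# Protocol has no effect on this sshd: SSH-1 server support was removed in
# OpenSSH 7.4, so only protocol 2 exists and the keyword is accepted for
# backward compatibility only.
Protocol 2
#
# ServerKeyBits was an SSH-1-only option and is not supported on this
# version; it only remains here as a comment.
#ServerKeyBits 16384
#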
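# List of Private/Secret Keys : (the key with ".pub" at-end is public-key)
# Only the RSA host key is active, so every client must accept an RSA host
# key algorithm (see HostKeyAlgorithms below). Uncommenting the ed25519 key
# also requires adding ssh-ed25519 to HostKeyAlgorithms; the commented
# variant of that list further down already includes it. Keep the private
# key files readable by root only.
HostKey /etc/ssh/ssh_host_rsa_key_SRVR3
##HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key_SRVR3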
# | |
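# Ciphers and keying
#RekeyLimit default none
# Renegotiate session keys after 100 MB of traffic or 1 hour, whichever
# comes first (the default is data-volume only, with no time limit).
RekeyLimit 100M 1h
#
# Logging
SyslogFacility AUTH
# INFO records logins and disconnects. VERBOSE additionally logs the
# fingerprint of the public key each login used, which is what is needed
# to trace an accepted login back to a specific key and owner.
LogLevel INFO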
# | |
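# Authentication:
#
# Key exchange: finite-field Diffie-Hellman only; the curve25519 variants are
# kept in the commented alternative below. The group-exchange method draws
# its groups from /etc/ssh/moduli.
KexAlgorithms diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
#KexAlgorithms diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,[email protected],curve25519-sha256
#KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
#
Ciphers [email protected],aes256-ctr
#Ciphers [email protected],aes256-ctr,[email protected]
#
MACs [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
#
# Authentication Extra:
# NOTE: "ssh-rsa" in the lists below is the RSA key type with SHA-1
# signatures; rsa-sha2-256/512 are the same RSA keys with SHA-2 signatures.
# SHA-1 signatures are considered weak and OpenSSH 8.8+ disables ssh-rsa by
# default. It is kept here for the macOS clients mentioned in the Match
# blocks at the end of the file; once those clients can use rsa-sha2-*,
# drop ssh-rsa from all of these lists. Unlike the *AcceptedKeyTypes lists,
# HostKeyAlgorithms and CASignatureAlgorithms cannot be narrowed per client
# inside a Match block.
# CASignatureAlgorithms only matters if certificate authentication
# (TrustedUserCAKeys / HostCertificate) is configured, which it is not here.
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-rsa
#CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
HostKeyAlgorithms rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected]
#HostKeyAlgorithms rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected],ssh-ed25519,[email protected]
HostbasedAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected]
#HostbasedAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected],ssh-ed25519,[email protected]
PubkeyAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected]
#PubkeyAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected],ssh-ed25519,[email protected]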
# | |
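#LoginGraceTime 2m
# PermitRootLogin : Specifies whether root can log in using ssh(1).
# The argument must be yes, prohibit-password, forced-commands-only, or no.
# The default is prohibit-password . If this option is set to prohibit-password (or its deprecated alias,
# without-password), password and keyboard-interactive authentication are disabled for root . If this
# option is set to forced-commands-only, root login with public key authentication will be allowed, but
# only if the command option has been specified (which may be useful for taking remote backups even if
# root login is normally not allowed) . All other authentication methods are disabled for root . If this
# option is set to no, root is not allowed to log in.
#PermitRootLogin prohibit-password
# Global default: root cannot log in at all. The Match blocks at the end of
# the file re-open root login only for specific source addresses.
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
# Lower than the default of 6. Each public key a client offers that is not
# accepted counts as one attempt, so clients with many keys loaded in their
# agent can exhaust this before reaching the right key.
MaxAuthTries 4
#MaxSessions 10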
# | |
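# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#
# Add user's SSH-pub-keys in their $HOME/.ssh/authorized_keys file:
# (%h expands to the user's home directory. With StrictModes at its default
# of yes, sshd rejects the file if it or the directories above it are
# writable by other users.)
AuthorizedKeysFile %h/.ssh/authorized_keys
#
#AuthorizedPrincipalsFile none
#
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody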
# | |
# AuthenticationMethods : Specifies the authentication methods that must be successfully completed for a | |
# user to be granted access. This option must be followed by one or more lists of comma-separated | |
# authentication method names, or by the single string any to indicate the default behaviour of accepting | |
# any single authentication method. If the default is overridden, then successful authentication requires | |
# completion of every method in at least one of these lists. | |
# For example, "publickey,password publickey,keyboard-interactive" would require the user to complete | |
# public key authentication, followed by either password or keyboard interactive authentication. Only | |
# methods that are next in one or more lists are offered at each stage, so for this example it would not | |
# be possible to attempt password or keyboard-interactive authentication before public key. | |
# For keyboard interactive authentication it is also possible to restrict authentication to a specific | |
# device by appending a colon followed by the device identifier bsdauth or pam, depending on the server
# configuration. | |
# For example, "keyboard-interactive:bsdauth" would restrict keyboard interactive authentication to the | |
# bsdauth device. | |
# If the publickey method is listed more than once, sshd(8) verifies that keys that have been used | |
# successfully are not reused for subsequent authentications. For example, "publickey,publickey" | |
# requires successful authentication using two different public keys . Note that each authentication | |
# method listed should also be explicitly enabled in the configuration . The available authentication | |
# methods are: "gssapi-with-mic", "hostbased", "keyboard-interactive", "none" (used for access to | |
# password-less accounts when "PermitEmptyPasswords" is enabled), "password" and "publickey". | |
# | |
# | |
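PubkeyAuthentication yes
#RSAAuthentication yes
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# Disabled globally; the Match blocks at the end of the file enable it for
# specific source addresses. With hostbased authentication the client
# machine's host key is what authenticates, so whoever controls that client
# can log in as any user it is enabled for: treat those client hosts as part
# of this server's trust boundary.
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
# (At the default of no, the target user's own ~/.ssh/known_hosts can vouch
# for a client host, i.e. a user-writable file decides hostbased trust. Set
# to yes to limit that to the root-owned /etc/ssh/ssh_known_hosts.)
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
#RhostsRSAAuthentication no
#
# To disable tunneled clear text passwords, change both to no here!
# (after creating ssh keys on the clients and adding each client's pub-key to this server)
# NOTE: every Match block below sets PasswordAuthentication no, so this
# global "yes" is what keeps password logins (via PAM, see UsePAM) open from
# every other address. That is the password-guessing surface on port 5022;
# turn it off here once keys are deployed.
PasswordAuthentication yes
PermitEmptyPasswords no
#
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no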
# | |
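# Kerberos options
# Both Kerberos and GSSAPI are explicitly off; the remaining keywords in
# these two groups only matter if one of them is turned back on.
KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#
# GSSAPI options
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no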
# | |
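# Set "UsePAM" to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# ("without-password" is the deprecated alias of prohibit-password; this
# file uses PermitRootLogin no globally, so the bypass does not apply unless
# ChallengeResponseAuthentication is also switched on.)
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# UsePAM : Enables the Pluggable Authentication Module interface . If set to yes this will enable
# PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM
# account and session module processing for all authentication types . Because PAM challenge-response
# authentication usually serves an equivalent role to password authentication, you should disable either
# PasswordAuthentication or ChallengeResponseAuthentication . If UsePAM is enabled, you will not be able
# to run sshd(8) as a non-root user. The default is no.
# Here PAM handles the password path (PasswordAuthentication yes above) and
# the account/session modules for key-based logins as well.
UsePAM yes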
# | |
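# Forwarding and session options. AllowAgentForwarding and AllowTcpForwarding
# are left at their default of yes, so any authenticated user can open TCP
# tunnels through this host (GatewayPorts no keeps remote -R forwards bound
# to the server's loopback). Set them to no here and re-enable them in a
# Match block if tunnels are only needed from specific clients.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#ClientAliveInterval 0
# Probe an idle client every 30 seconds and drop the connection after a
# single unanswered probe (ClientAliveCountMax 1).
ClientAliveInterval 30
#ClientAliveCountMax 3
ClientAliveCountMax 1
#TCPKeepAlive yes
TCPKeepAlive yes
#PermitUserEnvironment no
# UsePrivilegeSeparation was removed in OpenSSH 7.5; separation is always on.
#UsePrivilegeSeparation yes
# On OpenSSH 7.4+ compression is only ever enabled after authentication, so
# "delayed" is treated the same as "yes".
Compression delayed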
# UseDNS : Specifies whether sshd(8) should look up the remote host name, and to check that the resolved | |
# host name for the remote IP address maps back to the very same IP address . If this option is set to | |
# no (the default) then only addresses and not host names may be used in ~/.ssh/authorized_keys from | |
# and sshd_config Match Host directives. | |
UseDNS yes | |
#PidFile /var/run/sshd.pid | |
#MaxStartups 10:30:100 | |
#PermitTunnel no | |
#ChrootDirectory none | |
#VersionAddendum none | |
# | |
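# no default banner path
Banner none
#
FingerprintHash SHA256
# MaxSessions : Specifies the maximum number of open shell, login or subsystem (e.g. sftp) sessions
# permitted per network connection. Multiple sessions may be established by clients that support
# connection multiplexing.
# Setting MaxSessions to 1 will effectively disable session multiplexing, whereas setting it to 0 will
# prevent all shell, login and subsystem sessions while still permitting forwarding. The default is 10.
# (The directive itself, "#MaxSessions 10", sits in the Authentication
# section above and is left at its default.)
#
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
#
# override default of no subsystems
# sftp-server logs each transaction at INFO to the AUTHPRIV facility, which
# gives a per-operation audit trail of sftp activity.
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO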
# | |
# Example of overriding settings on a per-user basis | |
#Match User anoncvs | |
# X11Forwarding no | |
# AllowTcpForwarding no | |
# PermitTTY no | |
# ForceCommand cvs server | |
# | |
# | |
# Match (keywords:User|Group|Host|LocalAddress|LocalPort|RDomain|Address|All) pattern | |
# Under a Match block only these keywords are allowed to override above global settings: | |
# AcceptEnv, AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, AllowTcpForwarding, AllowUsers, | |
# AuthenticationMethods, AuthorizedKeysCommand, AuthorizedKeysCommandUser, AuthorizedKeysFile, | |
# AuthorizedPrincipalsCommand, AuthorizedPrincipalsCommandUser, AuthorizedPrincipalsFile, Banner, | |
# ChrootDirectory, ClientAliveCountMax, ClientAliveInterval, DenyGroups, DenyUsers, ForceCommand, | |
# GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes, HostbasedAuthentication, | |
# HostbasedUsesNameFromPacketOnly, IPQoS, KbdInteractiveAuthentication, KerberosAuthentication, LogLevel, | |
# MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords, PermitListen, PermitOpen, | |
# PermitRootLogin, PermitTTY, PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes, PubkeyAuthentication, | |
# RekeyLimit, RevokedKeys, RDomain, SetEnv, StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys, | |
# X11DisplayOffset, X11Forwarding and X11UseLocalHost. | |
# | |
# | |
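# From Debian-1 computer
# Hostbased authentication is enabled for this address: the client host's own
# host key (known via ssh_known_hosts, with the host authorized in
# shosts.equiv or equivalent) is what authenticates, so a compromise of that
# machine yields root here. PermitRootLogin is prohibit-password rather than
# yes so root stays key/host-based even if password or keyboard-interactive
# authentication is later re-enabled; with the PasswordAuthentication no
# below, the two settings are otherwise equivalent.
Match Address DEB1.PC.IPv4.ADRS
#ClientAliveInterval 0
ClientAliveInterval 30
#ClientAliveCountMax 3
ClientAliveCountMax 1
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected]
HostbasedAuthentication yes
HostbasedAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected]
PasswordAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 10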
# | |
# | |
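# From Debian-2 computer
# Same trust model as the Debian-1 block: the client host's key authenticates
# (hostbased), so that machine is inside this server's trust boundary.
# PermitRootLogin prohibit-password keeps root key/host-based even if
# password or keyboard-interactive authentication is later re-enabled; with
# PasswordAuthentication no below it is otherwise equivalent to yes.
Match Address DEB2.PC.IPv4.ADRS
#ClientAliveInterval 0
ClientAliveInterval 30
#ClientAliveCountMax 3
ClientAliveCountMax 1
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected]
HostbasedAuthentication yes
HostbasedAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected]
PasswordAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 10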
# | |
# | |
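# For macOS clients/computers, keep "ssh-rsa" included:
# (ssh-rsa is RSA with SHA-1 signatures; it is re-added here only because
# these clients need it. Revisit once they support rsa-sha2-*.)
# This block is the only path that lets root in from outside the two Debian
# hosts, and only from these two addresses. PermitRootLogin prohibit-password
# keeps that path key/host-based even if password or keyboard-interactive
# authentication is later re-enabled; with PasswordAuthentication no below
# it is otherwise equivalent to yes.
Match Address AtErikLoc1.IPv4.ADRS,AtErikLoc2.IPv4.ADRS User root
#ClientAliveInterval 0
ClientAliveInterval 18
#ClientAliveCountMax 3
ClientAliveCountMax 2
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected]
#PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
#PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected],ssh-ed25519,[email protected]
HostbasedAuthentication yes
HostbasedAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected]
#HostbasedAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
#HostbasedAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected],ssh-ed25519,[email protected]
PasswordAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 10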
# | |
# | |
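# Same two addresses, non-root user: public key only (hostbased off, so the
# HostbasedAcceptedKeyTypes line below is inert unless that is changed) and
# root login explicitly denied from here. ssh-rsa (SHA-1 signatures) is kept
# in the key-type list for the macOS clients noted above.
Match Address AtErikLoc1.IPv4.ADRS,AtErikLoc2.IPv4.ADRS User erik
#ClientAliveInterval 0
ClientAliveInterval 18
#ClientAliveCountMax 3
ClientAliveCountMax 2
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
#PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected],ssh-ed25519,[email protected]
HostbasedAuthentication no
HostbasedAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
#HostbasedAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected],ssh-ed25519,[email protected]
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 10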
# | |
# |