10Sstevel@tonic-gate# 2*12597SJan.Pechanec@Sun.COM# Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 30Sstevel@tonic-gate# 49939SHuie-Ying.Lee@Sun.COM# Configuration file for sshd(1m) (see also sshd_config(4)) 5*12597SJan.Pechanec@Sun.COM# 60Sstevel@tonic-gate 70Sstevel@tonic-gate# Protocol versions supported 80Sstevel@tonic-gate# 90Sstevel@tonic-gate# The sshd shipped in this release of Solaris has support for major versions 100Sstevel@tonic-gate# 1 and 2. It is recommended due to security weaknesses in the v1 protocol 110Sstevel@tonic-gate# that sites run only v2 if possible. Support for v1 is provided to help sites 120Sstevel@tonic-gate# with existing ssh v1 clients/servers to transition. 130Sstevel@tonic-gate# Support for v1 may not be available in a future release of Solaris. 140Sstevel@tonic-gate# 150Sstevel@tonic-gate# To enable support for v1 an RSA1 key must be created with ssh-keygen(1). 160Sstevel@tonic-gate# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they 170Sstevel@tonic-gate# do not already exist, RSA1 keys for protocol v1 are not automatically created. 180Sstevel@tonic-gate 190Sstevel@tonic-gate# Uncomment ONLY ONE of the following Protocol statements. 200Sstevel@tonic-gate 210Sstevel@tonic-gate# Only v2 (recommended) 220Sstevel@tonic-gateProtocol 2 230Sstevel@tonic-gate 240Sstevel@tonic-gate# Both v1 and v2 (not recommended) 250Sstevel@tonic-gate#Protocol 2,1 260Sstevel@tonic-gate 270Sstevel@tonic-gate# Only v1 (not recommended) 280Sstevel@tonic-gate#Protocol 1 290Sstevel@tonic-gate 300Sstevel@tonic-gate# Listen port (the IANA registered port number for ssh is 22) 310Sstevel@tonic-gatePort 22 320Sstevel@tonic-gate 330Sstevel@tonic-gate# The default listen address is all interfaces, this may need to be changed 340Sstevel@tonic-gate# if you wish to restrict the interfaces sshd listens on for a multi homed host. 350Sstevel@tonic-gate# Multiple ListenAddress entries are allowed. 360Sstevel@tonic-gate 370Sstevel@tonic-gate# IPv4 only 380Sstevel@tonic-gate#ListenAddress 0.0.0.0 390Sstevel@tonic-gate# IPv4 & IPv6 400Sstevel@tonic-gateListenAddress :: 410Sstevel@tonic-gate 429939SHuie-Ying.Lee@Sun.COM# If port forwarding is enabled (default), specify if the server can bind to 439939SHuie-Ying.Lee@Sun.COM# INADDR_ANY. 440Sstevel@tonic-gate# This allows the local port forwarding to work when connections are received 450Sstevel@tonic-gate# from any remote host. 460Sstevel@tonic-gateGatewayPorts no 470Sstevel@tonic-gate 480Sstevel@tonic-gate# X11 tunneling options 490Sstevel@tonic-gateX11Forwarding yes 500Sstevel@tonic-gateX11DisplayOffset 10 510Sstevel@tonic-gateX11UseLocalhost yes 520Sstevel@tonic-gate 530Sstevel@tonic-gate# The maximum number of concurrent unauthenticated connections to sshd. 540Sstevel@tonic-gate# start:rate:full see sshd(1) for more information. 550Sstevel@tonic-gate# The default is 10 unauthenticated clients. 560Sstevel@tonic-gate#MaxStartups 10:30:60 570Sstevel@tonic-gate 580Sstevel@tonic-gate# Banner to be printed before authentication starts. 590Sstevel@tonic-gate#Banner /etc/issue 600Sstevel@tonic-gate 610Sstevel@tonic-gate# Should sshd print the /etc/motd file and check for mail. 620Sstevel@tonic-gate# On Solaris it is assumed that the login shell will do these (eg /etc/profile). 630Sstevel@tonic-gatePrintMotd no 640Sstevel@tonic-gate 650Sstevel@tonic-gate# KeepAlive specifies whether keep alive messages are sent to the client. 660Sstevel@tonic-gate# See sshd(1) for detailed description of what this means. 670Sstevel@tonic-gate# Note that the client may also be sending keep alive messages to the server. 680Sstevel@tonic-gateKeepAlive yes 690Sstevel@tonic-gate 700Sstevel@tonic-gate# Syslog facility and level 710Sstevel@tonic-gateSyslogFacility auth 720Sstevel@tonic-gateLogLevel info 730Sstevel@tonic-gate 740Sstevel@tonic-gate# 750Sstevel@tonic-gate# Authentication configuration 760Sstevel@tonic-gate# 770Sstevel@tonic-gate 780Sstevel@tonic-gate# Host private key files 790Sstevel@tonic-gate# Must be on a local disk and readable only by the root user (root:sys 600). 800Sstevel@tonic-gateHostKey /etc/ssh/ssh_host_rsa_key 810Sstevel@tonic-gateHostKey /etc/ssh/ssh_host_dsa_key 820Sstevel@tonic-gate 830Sstevel@tonic-gate# Length of the server key 840Sstevel@tonic-gate# Default 768, Minimum 512 850Sstevel@tonic-gateServerKeyBits 768 860Sstevel@tonic-gate 870Sstevel@tonic-gate# sshd regenerates the key every KeyRegenerationInterval seconds. 880Sstevel@tonic-gate# The key is never stored anywhere except the memory of sshd. 890Sstevel@tonic-gate# The default is 1 hour (3600 seconds). 900Sstevel@tonic-gateKeyRegenerationInterval 3600 910Sstevel@tonic-gate 920Sstevel@tonic-gate# Ensure secure permissions on users .ssh directory. 930Sstevel@tonic-gateStrictModes yes 940Sstevel@tonic-gate 950Sstevel@tonic-gate# Length of time in seconds before a client that hasn't completed 960Sstevel@tonic-gate# authentication is disconnected. 970Sstevel@tonic-gate# Default is 600 seconds. 0 means no time limit. 980Sstevel@tonic-gateLoginGraceTime 600 990Sstevel@tonic-gate 1000Sstevel@tonic-gate# Maximum number of retries for authentication 1010Sstevel@tonic-gate# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2 1020Sstevel@tonic-gateMaxAuthTries 6 1030Sstevel@tonic-gateMaxAuthTriesLog 3 1040Sstevel@tonic-gate 1050Sstevel@tonic-gate# Are logins to accounts with empty passwords allowed. 1060Sstevel@tonic-gate# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK 1070Sstevel@tonic-gate# to pam_authenticate(3PAM). 1080Sstevel@tonic-gatePermitEmptyPasswords no 1090Sstevel@tonic-gate 1100Sstevel@tonic-gate# To disable tunneled clear text passwords, change PasswordAuthentication to no. 1110Sstevel@tonic-gatePasswordAuthentication yes 1120Sstevel@tonic-gate 1130Sstevel@tonic-gate# Are root logins permitted using sshd. 1140Sstevel@tonic-gate# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user 1150Sstevel@tonic-gate# maybe denied access by a PAM module regardless of this setting. 1160Sstevel@tonic-gate# Valid options are yes, without-password, no. 1170Sstevel@tonic-gatePermitRootLogin no 1180Sstevel@tonic-gate 1190Sstevel@tonic-gate# sftp subsystem 1209139SJan.Pechanec@Sun.COMSubsystem sftp internal-sftp 1210Sstevel@tonic-gate 1220Sstevel@tonic-gate 1230Sstevel@tonic-gate# SSH protocol v1 specific options 1240Sstevel@tonic-gate# 1250Sstevel@tonic-gate# The following options only apply to the v1 protocol and provide 1260Sstevel@tonic-gate# some form of backwards compatibility with the very weak security 1270Sstevel@tonic-gate# of /usr/bin/rsh. Their use is not recommended and the functionality 1280Sstevel@tonic-gate# will be removed when support for v1 protocol is removed. 1290Sstevel@tonic-gate 1300Sstevel@tonic-gate# Should sshd use .rhosts and .shosts for password less authentication. 1310Sstevel@tonic-gateIgnoreRhosts yes 1320Sstevel@tonic-gateRhostsAuthentication no 1330Sstevel@tonic-gate 1340Sstevel@tonic-gate# Rhosts RSA Authentication 1350Sstevel@tonic-gate# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts. 1360Sstevel@tonic-gate# If the user on the client side is not root then this won't work on 1370Sstevel@tonic-gate# Solaris since /usr/bin/ssh is not installed setuid. 1380Sstevel@tonic-gateRhostsRSAAuthentication no 1390Sstevel@tonic-gate 1400Sstevel@tonic-gate# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication. 1410Sstevel@tonic-gate#IgnoreUserKnownHosts yes 1420Sstevel@tonic-gate 1430Sstevel@tonic-gate# Is pure RSA authentication allowed. 1440Sstevel@tonic-gate# Default is yes 1450Sstevel@tonic-gateRSAAuthentication yes 146