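#
# Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
#
# Configuration file for sshd(1m) (see also sshd_config(4))
#

# Protocol versions supported
#
# The sshd shipped in this release of Solaris has support for major versions
# 1 and 2.  It is recommended due to security weaknesses in the v1 protocol
# that sites run only v2 if possible. Support for v1 is provided to help sites
# with existing ssh v1 clients/servers to transition.
# Support for v1 may not be available in a future release of Solaris.
#
# To enable support for v1 an RSA1 key must be created with ssh-keygen(1).
# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they
# do not already exist; RSA1 keys for protocol v1 are not automatically created.

# Uncomment ONLY ONE of the following Protocol statements.

# Only v2 (recommended)
Protocol 2

# Both v1 and v2 (not recommended)
#Protocol 2,1

# Only v1 (not recommended)
#Protocol 1

# Listen port (the IANA registered port number for ssh is 22)
Port 22

# The default listen address is all interfaces; this may need to be changed
# if you wish to restrict the interfaces sshd listens on for a multi-homed host.
# Multiple ListenAddress entries are allowed.

# IPv4 only
#ListenAddress 0.0.0.0
# IPv4 & IPv6
ListenAddress ::

# If port forwarding is enabled (default), specify whether the server may bind
# ports forwarded for the client (ssh -R) to INADDR_ANY instead of the loopback
# address.  "yes" lets any remote host connect to those forwarded ports and so
# widens the exposure of whatever the client is forwarding; "no" keeps them
# reachable only from the server itself.
GatewayPorts no

# X11 tunneling options
# X11 forwarding lets X clients on this host reach the connecting user's
# display, so the risk is mostly borne by the client side.  Note that
# disabling it here does not stop users from forwarding X11 traffic with
# their own tools.
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

# The maximum number of concurrent unauthenticated connections to sshd.
# start:rate:full see sshd(1m) for more information.
# The default is 10 unauthenticated clients.
# Setting a start:rate:full triple is a cheap defense against floods of
# unauthenticated connections that would otherwise hold slots for the whole
# LoginGraceTime.
#MaxStartups 10:30:60

# Banner to be printed before authentication starts.
#Banner /etc/issue

# Should sshd print the /etc/motd file and check for mail.
# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
PrintMotd no

# KeepAlive specifies whether keep alive messages are sent to the client.
# See sshd(1m) for detailed description of what this means.
# Note that the client may also be sending keep alive messages to the server.
KeepAlive yes

# Syslog facility and level
SyslogFacility auth
LogLevel info

#
# Authentication configuration
#

# Host private key files
# Must be on a local disk and readable only by the root user (root:sys 600).
# Anything able to read these files can impersonate this host to its clients.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Length of the ephemeral server key (protocol v1 only; unused when Protocol
# is 2).
# Default 768, Minimum 512
ServerKeyBits 768

# sshd regenerates the v1 server key every KeyRegenerationInterval seconds.
# The key is never stored anywhere except the memory of sshd.
# The default is 1 hour (3600 seconds).
KeyRegenerationInterval 3600

# Ensure secure permissions on users' .ssh directory.
# With StrictModes, sshd checks ownership and modes of a user's home directory
# and authentication files before trusting them, so a world-writable
# authorized_keys cannot be used to grant access.
StrictModes yes

# Length of time in seconds before a client that hasn't completed
# authentication is disconnected.
# Default is 600 seconds. 0 means no time limit.
LoginGraceTime 600

# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
# Failures beyond MaxAuthTriesLog are the ones reported to syslog, so keep it
# low enough that guessing attempts are visible in the logs.
MaxAuthTries	6
MaxAuthTriesLog	3

# Are logins to accounts with empty passwords allowed.
# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
# to pam_authenticate(3PAM).
PermitEmptyPasswords no

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
# ("Clear text" refers to the credential type; the SSH transport still encrypts
# it on the wire.)  Sites that rely on public-key authentication should set
# this to no so that password guessing is not possible at all.
PasswordAuthentication yes

# Are root logins permitted using sshd.
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# may be denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
PermitRootLogin no

# sftp subsystem
Subsystem	sftp	internal-sftp


# SSH protocol v1 specific options
#
# The following options only apply to the v1 protocol and provide
# some form of backwards compatibility with the very weak security
# of /usr/bin/rsh.  Their use is not recommended and the functionality
# will be removed when support for v1 protocol is removed.

# Should sshd use .rhosts and .shosts for passwordless authentication.
IgnoreRhosts yes
RhostsAuthentication no

# Rhosts RSA Authentication
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
# If the user on the client side is not root then this won't work on
# Solaris since /usr/bin/ssh is not installed setuid.
RhostsRSAAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
#IgnoreUserKnownHosts yes

# Is pure RSA authentication allowed (protocol v1 only; v2 public-key
# authentication is controlled by PubkeyAuthentication, which defaults to yes).
# Default is yes
RSAAuthentication yes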