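#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# Configuration file for sshd(1m)
#
# Conventions used in this file:
#   - A directive that is commented out (leading '#') is either the
#     compiled-in default or an example; remove the '#' to activate it.
#   - Directives marked "protocol v1 only" have no effect while only
#     protocol v2 is enabled (the recommended configuration below).

# Protocol versions supported
#
# The sshd shipped in this release of Solaris has support for major versions
# 1 and 2.  It is recommended due to security weaknesses in the v1 protocol
# that sites run only v2 if possible. Support for v1 is provided to help sites
# with existing ssh v1 clients/servers to transition.
# Support for v1 may not be available in a future release of Solaris.
#
# To enable support for v1 an RSA1 key must be created with ssh-keygen(1).
# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they
# do not already exist; RSA1 keys for protocol v1 are not automatically created.

# Uncomment ONLY ONE of the following Protocol statements.

# Only v2 (recommended)
Protocol 2

# Both v1 and v2 (not recommended: a v1-capable client can be downgraded)
#Protocol 2,1

# Only v1 (not recommended)
#Protocol 1

# Listen port (the IANA registered port number for ssh is 22)
Port 22

# The default listen address is all interfaces; this may need to be changed
# if you wish to restrict the interfaces sshd listens on for a multi-homed host.
# Multiple ListenAddress entries are allowed.

# IPv4 only
#ListenAddress 0.0.0.0
# IPv4 & IPv6 (the "::" wildcard accepts both address families)
ListenAddress ::

# Port forwarding
# Disabling TCP forwarding only stops sshd from relaying connections; a user
# who has shell access can still run a forwarder of their own, so this is not
# a substitute for restricting shell access.
AllowTcpForwarding no

# If port forwarding is enabled, specify whether remote (-R) forwardings may
# bind to INADDR_ANY on the server.  With "yes", hosts other than the server
# itself can connect to the forwarded port; with "no" the port is bound to the
# loopback address only.
GatewayPorts no

# X11 tunneling options
# X11 forwarding exposes the client's X display to the server (and to anyone
# able to act as the user there).  Set X11Forwarding to no unless it is needed.
# X11UseLocalhost keeps the proxy display bound to the loopback address.
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

# The maximum number of concurrent unauthenticated connections to sshd.
# start:rate:full - once "start" unauthenticated connections are pending,
# new ones are refused with probability rate/100, rising to certain refusal
# at "full".  See sshd(1m) for more information.
# The default is 10 unauthenticated clients.
#MaxStartups 10:30:60

# Banner to be printed before authentication starts.
# Keep the banner free of version or host details an attacker could use.
#Banner /etc/issue

# Should sshd print the /etc/motd file and check for mail.
# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
PrintMotd no

# KeepAlive specifies whether keep alive messages are sent to the client.
# See sshd(1m) for detailed description of what this means.
# Note that the client may also be sending keep alive messages to the server.
KeepAlive yes

# Syslog facility and level
SyslogFacility auth
LogLevel info

#
# Authentication configuration
#

# Host private key files
# Must be on a local disk and readable only by the root user (root:sys 600).
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Length of the ephemeral server key (protocol v1 only)
# Default 768, Minimum 512
ServerKeyBits 768

# sshd regenerates the ephemeral server key every KeyRegenerationInterval
# seconds (protocol v1 only).
# The key is never stored anywhere except the memory of sshd.
# The default is 1 hour (3600 seconds).
KeyRegenerationInterval 3600

# Check ownership and permissions of the user's home directory, .ssh directory
# and key files before accepting them; refuse files that are group/world
# writable.
StrictModes yes

# Length of time in seconds before a client that hasn't completed
# authentication is disconnected.
# Default is 600 seconds. 0 means no time limit (not recommended, since it lets
# idle connections occupy MaxStartups slots indefinitely).
LoginGraceTime 600

# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2.
# Failures beyond MaxAuthTriesLog are logged.
MaxAuthTries	6
MaxAuthTriesLog	3

# Are logins to accounts with empty passwords allowed?
# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
# to pam_authenticate(3PAM).
PermitEmptyPasswords no

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
# Public key authentication is preferred where clients support it.
PasswordAuthentication yes

# Use PAM via keyboard interactive method for authentication.
# Depending on the setup of pam.conf(4) this may allow tunneled clear text
# passwords even when PasswordAuthentication is set to no. This is dependent
# on what the individual modules request and is out of the control of sshd
# or the protocol.  Set both this and PasswordAuthentication to no to be sure
# that no password is ever tunneled.
PAMAuthenticationViaKBDInt yes

# Are root logins permitted using sshd?
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# may be denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
PermitRootLogin no

# sftp subsystem
# internal-sftp runs the sftp server inside sshd; no external binary is needed.
Subsystem	sftp	internal-sftp


# SSH protocol v1 specific options
#
# The following options only apply to the v1 protocol and provide
# some form of backwards compatibility with the very weak security
# of /usr/bin/rsh.  Their use is not recommended and the functionality
# will be removed when support for v1 protocol is removed.

# Should sshd use .rhosts and .shosts for passwordless authentication?
# Host-name based trust is spoofable; leave both of these as they are.
IgnoreRhosts yes
RhostsAuthentication no

# Rhosts RSA Authentication
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
# If the user on the client side is not root then this won't work on
# Solaris since /usr/bin/ssh is not installed setuid.
RhostsRSAAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
#IgnoreUserKnownHosts yes

# Is pure RSA authentication allowed (protocol v1 only)?
# Default is yes
RSAAuthentication yes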