1 files changed, 152 insertions, 0 deletions
diff --git a/sshd_config b/sshd_config
new file mode 100644
index 0000000..a67aa8a
--- /dev/null
+++ b/sshd_config
@@ -0,0 +1,152 @@
+#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+# The default requires explicit activation of protocol 1
+#Protocol 2
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
+# to maintain compatibility with RFC4419, but should be set higher.
+# Upstream default is identical to setting this to 2048.
+#KexDHMin 1024
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+# Ciphers and keying
+#RekeyLimit default none
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+# Authentication:
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile      .ssh/authorized_keys
+#AuthorizedPrincipalsFile none
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
+# in this release. The use of 'gssapi' is deprecated due to the presence of 
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+#GSSAPIEnableMITMAttack no
+ 
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox          # Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+# no default banner path
+#Banner none
+# override default of no subsystems
+Subsystem       sftp    /usr/lib/ssh/sftp-server
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server

diff --git a/sshd_config b/sshd_config new file mode 100644 index 0000000..a67aa8a --- /dev/null +++ b/sshd_config
@@ -0,0 +1,152 @@
	1	# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
	2
	3	# This is the sshd server system-wide configuration file. See
	4	# sshd_config(5) for more information.
	5
	6	# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
	7
	8	# The strategy used for options in the default sshd_config shipped with
	9	# OpenSSH is to specify options with their default value where
	10	# possible, but leave them commented. Uncommented options override the
	11	# default value.
	12
	13	#Port 22
	14	#AddressFamily any
	15	#ListenAddress 0.0.0.0
	16	#ListenAddress ::
	17
	18	# The default requires explicit activation of protocol 1
	19	#Protocol 2
	20
	21	# HostKey for protocol version 1
	22	#HostKey /etc/ssh/ssh_host_key
	23	# HostKeys for protocol version 2
	24	#HostKey /etc/ssh/ssh_host_rsa_key
	25	#HostKey /etc/ssh/ssh_host_dsa_key
	26	#HostKey /etc/ssh/ssh_host_ecdsa_key
	27	#HostKey /etc/ssh/ssh_host_ed25519_key
	28
	29	# Minimum accepted size of the DH parameter p. By default this is set to 1024
	30	# to maintain compatibility with RFC4419, but should be set higher.
	31	# Upstream default is identical to setting this to 2048.
	32	#KexDHMin 1024
	33
	34	# Lifetime and size of ephemeral version 1 server key
	35	#KeyRegenerationInterval 1h
	36	#ServerKeyBits 1024
	37
	38	# Ciphers and keying
	39	#RekeyLimit default none
	40
	41	# Logging
	42	# obsoletes QuietMode and FascistLogging
	43	#SyslogFacility AUTH
	44	#LogLevel INFO
	45
	46	# Authentication:
	47
	48	#LoginGraceTime 2m
	49	#PermitRootLogin yes
	50	#StrictModes yes
	51	#MaxAuthTries 6
	52	#MaxSessions 10
	53
	54	#RSAAuthentication yes
	55	#PubkeyAuthentication yes
	56
	57	# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
	58	# but this is overridden so installations will only check .ssh/authorized_keys
	59	AuthorizedKeysFile .ssh/authorized_keys
	60
	61	#AuthorizedPrincipalsFile none
	62
	63	#AuthorizedKeysCommand none
	64	#AuthorizedKeysCommandUser nobody
	65
	66	# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
	67	#RhostsRSAAuthentication no
	68	# similar for protocol version 2
	69	#HostbasedAuthentication no
	70	# Change to yes if you don't trust ~/.ssh/known_hosts for
	71	# RhostsRSAAuthentication and HostbasedAuthentication
	72	#IgnoreUserKnownHosts no
	73	# Don't read the user's ~/.rhosts and ~/.shosts files
	74	#IgnoreRhosts yes
	75
	76	# To disable tunneled clear text passwords, change to no here!
	77	PasswordAuthentication no
	78	#PermitEmptyPasswords no
	79
	80	# Change to no to disable s/key passwords
	81	#ChallengeResponseAuthentication yes
	82
	83	# Kerberos options
	84	#KerberosAuthentication no
	85	#KerberosOrLocalPasswd yes
	86	#KerberosTicketCleanup yes
	87	#KerberosGetAFSToken no
	88
	89	# GSSAPI options
	90	#GSSAPIAuthentication no
	91	#GSSAPICleanupCredentials yes
	92	#GSSAPIStrictAcceptorCheck yes
	93	#GSSAPIKeyExchange no
	94
	95	# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
	96	# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
	97	# in this release. The use of 'gssapi' is deprecated due to the presence of
	98	# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
	99	#GSSAPIEnableMITMAttack no
	100
	101
	102	# Set this to 'yes' to enable PAM authentication, account processing,
	103	# and session processing. If this is enabled, PAM authentication will
	104	# be allowed through the ChallengeResponseAuthentication and
	105	# PasswordAuthentication. Depending on your PAM configuration,
	106	# PAM authentication via ChallengeResponseAuthentication may bypass
	107	# the setting of "PermitRootLogin without-password".
	108	# If you just want the PAM account and session checks to run without
	109	# PAM authentication, then enable this but set PasswordAuthentication
	110	# and ChallengeResponseAuthentication to 'no'.
	111	UsePAM yes
	112
	113	#AllowAgentForwarding yes
	114	#AllowTcpForwarding yes
	115	#GatewayPorts no
	116	X11Forwarding yes
	117	#X11DisplayOffset 10
	118	#X11UseLocalhost yes
	119	#PermitTTY yes
	120	#PrintMotd yes
	121	#PrintLastLog yes
	122	#TCPKeepAlive yes
	123	#UseLogin no
	124	UsePrivilegeSeparation sandbox # Default for new installations.
	125	#PermitUserEnvironment no
	126	#Compression delayed
	127	#ClientAliveInterval 0
	128	#ClientAliveCountMax 3
	129	#UseDNS yes
	130	#PidFile /run/sshd.pid
	131	#MaxStartups 10:30:100
	132	#PermitTunnel no
	133	#ChrootDirectory none
	134	#VersionAddendum none
	135
	136	# no default banner path
	137	#Banner none
	138
	139	# override default of no subsystems
	140	Subsystem sftp /usr/lib/ssh/sftp-server
	141
	142	# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
	143	AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
	144	AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
	145	AcceptEnv LC_IDENTIFICATION LC_ALL
	146
	147	# Example of overriding settings on a per-user basis
	148	#Match User anoncvs
	149	# X11Forwarding no
	150	# AllowTcpForwarding no
	151	# PermitTTY no
	152	# ForceCommand cvs server