From 75a463a81c0c8d4ac1d48a6f70fc595c1e8c5fbc Mon Sep 17 00:00:00 2001 From: Knut Ahlers Date: Thu, 8 Feb 2018 15:02:56 +0100 Subject: [PATCH] Update sshd_config with current alpine version Signed-off-by: Knut Ahlers --- sshd_config | 128 +++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 101 insertions(+), 27 deletions(-) diff --git a/sshd_config b/sshd_config index 6a038ff..176a4ba 100644 --- a/sshd_config +++ b/sshd_config @@ -1,54 +1,128 @@ -# What ports, IPs and protocols we listen for +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + Port 22 -# Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: +#AddressFamily any #ListenAddress 0.0.0.0 -Protocol 2 -# HostKeys for protocol version 2 +#ListenAddress :: + HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key +# Ciphers and keying +#RekeyLimit default none + # Logging -SyslogFacility AUTH -LogLevel INFO +#SyslogFacility AUTH +#LogLevel INFO # Authentication: -LoginGraceTime 120 + +LoginGraceTime 2m PermitRootLogin no StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# similar for protocol version 2 +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes -# To enable empty passwords, change to yes (NOT RECOMMENDED) +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication yes PermitEmptyPasswords no -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -ChallengeResponseAuthentication no +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes -# Change to no to disable tunnelled clear text passwords -PasswordAuthentication yes +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +#UsePAM no + +AllowAgentForwarding no +AllowTcpForwarding no +#GatewayPorts no X11Forwarding no -X11DisplayOffset 10 +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes PrintMotd no -TCPKeepAlive yes +#PrintLastLog yes +#TCPKeepAlive yes #UseLogin no +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none -#MaxStartups 10:30:60 -#Banner /etc/issue.net +# no default banner path +#Banner none -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* +# override default of no subsystems +Subsystem sftp /usr/lib/ssh/sftp-server -Subsystem sftp /usr/lib/ssh/sftp-server +# the following are HPN related configuration options +# tcp receive buffer polling. disable in non autotuning kernels +#TcpRcvBufPoll yes + +# disable hpn performance boosts +#HPNDisabled no + +# buffer size for hpn to non-hpn connections +#HPNBufferSize 2048 + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server