#
# Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
#
# Configuration file for sshd(8) (see also sshd_config(5))
#
# Lines beginning with '#' are comments.  A keyword that is commented out
# falls back to the server's built-in default for that keyword.

# Protocol versions supported
#
# The sshd shipped in this release of Solaris has support for major versions
# 1 and 2.  It is recommended due to security weaknesses in the v1 protocol
# that sites run only v2 if possible. Support for v1 is provided to help sites
# with existing ssh v1 clients/servers to transition.
# Support for v1 may not be available in a future release of Solaris.
#
# To enable support for v1 an RSA1 key must be created with ssh-keygen(1).
# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they
# do not already exist, RSA1 keys for protocol v1 are not automatically created.

# Uncomment ONLY ONE of the following Protocol statements.

# Only v2 (recommended)
Protocol 2

# Both v1 and v2 (not recommended)
#Protocol 2,1

# Only v1 (not recommended)
#Protocol 1

# Listen port (the IANA registered port number for ssh is 22)
Port 22

# The default listen address is all interfaces, this may need to be changed
# if you wish to restrict the interfaces sshd listens on for a multi-homed host.
# Multiple ListenAddress entries are allowed.

# IPv4 only
#ListenAddress 0.0.0.0
# IPv4 & IPv6
ListenAddress ::

# If port forwarding is enabled (default), specify if the server can bind to
# INADDR_ANY.
# This allows the local port forwarding to work when connections are received
# from any remote host.
# Leave this at "no" unless remote hosts are meant to reach forwarded ports;
# "yes" exposes every client-requested forward to the whole network.
GatewayPorts no

# X11 tunneling options
# With forwarding enabled, programs run on this host during a session can
# reach the connecting client's X display; set X11Forwarding to no on hosts
# that do not need X11.
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

# The maximum number of concurrent unauthenticated connections to sshd.
# start:rate:full see sshd(8) for more information.
# The default is 10 unauthenticated clients.
#MaxStartups 10:30:60

# Banner to be printed before authentication starts.
#Banner /etc/issue

# Should sshd print the /etc/motd file and check for mail.
# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
PrintMotd no

# KeepAlive specifies whether keep alive messages are sent to the client.
# See sshd(8) for detailed description of what this means.
# Note that the client may also be sending keep alive messages to the server.
KeepAlive yes

# Syslog facility and level
# Successful and failed logins are recorded at this level; lowering it
# below "info" removes that audit trail.
SyslogFacility auth
LogLevel info

#
# Authentication configuration
#

# Host private key files
# Must be on a local disk and readable only by the root user (root:sys 600).
# Anyone able to read a host private key can impersonate this server.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Length of the server key (protocol v1 only; unused when Protocol is 2)
# Default 768, Minimum 512
ServerKeyBits 768

# sshd regenerates the key every KeyRegenerationInterval seconds (v1 only).
# The key is never stored anywhere except the memory of sshd.
# The default is 1 hour (3600 seconds).
KeyRegenerationInterval 3600

# Check ownership and permissions of the user's home directory and .ssh files
# before accepting a login, and refuse if they are writable by others.
StrictModes yes

# Length of time in seconds before a client that hasn't completed
# authentication is disconnected.
# Default is 600 seconds. 0 means no time limit (not recommended: stalled
# unauthenticated connections then occupy MaxStartups slots indefinitely).
LoginGraceTime 600

# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2.
# See sshd_config(5) for how MaxAuthTriesLog affects logging of failures.
MaxAuthTries	6
MaxAuthTriesLog	3

# Are logins to accounts with empty passwords allowed.
# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
# to pam_authenticate(3PAM).
PermitEmptyPasswords no

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
# Once users have public keys in place, setting this to no removes remote
# password guessing as an avenue of attack.
PasswordAuthentication yes

# Are root logins permitted using sshd.
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# may be denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
PermitRootLogin no

# sftp subsystem
Subsystem	sftp	internal-sftp


# SSH protocol v1 specific options
#
# The following options only apply to the v1 protocol and provide
# some form of backwards compatibility with the very weak security
# of /usr/bin/rsh.  Their use is not recommended and the functionality
# will be removed when support for v1 protocol is removed.

# Should sshd use .rhosts and .shosts for passwordless authentication.
IgnoreRhosts yes
RhostsAuthentication no

# Rhosts RSA Authentication
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
# If the user on the client side is not root then this won't work on
# Solaris since /usr/bin/ssh is not installed setuid.
RhostsRSAAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
#IgnoreUserKnownHosts yes

# Is pure RSA authentication allowed (protocol v1 only; protocol v2 public
# key authentication is controlled separately).
# Default is yes
RSAAuthentication yes