Appendix - Sample sshd_config File
The following is a sample sshd_config file that contains descriptions for many of the options available for OpenSSH. Many of these descriptions were taken directly from the man page for sshd. The option names and defaults are those of the OpenSSH 3.x-era sshd(8) man page; later releases renamed or removed several of them (for example KeepAlive became TCPKeepAlive, VerifyReverseMapping became UseDNS, and the protocol version 1 options no longer exist), so check the man page for the version you actually run.
Note: Some of the settings specified below may be machine- or installation-specific, so read through the description for each option and make sure you understand it before you implement it.
# Specifies whether an AFS token may be forwarded to the server.
# Default is "yes".
#AFSTokenPassing

# This keyword can be followed by a list of group name patterns,
# separated by spaces.  If specified, login is allowed only for
# users whose primary group or supplementary group list matches one
# of the patterns.  '*' and '?' can be used as wildcards in the
# patterns.  Only group names are valid; a numerical group ID is
# not recognized.  By default, login is allowed for all groups.
AllowGroups *

# Specifies whether TCP forwarding is permitted.  The default is
# "yes".  Note that disabling TCP forwarding does not improve
# security unless users are also denied shell access, as they can
# always install their own forwarders.
AllowTcpForwarding yes

# This keyword can be followed by a list of user name patterns,
# separated by spaces.  If specified, login is allowed only for
# user names that match one of the patterns.  '*' and '?' can be
# used as wildcards in the patterns.  Only user names are valid; a
# numerical user ID is not recognized.  By default, login is
# allowed for all users.  If the pattern takes the form USER@HOST
# then USER and HOST are separately checked, restricting logins to
# particular users from particular hosts.
AllowUsers *

# Specifies the file that contains the public keys that can be used
# for user authentication.  AuthorizedKeysFile may contain tokens
# of the form %T which are substituted during connection set-up.
# The following tokens are defined: %% is replaced by a literal
# '%', %h is replaced by the home directory of the user being
# authenticated and %u is replaced by the username of that user.
# After expansion, AuthorizedKeysFile is taken to be an absolute
# path or one relative to the user's home directory.  The default
# is ".ssh/authorized_keys".
AuthorizedKeysFile %h/.ssh/authorized_keys

# In some jurisdictions, sending a warning message before
# authentication may be relevant for getting legal protection.  The
# contents of the specified file are sent to the remote user before
# authentication is allowed.  This option is only available for
# protocol version 2.
Banner /etc/issue

# Specifies whether challenge response authentication is allowed.
# All authentication styles from login.conf(5) are supported.  The
# default is "yes".
ChallengeResponseAuthentication no

# Specifies the ciphers allowed for protocol version 2.  Multiple
# ciphers must be comma-separated.  The default is
# "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
# aes192-cbc,aes256-cbc".
# Note that arcfour and 3des-cbc are weak by current standards;
# drop them if all of your clients support the AES ciphers.
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc

# Sets a timeout interval in seconds after which, if no data has
# been received from the client, sshd will send a message through
# the encrypted channel to request a response from the client.  The
# default is 0, indicating that these messages will not be sent to
# the client.  This option applies to protocol version 2 only.
ClientAliveInterval 0

# Sets the number of client alive messages (see above) which may be
# sent without sshd receiving any messages back from the client.  If
# this threshold is reached while client alive messages are being
# sent, sshd will disconnect the client, terminating the session.
# It is important to note that the use of client alive messages is
# very different from KeepAlive (below).  The client alive messages
# are sent through the encrypted channel and therefore will not be
# spoofable.  The TCP keepalive option enabled by KeepAlive is
# spoofable.  The client alive mechanism is valuable when the client
# or server depend on knowing when a connection has become
# inactive.
# The default value is 3.  If ClientAliveInterval (above) is set to
# 15, and ClientAliveCountMax is left at the default, unresponsive
# ssh clients will be disconnected after approximately 45 seconds.
ClientAliveCountMax 3

# This keyword can be followed by a list of group name patterns,
# separated by spaces.  Login is disallowed for users whose primary
# group or supplementary group list matches one of the patterns.
# '*' and '?' can be used as wildcards in the patterns.  Only group
# names are valid; a numerical group ID is not recognized.  By
# default, login is allowed for all groups.
#DenyGroups

# This keyword can be followed by a list of user name patterns,
# separated by spaces.  Login is disallowed for user names that
# match one of the patterns.  '*' and '?' can be used as wildcards
# in the patterns.  Only user names are valid; a numerical user ID
# is not recognized.  By default, login is allowed for all users.
# If the pattern takes the form USER@HOST then USER and HOST are
# separately checked, restricting logins to particular users from
# particular hosts.
#DenyUsers

# Specifies whether remote hosts are allowed to connect to ports
# forwarded for the client.  By default, sshd binds remote port
# forwardings to the loopback address.  This prevents other remote
# hosts from connecting to forwarded ports.  GatewayPorts can be
# used to specify that sshd should bind remote port forwardings to
# the wildcard address, thus allowing remote hosts to connect to
# forwarded ports.  The argument must be "yes" or "no".  The
# default is "no".
GatewayPorts no

# Specifies whether rhosts or /etc/hosts.equiv authentication
# together with successful public key client host authentication is
# allowed (hostbased authentication).  This option is similar to
# RhostsRSAAuthentication and applies to protocol version 2 only.
# The default is "no".
HostbasedAuthentication no

# Specifies a file containing a private host key used by SSH.  The
# default is /etc/ssh/sshuser_key for protocol version 1, and
# /etc/ssh/sshuser_rsa_key and /etc/ssh/sshuser_dsa_key for
# protocol version 2.  Note that sshd will refuse to use a file if
# it is group/world-accessible.  It is possible to have multiple
# host key files.  "rsa1" keys are used for version 1 and "dsa"
# or "rsa" are used for version 2 of the SSH protocol.
HostKey /etc/ssh/sshuser_rsa_key
HostKey /etc/ssh/sshuser_dsa_key

# Specifies that .rhosts and .shosts files will not be used in
# RhostsAuthentication, RhostsRSAAuthentication or
# HostbasedAuthentication.
# /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.  The
# default is "yes".
IgnoreRhosts yes

# Specifies whether sshd should ignore the user's
# $HOME/.ssh/known_hosts during RhostsRSAAuthentication or
# HostbasedAuthentication.  The default is "no".
IgnoreUserKnownHosts no

# Specifies whether the system should send TCP keepalive messages
# to the other side.  If they are sent, death of the connection or
# crash of one of the machines will be properly noticed.  However,
# this means that connections will die if the route is down
# temporarily, and some people find it annoying.  On the other
# hand, if keepalives are not sent, sessions may hang indefinitely
# on the server, leaving "ghost" users and consuming server
# resources.
# The default is "yes" (to send keepalives), and the server will
# notice if the network goes down or the client host crashes.  This
# avoids infinitely hanging sessions.
# To disable keepalives, the value should be set to "no".
KeepAlive yes

# Specifies whether Kerberos authentication is allowed.  This can
# be in the form of a Kerberos ticket, or if PasswordAuthentication
# is yes, the password provided by the user will be validated
# through the Kerberos KDC.  To use this option, the server needs a
# Kerberos servtab which allows the verification of the KDC's
# identity.  Default is "yes".
#KerberosAuthentication

# If set, then if password authentication through Kerberos fails
# the password will be validated via any additional local
# mechanism such as /etc/passwd.  Default is "yes".
#KerberosOrLocalPasswd

# Specifies whether a Kerberos TGT may be forwarded to the server.
# Default is "no", as this only works when the Kerberos KDC is
# actually an AFS kaserver.
#KerberosTgtPassing

# Specifies whether to automatically destroy the user's ticket
# cache file on logout.  Default is "yes".
#KerberosTicketCleanup

# In protocol version 1, the ephemeral server key is automatically
# regenerated after this many seconds (if it has been used).  The
# purpose of regeneration is to prevent decrypting captured
# sessions by later breaking into the machine and stealing the
# keys.  The key is never stored anywhere.  If the value is 0, the
# key is never regenerated.  The default is 3600 (seconds).
#KeyRegenerationInterval

# Specifies whether PAM challenge response authentication is
# allowed.  This allows the use of most PAM challenge response
# authentication modules, but it will allow password authentication
# regardless of whether PasswordAuthentication is disabled.  The
# default is "no".
PAMAuthenticationViaKbdInt no

# Specifies the port number that sshd listens on.  The default is
# 22.  Multiple options of this type are permitted.  See also
# ListenAddress.
Port 22

# Specifies the local addresses sshd should listen on.  The
# following forms may be used:
#   ListenAddress host|IPv4_addr|IPv6_addr
#   ListenAddress host|IPv4_addr:port
#   ListenAddress [host|IPv6_addr]:port
# If port is not specified, sshd will listen on the address and all
# prior Port options specified.  The default is to listen on all
# local addresses.  Multiple ListenAddress options are permitted.
# Additionally, any Port options must precede this option for
# non-port-qualified addresses.
ListenAddress 0.0.0.0

# The server disconnects after this time if the user has not
# successfully logged in.  If the value is 0, there is no time
# limit.  The default is 600 (seconds).
LoginGraceTime 60

# Gives the verbosity level that is used when logging messages from
# sshd.  The possible values are: QUIET, FATAL, ERROR, INFO,
# VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.  The default is INFO.
# DEBUG and DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify
# higher levels of debugging output.  Logging with a DEBUG level
# violates the privacy of users and is not recommended.
LogLevel INFO

# Specifies the available MAC (message authentication code)
# algorithms.  The MAC algorithm is used in protocol version 2 for
# data integrity protection.  Multiple algorithms must be comma-
# separated.  The default is
# "hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96".
# Note that hmac-md5 and the 96-bit truncated MACs are weak by
# current standards; prefer the full-length SHA-1 MAC if your
# clients support it.
MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

# Specifies the maximum number of concurrent unauthenticated
# connections to the sshd daemon.  Additional connections will be
# dropped until authentication succeeds or the LoginGraceTime
# expires for a connection.  The default is 10.
# Alternatively, random early drop can be enabled by specifying the
# three colon separated values "start:rate:full" (e.g.,
# "10:30:60").  sshd will refuse connection attempts with a
# probability of "rate/100" (30%) if there are currently
# "start" (10) unauthenticated connections.  The probability
# increases linearly and all connection attempts are refused if the
# number of unauthenticated connections reaches "full" (60).
MaxStartups 10

# Specifies whether password authentication is allowed.  The
# default is "yes".
PasswordAuthentication yes

# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.  The
# default is "no".
PermitEmptyPasswords no

# Specifies whether root can login using ssh(1).  The argument must
# be "yes", "without-password", "forced-commands-only" or
# "no".  The default is "yes".
# If this option is set to "without-password" password
# authentication is disabled for root.
# If this option is set to "forced-commands-only" root login with
# public key authentication will be allowed, but only if the
# command option has been specified (which may be useful for taking
# remote backups even if root login is normally not allowed).  All
# other authentication methods are disabled for root.
# If this option is set to "no" root is not allowed to login.
PermitRootLogin forced-commands-only

# Specifies the file that contains the process identifier of the
# sshd daemon.  The default is /var/run/sshd.pid.
PidFile /etc/ssh/sshd.pid

# Specifies whether sshd should print the date and time when the
# user last logged in.  The default is "yes".
PrintLastLog yes

# Specifies whether sshd should print /etc/motd when a user logs in
# interactively.  (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)  The default is "yes".
PrintMotd yes

# Specifies the protocol versions sshd should support.  The
# possible values are "1" and "2".  Multiple versions must be
# comma-separated.  The default is "2,1".
Protocol 2

# Specifies whether public key authentication is allowed.  The
# default is "yes".  Note that this option applies to protocol
# version 2 only.
PubkeyAuthentication yes

# Specifies whether authentication using rhosts or /etc/hosts.equiv
# files is sufficient.  Normally, this method should not be
# permitted because it is insecure.  RhostsRSAAuthentication should
# be used instead, because it performs RSA-based host
# authentication in addition to normal rhosts or /etc/hosts.equiv
# authentication.  The default is "no".  This option applies to
# protocol version 1 only.
#RhostsAuthentication

# Specifies whether rhosts or /etc/hosts.equiv authentication
# together with successful RSA host authentication is allowed.  The
# default is "no".  This option applies to protocol version 1
# only.
#RhostsRSAAuthentication

# Specifies whether pure RSA authentication is allowed.  The
# default is "yes".  This option applies to protocol version 1
# only.
#RSAAuthentication

# Defines the number of bits in the ephemeral protocol version 1
# server key.  The minimum value is 512, and the default is 768.
#ServerKeyBits

# Specifies whether sshd should check file modes and ownership of
# the user's files and home directory before accepting login.  This
# is normally desirable because novices sometimes accidentally
# leave their directory or files world-writable.  The default is
# "yes".
StrictModes yes

# Configures an external subsystem (e.g., file transfer daemon).
# Arguments should be a subsystem name and a command to execute
# upon subsystem request.  The command sftp-server(8) implements
# the "sftp" file transfer subsystem.  By default no subsystems
# are defined.  Note that this option applies to protocol version 2
# only.
Subsystem sftp /opt/corp/local/openSSH/sbin/sftp-server

# Gives the facility code that is used when logging messages from
# sshd.  The possible values are: DAEMON, USER, AUTH, LOCAL0,
# LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The
# default is AUTH.
SyslogFacility AUTH

# Specifies whether login(1) is used for interactive login
# sessions.  The default is "no".  Note that login(1) is never
# used for remote command execution.  Note also that if this is
# enabled, X11Forwarding will be disabled because login(1) does not
# know how to handle xauth(1) cookies.
UseLogin no

# Specifies whether sshd should try to verify the remote host name
# and check that the resolved host name for the remote IP address
# maps back to the very same IP address.  The default is "no".
VerifyReverseMapping no

# Specifies the first display number available for sshd's X11
# forwarding.  This prevents sshd from interfering with real X11
# servers.  The default is 10.
X11DisplayOffset 10

# Specifies whether X11 forwarding is permitted.  The default is
# "no".  Note that disabling X11 forwarding does not prevent users
# from forwarding X11 traffic, as they can always install their own
# forwarders; enabling it does, however, expose the X server of any
# client that requests forwarding to programs run on this host.
# X11 forwarding is automatically disabled if UseLogin is enabled.
X11Forwarding no

# Specifies whether sshd should bind the X11 forwarding server to
# the loopback address or to the wildcard address.  By default,
# sshd binds the forwarding server to the loopback address and sets
# the hostname part of the DISPLAY environment variable to
# "localhost".  This prevents remote hosts from connecting to the
# fake display.  However, some older X11 clients may not function
# with this configuration.  X11UseLocalhost may be set to "no" to
# specify that the forwarding server should be bound to the
# wildcard address.  The argument must be "yes" or "no".  The
# default is "yes".
X11UseLocalhost yes

# Specifies the location of the xauth(1) program.  The default is
# /usr/bin/X11/xauth.
XAuthLocation /usr/bin/X11/xauth
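The sample above sets each option once, but a real sshd_config accumulates edits over the years, and sshd keeps the first value it sees for a keyword and silently ignores later repeats (only keywords such as Port, ListenAddress, HostKey, Subsystem and the Allow/Deny lists take several lines). The following audit script is an added example, not part of the original appendix or of OpenSSH: it parses a config with those semantics and checks the settings the appendix discusses (Protocol, PermitRootLogin, PermitEmptyPasswords, LogLevel, GatewayPorts, StrictModes, Ciphers, MACs and LoginGraceTime) against the man-page defaults quoted above. The two embedded configs are constructed for the example; which ciphers, MACs and grace time count as "weak" is the author's judgement, not something the appendix states.

```python
"""Audit an sshd_config for the settings discussed in the appendix.

Added example, not OpenSSH code.  Parsing follows sshd's rule that the
first value given for a keyword wins; keyword matching is case-insensitive.
"""
import re

# Keywords sshd accumulates across lines instead of first-occurrence-wins.
MULTI_VALUED = {"port", "listenaddress", "hostkey", "subsystem",
                "allowusers", "allowgroups", "denyusers", "denygroups"}

# Man-page defaults quoted in the appendix, used when a keyword is absent.
DEFAULTS = {
    "protocol": "2,1", "permitrootlogin": "yes", "passwordauthentication": "yes",
    "permitemptypasswords": "no", "loglevel": "INFO", "gatewayports": "no",
    "strictmodes": "yes", "logingracetime": "600",
    "ciphers": "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc",
    "macs": "hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96",
}
# Author's judgement of what is weak today (not stated by the appendix).
WEAK_CIPHERS = {"arcfour", "3des-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
MAX_GRACE_SECONDS = 120

# Constructed sample: a permissive config with a duplicated keyword.
WEAK_CONFIG = """\
Protocol 2,1
Port 22
Port 2222
PermitRootLogin yes
# sshd ignores this second PermitRootLogin: the first value wins
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords yes
LogLevel DEBUG
GatewayPorts yes
Ciphers aes128-cbc,3des-cbc,arcfour
MACs hmac-md5,hmac-sha1
StrictModes no
LoginGraceTime 600
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample: the security-relevant lines of the appendix's file.
APPENDIX_SAMPLE = """\
Protocol 2
Port 22
ListenAddress 0.0.0.0
PermitRootLogin forced-commands-only
PasswordAuthentication yes
PermitEmptyPasswords no
LogLevel INFO
GatewayPorts no
StrictModes yes
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
LoginGraceTime 60
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value} (a list for MULTI_VALUED keywords)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" or "Keyword=value"; the value may contain spaces.
        m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in MULTI_VALUED:
            cfg.setdefault(key, []).append(value)
        elif key not in cfg:          # first occurrence wins, as in sshd
            cfg[key] = value
    return cfg


def audit(cfg):
    """Return a list of (Keyword, message) findings for a parsed config."""
    get = lambda k: cfg.get(k, DEFAULTS[k])
    findings = []
    if "1" in get("protocol").split(","):
        findings.append(("Protocol", "protocol version 1 is enabled; use 'Protocol 2'"))
    if get("permitrootlogin").lower() == "yes":
        findings.append(("PermitRootLogin", "root may log in by any method; prefer 'no' or 'forced-commands-only'"))
    if get("passwordauthentication").lower() == "yes" and get("permitemptypasswords").lower() == "yes":
        findings.append(("PermitEmptyPasswords", "accounts with empty passwords can log in"))
    if get("loglevel").upper().startswith("DEBUG"):
        findings.append(("LogLevel", "DEBUG logging violates user privacy; use INFO or VERBOSE"))
    if get("gatewayports").lower() == "yes":
        findings.append(("GatewayPorts", "remote port forwardings are bound to the wildcard address"))
    if get("strictmodes").lower() == "no":
        findings.append(("StrictModes", "world-writable ~/.ssh files are not rejected"))
    bad = sorted(WEAK_CIPHERS & set(get("ciphers").split(",")))
    if bad:
        findings.append(("Ciphers", "weak ciphers enabled: " + ",".join(bad)))
    bad = sorted(WEAK_MACS & set(get("macs").split(",")))
    if bad:
        findings.append(("MACs", "weak MACs enabled: " + ",".join(bad)))
    grace = get("logingracetime")
    if not grace.isdigit() or int(grace) == 0 or int(grace) > MAX_GRACE_SECONDS:
        findings.append(("LoginGraceTime", "unauthenticated connections may linger; use %d or less" % MAX_GRACE_SECONDS))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("appendix", APPENDIX_SAMPLE)):
        print("==", name)
        for keyword, msg in audit(parse_sshd_config(text)):
            print("%-22s %s" % (keyword, msg))
```

Run it against a live file with `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))`; note that the appendix's own sample still trips the Ciphers and MACs checks, because it keeps the old default algorithm lists.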