summaryrefslogtreecommitdiff
path: root/sshd_config
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:18 +0000
committerColin Watson <cjwatson@debian.org>2020-10-18 12:07:21 +0100
commita0c9f82b05d33f3e2cf8e5442cee47c09d1a1dd8 (patch)
tree1d383167149b22907153635b676d52f824681d66 /sshd_config
parente8453621b2a26f8d6afec405ff60201749b01e5e (diff)
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. ssh: Include /etc/ssh/ssh_config.d/*.conf. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. sshd: Include /etc/ssh/sshd_config.d/*.conf. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2020-10-18 Patch-Name: debian-config.patch
Diffstat (limited to 'sshd_config')
-rw-r--r--sshd_config18
1 files changed, 12 insertions, 6 deletions
diff --git a/sshd_config b/sshd_config
index 2c48105f8..459c1b230 100644
--- a/sshd_config
+++ b/sshd_config
@@ -10,6 +10,8 @@
10# possible, but leave them commented. Uncommented options override the 10# possible, but leave them commented. Uncommented options override the
11# default value. 11# default value.
12 12
13Include /etc/ssh/sshd_config.d/*.conf
14
13#Port 22 15#Port 22
14#AddressFamily any 16#AddressFamily any
15#ListenAddress 0.0.0.0 17#ListenAddress 0.0.0.0
@@ -57,8 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys
57#PasswordAuthentication yes 59#PasswordAuthentication yes
58#PermitEmptyPasswords no 60#PermitEmptyPasswords no
59 61
60# Change to no to disable s/key passwords 62# Change to yes to enable challenge-response passwords (beware issues with
61#ChallengeResponseAuthentication yes 63# some PAM modules and threads)
64ChallengeResponseAuthentication no
62 65
63# Kerberos options 66# Kerberos options
64#KerberosAuthentication no 67#KerberosAuthentication no
@@ -81,16 +84,16 @@ AuthorizedKeysFile .ssh/authorized_keys
81# If you just want the PAM account and session checks to run without 84# If you just want the PAM account and session checks to run without
82# PAM authentication, then enable this but set PasswordAuthentication 85# PAM authentication, then enable this but set PasswordAuthentication
83# and ChallengeResponseAuthentication to 'no'. 86# and ChallengeResponseAuthentication to 'no'.
84#UsePAM no 87UsePAM yes
85 88
86#AllowAgentForwarding yes 89#AllowAgentForwarding yes
87#AllowTcpForwarding yes 90#AllowTcpForwarding yes
88#GatewayPorts no 91#GatewayPorts no
89#X11Forwarding no 92X11Forwarding yes
90#X11DisplayOffset 10 93#X11DisplayOffset 10
91#X11UseLocalhost yes 94#X11UseLocalhost yes
92#PermitTTY yes 95#PermitTTY yes
93#PrintMotd yes 96PrintMotd no
94#PrintLastLog yes 97#PrintLastLog yes
95#TCPKeepAlive yes 98#TCPKeepAlive yes
96#PermitUserEnvironment no 99#PermitUserEnvironment no
@@ -107,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
107# no default banner path 110# no default banner path
108#Banner none 111#Banner none
109 112
113# Allow client to pass locale environment variables
114AcceptEnv LANG LC_*
115
110# override default of no subsystems 116# override default of no subsystems
111Subsystem sftp /usr/libexec/sftp-server 117Subsystem sftp /usr/lib/openssh/sftp-server
112 118
113# Example of overriding settings on a per-user basis 119# Example of overriding settings on a per-user basis
114#Match User anoncvs 120#Match User anoncvs
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-02 13:41:15 +0000