1. # Package generated configuration file
  2. # See the sshd_config(5) manpage for details
  3. # What ports, IPs and protocols we listen for
  4. Port 10017
  5. # Use these options to restrict which interfaces/protocols sshd will bind to
  6. #ListenAddress ::
  7. #ListenAddress 0.0.0.0
  8. Protocol 2
  9. # HostKeys for protocol version 2
  10. HostKey /etc/ssh/ssh_host_rsa_key
  11. HostKey /etc/ssh/ssh_host_dsa_key
  12. HostKey /etc/ssh/ssh_host_ecdsa_key
  13. #Privilege Separation is turned on for security
  14. UsePrivilegeSeparation yes
  15. # Lifetime and size of ephemeral version 1 server key
  16. KeyRegenerationInterval 3600
  17. ServerKeyBits 768
  18. # Logging
  19. SyslogFacility AUTH
  20. LogLevel INFO
  21. # Authentication:
  22. LoginGraceTime 120
  23. PermitRootLogin no
  24. StrictModes yes
  25. RSAAuthentication yes
  26. PubkeyAuthentication yes
  27. #AuthorizedKeysFile %h/.ssh/authorized_keys
  28. # Don't read the user's ~/.rhosts and ~/.shosts files
  29. IgnoreRhosts yes
  30. # For this to work you will also need host keys in /etc/ssh_known_hosts
  31. RhostsRSAAuthentication no
  32. # similar for protocol version 2
  33. HostbasedAuthentication no
  34. # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
  35. #IgnoreUserKnownHosts yes
  36. # To enable empty passwords, change to yes (NOT RECOMMENDED)
  37. PermitEmptyPasswords no
  38. # Change to yes to enable challenge-response passwords (beware issues with
  39. # some PAM modules and threads)
  40. ChallengeResponseAuthentication no
  41. # Change to no to disable tunnelled clear text passwords
  42. #PasswordAuthentication yes
  43. # Kerberos options
  44. #KerberosAuthentication no
  45. #KerberosGetAFSToken no
  46. #KerberosOrLocalPasswd yes
  47. #KerberosTicketCleanup yes
  48. # GSSAPI options
  49. #GSSAPIAuthentication no
  50. #GSSAPICleanupCredentials yes
  51. X11Forwarding yes
  52. X11DisplayOffset 10
  53. PrintMotd no
  54. PrintLastLog yes
  55. TCPKeepAlive yes
  56. #UseLogin no
  57. #MaxStartups 10:30:60
  58. #Banner /etc/issue.net
  59. # Allow client to pass locale environment variables
  60. AcceptEnv LANG LC_*
  61. ###############
  62. # chroot sftp we need to replace the line "Subsystem sftp /usr/lib/openssh/sftp-server" with "Subsystem sftp internal-sftp"
  63. ###############
  64. #Subsystem sftp /usr/lib/openssh/sftp-server
  65. Subsystem sftp internal-sftp
  66. # Set this to 'yes' to enable PAM authentication, account processing,
  67. # and session processing. If this is enabled, PAM authentication will
  68. # be allowed through the ChallengeResponseAuthentication and
  69. # PasswordAuthentication. Depending on your PAM configuration,
  70. # PAM authentication via ChallengeResponseAuthentication may bypass
  71. # the setting of "PermitRootLogin without-password".
  72. # If you just want the PAM account and session checks to run without
  73. # PAM authentication, then enable this but set PasswordAuthentication
  74. # and ChallengeResponseAuthentication to 'no'.
  75. UsePAM yes
  76. ###############
  77. # chrooted sftp
  78. ###############
  79. Match Group sftponly
  80. ChrootDirectory /var/www
  81. X11Forwarding no
  82. ForceCommand internal-sftp
  83. AllowTcpForwarding no

sshd

Comments powered by Disqus