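# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
#
# Layout: one directive per line. sshd_config is line-oriented, so a
# directive that ends up on the same line as a "#" comment is ignored.
# Validate after every edit with `sshd -t` and inspect the effective
# settings with `sshd -T` before reloading the daemon.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# If you want to change the port on a SELinux system, you have to tell SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
# NOTE(review): both Port lines are active, so sshd listens on 22 and on 1907.
# If 1907 was meant to replace the default port, remove the "Port 22" line;
# otherwise firewall rules and monitoring have to cover both listeners.
Port 22
Port 1907
# IPv4 only.
AddressFamily inet
#ListenAddress 0.0.0.0
#ListenAddress ::
Protocol 2

# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

# Previous algorithm lists, kept commented out for reference only.
#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
#Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
#MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

# Active algorithm lists: no CBC or 3DES ciphers and no SHA-1 MACs.
# AEAD ciphers and encrypt-then-MAC variants are listed first.
# NOTE(review): the non-ETM MACs at the end of the MACs list are fallbacks for
# older clients; drop them once every client supports the -etm variants.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Ciphers and keying
# "default none": rekey after the cipher's default amount of data, with no
# time-based rekeying.
RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTHPRIV
LogLevel INFO

# Authentication:

# Unauthenticated connections are dropped after 15 seconds, and each
# connection gets at most 3 authentication attempts.
LoginGraceTime 15s
# NOTE(review): root may log in directly, and PasswordAuthentication is "yes"
# below, so the root password is guessable over the network on both ports.
# Prefer "PermitRootLogin without-password" (key-only) or "no" combined with
# sudo from a named account. Install and test a root key, or the named
# account's access, before changing this, to avoid a lock-out.
PermitRootLogin yes
StrictModes yes
MaxAuthTries 3
MaxSessions 10

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# NOTE(review): password logins are enabled for every account in AllowUsers.
# Once each of those accounts has a working key in AuthorizedKeysFile, set
# PasswordAuthentication to "no" so that only public-key logins are accepted.
PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# ChallengeResponseAuthentication is "no" above, so here PAM is reached
# through PasswordAuthentication only.
UsePAM yes

# Global defaults deny forwarding and PTY allocation; the Match blocks at the
# end of this file re-enable them per user.
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
# NOTE(review): "no" binds the X11 forwarding listener to the wildcard address
# instead of loopback. X11Forwarding is off here but switched on for root in
# the Match block below, so root's forwarded display is reachable from other
# hosts. Set this to "yes" unless a legacy X client really needs the wildcard
# bind.
X11UseLocalhost no
PermitTTY no
PrintMotd yes
PrintLastLog yes
# NOTE(review): TCP keepalives are not protected by the SSH transport. The
# ClientAlive* probes below are sent inside the encrypted channel but are
# commented out, so unresponsive sessions are not reaped at the SSH layer.
TCPKeepAlive yes
# NOTE(review): commented out, so the compiled-in default applies. On releases
# of this era that may be privilege separation without the pre-auth sandbox;
# confirm with `sshd -T` and enable the line if so.
#UsePrivilegeSeparation sandbox		# Default for new installations.
PermitUserEnvironment no
Compression delayed
#ClientAliveInterval 300
#ClientAliveCountMax 10
UseDNS no
PidFile /var/run/sshd.pid
# start:rate:full. From 10 unauthenticated connections sshd refuses new ones
# with 30% probability, rising linearly to 100% at 60.
MaxStartups 10:30:60
PermitTunnel no
ChrootDirectory none
# Appended to the protocol banner sent to every connecting client before
# authentication.
VersionAddendum Fuck_Off!

# Only these accounts may log in over SSH; every other user is refused.
# NOTE(review): root is on the list. See the PermitRootLogin note above.
AllowUsers root vampi madalin sonykss smiti sara
Banner /etc/issue.net

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
# sftp-server logs to AUTHPRIV at INFO, so file transfers are logged to the
# same syslog facility as logins.
Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO

### Example of overriding settings on a per-user basis
# A Match block runs until the next Match line or the end of the file, so
# global directives must stay above this point.

# root: PTY, TCP forwarding and X11 forwarding enabled, pre-login banner off.
Match User root
    AllowTcpForwarding yes
    X11Forwarding yes
    PermitTTY yes
    Banner none

# Named accounts: interactive PTY only; forwarding stays disabled.
Match User vampi
    PermitTTY yes
Match User madalin
    PermitTTY yes
Match User sonykss
    PermitTTY yes
Match User smiti
    PermitTTY yes
Match user sara
    PermitTTY yes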