about summary refs log tree commit diff stats
path: root/tools/conf/etc/ssh/sshd_config
diff options
context:
space:
mode:
authorSilvino Silva <silvino@bk.ru>2020-04-20 01:01:22 +0100
committerSilvino Silva <silvino@bk.ru>2020-04-20 01:01:22 +0100
commitfb54fa28e88afb7f9dcd7027b7c820ae8b43f802 (patch)
tree4987031dc2bc48a56484d611598b46f696a8889b /tools/conf/etc/ssh/sshd_config
parentfd186246f96768b8398f0ffe32ef136cb895fa21 (diff)
parent4216ad7e3cc4d4733034a50c122e4efa4ae08108 (diff)
downloaddoc-fb54fa28e88afb7f9dcd7027b7c820ae8b43f802.tar.gz
Merge branch 'master' into release
Diffstat (limited to 'tools/conf/etc/ssh/sshd_config')
-rw-r--r--tools/conf/etc/ssh/sshd_config33
1 files changed, 20 insertions, 13 deletions
diff --git a/tools/conf/etc/ssh/sshd_config b/tools/conf/etc/ssh/sshd_config
index 6fd955a..495d183 100644
--- a/tools/conf/etc/ssh/sshd_config
+++ b/tools/conf/etc/ssh/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -16,12 +16,7 @@ AddressFamily inet
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
-
-# The default requires explicit activation of protocol 1
-Protocol 2
-
 #HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key
 
@@ -29,8 +24,8 @@ Protocol 2
 #RekeyLimit default none
 
 # Logging
-#SyslogFacility AUTH
-#LogLevel INFO
+SyslogFacility AUTH
+LogLevel INFO
 
 # Authentication:
 
@@ -40,10 +35,11 @@ PermitRootLogin no
 #StrictModes yes
 MaxAuthTries 3
 #MaxSessions 10
-MaxSessions 3
 
 PubkeyAuthentication yes
 
+AllowGroups admin users gitolite sshproxy
+
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile	.ssh/authorized_keys
@@ -90,7 +86,6 @@ ChallengeResponseAuthentication no
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
-#UsePAM no
 
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
@@ -102,8 +97,6 @@ ChallengeResponseAuthentication no
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation sandbox
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
@@ -116,11 +109,25 @@ ChallengeResponseAuthentication no
 #VersionAddendum none
 
 # no default banner path
-Banner /etc/issue
+#Banner none
 
 # override default of no subsystems
 Subsystem	sftp	/usr/lib/ssh/sftp-server
 
+Match Group gitolite
+    AllowAgentForwarding no
+    AllowTcpForwarding no
+
+Match Group sshproxy
+    AllowAgentForwarding no
+    PermitTTY no
+    PermitOpen 10.0.0.4:443
+    PermitOpen 10.0.0.4:9418
+    PermitOpen tribu.semdestino.org:443
+    PermitOpen tribu.semdestino.org:9418
+    ForceCommand echo 'This account can only be used for web proxy'
+
+
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no