Diffstat (limited to 'tools/conf/etc/ssh')
-rw-r--r-- | tools/conf/etc/ssh/sshd_config | 33 |
1 files changed, 20 insertions, 13 deletions
diff --git a/tools/conf/etc/ssh/sshd_config b/tools/conf/etc/ssh/sshd_config index 6fd955a..495d183 100644 --- a/tools/conf/etc/ssh/sshd_config +++ b/tools/conf/etc/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -16,12 +16,7 @@ AddressFamily inet #ListenAddress 0.0.0.0 #ListenAddress :: - -# The default requires explicit activation of protocol 1 -Protocol 2 - #HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key @@ -29,8 +24,8 @@ Protocol 2 #RekeyLimit default none # Logging -#SyslogFacility AUTH -#LogLevel INFO +SyslogFacility AUTH +LogLevel INFO # Authentication: @@ -40,10 +35,11 @@ PermitRootLogin no #StrictModes yes MaxAuthTries 3 #MaxSessions 10 -MaxSessions 3 PubkeyAuthentication yes +AllowGroups admin users gitolite sshproxy + # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys @@ -90,7 +86,6 @@ ChallengeResponseAuthentication no # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no -#UsePAM no #AllowAgentForwarding yes #AllowTcpForwarding yes @@ -102,8 +97,6 @@ ChallengeResponseAuthentication no #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 
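Review bot: In the `@@ -40,10 +35,11 @@` hunk, `AllowGroups admin users gitolite sshproxy` lists `users`, which on some systems is a catch-all group for every regular account, so the allowlist may be wider than intended. It is worth confirming who is in that group or replacing it with a dedicated one. The same hunk removes `MaxSessions 3`, so the limit falls back to the default of 10 shown in the commented `#MaxSessions 10` line. If the tighter cap was deliberate for the restricted accounts, it could be kept per group with `MaxSessions 3` inside the `Match Group` blocks added later in this commit. A one-line comment above the directive, such as `# Only members of these groups may log in over SSH`, would record the intent.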
@@ -116,11 +109,25 @@ ChallengeResponseAuthentication no #VersionAddendum none # no default banner path -Banner /etc/issue +#Banner none # override default of no subsystems Subsystem sftp /usr/lib/ssh/sftp-server +Match Group gitolite + AllowAgentForwarding no + AllowTcpForwarding no + +Match Group sshproxy + AllowAgentForwarding no + PermitTTY no + PermitOpen 10.0.0.4:443 + PermitOpen 10.0.0.4:9418 + PermitOpen tribu.semdestino.org:443 + PermitOpen tribu.semdestino.org:9418 + ForceCommand echo 'This account can only be used for web proxy' + + # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no |
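Review bot: The `Match Group sshproxy` block limits forward destinations with `PermitOpen`, but that directive only governs client-to-server forwards. Global `AllowTcpForwarding` is left at its default (`#AllowTcpForwarding yes` is visible earlier in the file), so these accounts can still request remote (`-R`) forwards and, presumably, Unix-socket forwards. Adding `AllowTcpForwarding local` and `AllowStreamLocalForwarding no` to the block would close that. Separately, as far as I know sshd keeps only the first `PermitOpen` line it reads in a block and ignores later ones, so the four entries are safer written as one line: `PermitOpen 10.0.0.4:443 10.0.0.4:9418 tribu.semdestino.org:443 tribu.semdestino.org:9418`. The result can be checked with `sshd -T -C user=<member-of-sshproxy>` before deploying.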