sonic-openssh/sshd_config

# This is ssh server systemwide configuration file.

Port 22
#Protocol 2,1
ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Uncomment to disable s/key passwords 
#SkeyAuthentication no
#KbdInteractiveAuthentication yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

CheckMail no
#UseLogin no

# Uncomment if you want to enable sftp
#Subsystem	sftp	/usr/libexec/sftp-server
#MaxStartups 10:30:60
Initial revision 1999-10-27 07:42:43 +04:00			`# This is ssh server systemwide configuration file.`

			`Port 22`
- OpenBSD CVS updates [channels.c] - fix pr 1196, listen_port and port_to_connect interchanged [scp.c] - after completion, replace the progress bar ETA counter with a final elapsed time; my idea, aaron wrote the patch [ssh_config sshd_config] - show 'Protocol' as an example, ok markus@ [sshd.c] - missing xfree() - Add missing header to bsd-misc.c 2000-04-19 10:26:12 +04:00			`#Protocol 2,1`
Initial revision 1999-10-27 07:42:43 +04:00			`ListenAddress 0.0.0.0`
- Merged OpenBSD IPv6 patch: - [sshd.c sshd.8 sshconnect.c ssh.h ssh.c servconf.h servconf.c scp.1] [scp.c packet.h packet.c login.c log.c canohost.c channels.c] [hostfile.c sshd_config] ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from fujiwara@rcac.tdi.co.jp) - [ssh.c canohost.c] more hints (hints.ai_socktype=SOCK_STREAM) for getaddrinfo, from itojun@ - [channels.c] listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE) - [packet.h] allow auth-kerberos for IPv4 only - [scp.1 sshd.8 servconf.h scp.c] document -4, -6, and 'ssh -L 2022/::1/22' - [ssh.c] 'ssh @host' is illegal (null user name), from karsten@gedankenpolizei.de - [sshconnect.c] better error message - [sshd.c] allow auth-kerberos for IPv4 only - Big IPv6 merge: - Cleanup overrun in sockaddr copying on RHL 6.1 - Replacements for getaddrinfo, getnameinfo, etc based on versions from patch from KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> - Replacement for missing structures on systems that lack IPv6 - record_login needed to know about AF_INET6 addresses - Borrowed more code from OpenBSD: rresvport_af and requisites 2000-01-14 07:45:46 +03:00			`#ListenAddress ::`
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 15:13:36 +03:00			`HostKey /etc/ssh_host_key`
Initial revision 1999-10-27 07:42:43 +04:00			`ServerKeyBits 768`
			`LoginGraceTime 600`
			`KeyRegenerationInterval 3600`
			`PermitRootLogin yes`
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 15:13:36 +03:00			`#`
			`# Don't read ~/.rhosts and ~/.shosts files`
			`IgnoreRhosts yes`
			`# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication`
			`#IgnoreUserKnownHosts yes`
Initial revision 1999-10-27 07:42:43 +04:00			`StrictModes yes`
- Merged changes from OpenBSD CVS - [sshd.c] session_key_int may be zero - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config] IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert - Brought default sshd_config more in line with OpenBSDs 1999-11-12 03:33:04 +03:00			`X11Forwarding no`
Initial revision 1999-10-27 07:42:43 +04:00			`X11DisplayOffset 10`
			`PrintMotd yes`
			`KeepAlive yes`
- Tidied default config file some more - Revised Redhat initscript to fix bug: sshd (re)start would fail if executed from inside a ssh login. 1999-11-13 15:56:35 +03:00
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 15:13:36 +03:00			`# Logging`
Initial revision 1999-10-27 07:42:43 +04:00			`SyslogFacility AUTH`
- Tidied default config file some more - Revised Redhat initscript to fix bug: sshd (re)start would fail if executed from inside a ssh login. 1999-11-13 15:56:35 +03:00			`LogLevel INFO`
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 15:13:36 +03:00			`#obsoletes QuietMode and FascistLogging`
Cleanup of default config for new LogLevel option and better readability 1999-11-11 13:07:00 +03:00
- Tidied default config file some more - Revised Redhat initscript to fix bug: sshd (re)start would fail if executed from inside a ssh login. 1999-11-13 15:56:35 +03:00			`RhostsAuthentication no`
- Merged changes from OpenBSD CVS - [sshd.c] session_key_int may be zero - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config] IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert - Brought default sshd_config more in line with OpenBSDs 1999-11-12 03:33:04 +03:00			`#`
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 15:13:36 +03:00			`# For this to work you will also need host keys in /etc/ssh_known_hosts`
			`RhostsRSAAuthentication no`
- Merged changes from OpenBSD CVS - [sshd.c] session_key_int may be zero - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config] IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert - Brought default sshd_config more in line with OpenBSDs 1999-11-12 03:33:04 +03:00			`#`
Initial revision 1999-10-27 07:42:43 +04:00			`RSAAuthentication yes`

			`# To disable tunneled clear text passwords, change to no here!`
			`PasswordAuthentication yes`
			`PermitEmptyPasswords no`
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 15:13:36 +03:00			`# Uncomment to disable s/key passwords`
Initial revision 1999-10-27 07:42:43 +04:00			`#SkeyAuthentication no`
- (djm) Big OpenBSD sync: - markus@cvs.openbsd.org 2000/09/30 10:27:44 [log.c] allow loglevel debug - markus@cvs.openbsd.org 2000/10/03 11:59:57 [packet.c] hmac->mac - markus@cvs.openbsd.org 2000/10/03 12:03:03 [auth-krb4.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth1.c] move fake-auth from auth1.c to individual auth methods, disables s/key in debug-msg - markus@cvs.openbsd.org 2000/10/03 12:16:48 ssh.c do not resolve canonname, i have no idea why this was added oin ossh - markus@cvs.openbsd.org 2000/10/09 15:30:44 ssh-keygen.1 ssh-keygen.c -X now reads private ssh.com DSA keys, too. - markus@cvs.openbsd.org 2000/10/09 15:32:34 auth-options.c clear options on every call. - markus@cvs.openbsd.org 2000/10/09 15:51:00 authfd.c authfd.h interop with ssh-agent2, from <res@shore.net> - markus@cvs.openbsd.org 2000/10/10 14:20:45 compat.c use rexexp for version string matching - provos@cvs.openbsd.org 2000/10/10 22:02:18 [kex.c kex.h myproposal.h ssh.h ssh2.h sshconnect2.c sshd.c dh.c dh.h] First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company. - markus@cvs.openbsd.org 2000/10/11 13:59:52 [auth-rsa.c auth2.c] clear auth options unless auth sucessfull - markus@cvs.openbsd.org 2000/10/11 14:00:27 [auth-options.h] clear auth options unless auth sucessfull - markus@cvs.openbsd.org 2000/10/11 14:03:27 [scp.1 scp.c] support 'scp -o' with help from mouring@pconline.com - markus@cvs.openbsd.org 2000/10/11 14:11:35 [dh.c] Wall - markus@cvs.openbsd.org 2000/10/11 14:14:40 [auth.h auth2.c readconf.c readconf.h readpass.c servconf.c servconf.h] [ssh.h sshconnect2.c sshd_config auth2-skey.c cli.c cli.h] add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me - markus@cvs.openbsd.org 2000/10/11 14:27:24 [auth.c auth1.c auth2.c authfile.c cipher.c cipher.h kex.c kex.h] [myproposal.h packet.c readconf.c session.c ssh.c ssh.h sshconnect1.c] [sshconnect2.c sshd.c] new cipher framework - markus@cvs.openbsd.org 2000/10/11 14:45:21 [cipher.c] remove DES - markus@cvs.openbsd.org 2000/10/12 03:59:20 [cipher.c cipher.h sshconnect1.c sshconnect2.c sshd.c] enable DES in SSH-1 clients only - markus@cvs.openbsd.org 2000/10/12 08:21:13 [kex.h packet.c] remove unused - markus@cvs.openbsd.org 2000/10/13 12:34:46 [sshd.c] Kludge for F-Secure Macintosh < 1.0.2; appro@fy.chalmers.se - markus@cvs.openbsd.org 2000/10/13 12:59:15 [cipher.c cipher.h myproposal.h rijndael.c rijndael.h] rijndael/aes support - markus@cvs.openbsd.org 2000/10/13 13:10:54 [sshd.8] more info about -V - markus@cvs.openbsd.org 2000/10/13 13:12:02 [myproposal.h] prefer no compression 2000-10-14 09:23:11 +04:00			`#KbdInteractiveAuthentication yes`
Initial revision 1999-10-27 07:42:43 +04:00
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 15:13:36 +03:00			`# To change Kerberos options`
Initial revision 1999-10-27 07:42:43 +04:00			`#KerberosAuthentication no`
			`#KerberosOrLocalPasswd yes`
			`#AFSTokenPassing no`
			`#KerberosTicketCleanup no`
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 15:13:36 +03:00
Initial revision 1999-10-27 07:42:43 +04:00			`# Kerberos TGT Passing does only work with the AFS kaserver`
			`#KerberosTgtPassing yes`
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 15:13:36 +03:00
			`CheckMail no`
- (djm) Periodically rekey arc4random - (djm) Clean up diff against OpenBSD. 2000-08-30 02:40:09 +04:00			`#UseLogin no`
- OpenBSD CVS updates: - deraadt@cvs.openbsd.org 2000/06/17 09:58:46 [channels.c] everyone says "nix it" (remove protocol 2 debugging message) - markus@cvs.openbsd.org 2000/06/17 13:24:34 [sshconnect.c] allow extended server banners - markus@cvs.openbsd.org 2000/06/17 14:30:10 [sshconnect.c] missing atomicio, typo - jakob@cvs.openbsd.org 2000/06/17 16:52:34 [servconf.c servconf.h session.c sshd.8 sshd_config] add support for ssh v2 subsystems. ok markus@. - deraadt@cvs.openbsd.org 2000/06/17 18:57:48 [readconf.c servconf.c] include = in WHITESPACE; markus ok - markus@cvs.openbsd.org 2000/06/17 19:09:10 [auth2.c] implement bug compatibility with ssh-2.0.13 pubkey, server side - markus@cvs.openbsd.org 2000/06/17 21:00:28 [compat.c] initial support for ssh.com's 2.2.0 - markus@cvs.openbsd.org 2000/06/17 21:16:09 [scp.c] typo - markus@cvs.openbsd.org 2000/06/17 22:05:02 [auth-rsa.c auth2.c serverloop.c session.c auth-options.c auth-options.h] split auth-rsa option parsing into auth-options add options support to authorized_keys2 - markus@cvs.openbsd.org 2000/06/17 22:42:54 [session.c] typo 2000-06-18 08:50:44 +04:00
20000905 - (djm) Import OpenBSD CVS changes - markus@cvs.openbsd.org 2000/08/31 15:52:24 [Makefile sshd.8 sshd_config sftp-server.8 sftp-server.c] implement a SFTP server. interops with sftp2, scp2 and the windows client from ssh.com - markus@cvs.openbsd.org 2000/08/31 15:56:03 [README.openssh2] sync - markus@cvs.openbsd.org 2000/08/31 16:05:42 [session.c] Wall - markus@cvs.openbsd.org 2000/08/31 16:09:34 [authfd.c ssh-agent.c] add a flag to SSH2_AGENTC_SIGN_REQUEST for future extensions - deraadt@cvs.openbsd.org 2000/09/01 09:25:13 [scp.1 scp.c] cleanup and fix -S support; stevesk@sweden.hp.com - markus@cvs.openbsd.org 2000/09/01 16:29:32 [sftp-server.c] portability fixes - markus@cvs.openbsd.org 2000/09/01 16:32:41 [sftp-server.c] fix cast; mouring@pconline.com - itojun@cvs.openbsd.org 2000/09/03 09:23:28 [ssh-add.1 ssh.1] add missing .El against .Bl. - markus@cvs.openbsd.org 2000/09/04 13:03:41 [session.c] missing close; ok theo - markus@cvs.openbsd.org 2000/09/04 13:07:21 [session.c] fix get_last_login_time order; from andre@van-veen.de - markus@cvs.openbsd.org 2000/09/04 13:10:09 [sftp-server.c] more cast fixes; from mouring@pconline.com - markus@cvs.openbsd.org 2000/09/04 13:06:04 [session.c] set SSH_ORIGINAL_COMMAND; from Leakin@dfw.nostrum.com, bet@rahul.net - (djm) Cleanup after import. Fix sftp-server compilation, Makefile 2000-09-05 06:34:53 +04:00			`# Uncomment if you want to enable sftp`
			`#Subsystem sftp /usr/libexec/sftp-server`
- (djm) OpenBSD CVS changes: - markus@cvs.openbsd.org 2000/07/22 03:14:37 [servconf.c servconf.h sshd.8 sshd.c sshd_config] random early drop; ok theo, niels - deraadt@cvs.openbsd.org 2000/07/26 11:46:51 [ssh.1] typo - deraadt@cvs.openbsd.org 2000/08/01 11:46:11 [sshd.8] many fixes from pepper@mail.reppep.com - provos@cvs.openbsd.org 2000/08/01 13:01:42 [Makefile.in util.c aux.c] rename aux.c to util.c to help with cygwin port - deraadt@cvs.openbsd.org 2000/08/02 00:23:31 [authfd.c] correct sun_len; Alexander@Leidinger.net - provos@cvs.openbsd.org 2000/08/02 10:27:17 [readconf.c sshd.8] disable kerberos authentication by default - provos@cvs.openbsd.org 2000/08/02 11:27:05 [sshd.8 readconf.c auth-krb4.c] disallow kerberos authentication if we can't verify the TGT; from dugsong@ kerberos authentication is on by default only if you have a srvtab. - markus@cvs.openbsd.org 2000/08/04 14:30:07 [auth.c] unused - markus@cvs.openbsd.org 2000/08/04 14:30:35 [sshd_config] MaxStartups - markus@cvs.openbsd.org 2000/08/15 13:20:46 [authfd.c] cleanup; ok niels@ - markus@cvs.openbsd.org 2000/08/17 14:05:10 [session.c] cleanup login(1)-like jobs, no duplicate utmp entries - markus@cvs.openbsd.org 2000/08/17 14:06:34 [session.c sshd.8 sshd.c] sshd -u len, similar to telnetd 2000-08-18 07:59:06 +04:00			`#MaxStartups 10:30:60`