Diffstat (limited to 'factory-default')
-rw-r--r--factory-default/net-misc/openssh/etc/ssh/ssh_config25
-rw-r--r--factory-default/net-misc/openssh/etc/ssh/sshd_config111
2 files changed, 136 insertions, 0 deletions
diff --git a/factory-default/net-misc/openssh/etc/ssh/ssh_config b/factory-default/net-misc/openssh/etc/ssh/ssh_config
new file mode 100644
index 00000000..b3715be2
--- /dev/null
+++ b/factory-default/net-misc/openssh/etc/ssh/ssh_config
@@ -0,0 +1,25 @@
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Host *
+ # Do not forward authentication agent to the remote machine
+ ForwardAgent no
+ # Do not forward X11 connections over the secure channel
+ ForwardX11 no
+ # Hash host names and addresses when they are added to
+ # ~/.ssh/known_hosts
+ HashKnownHosts yes
diff --git a/factory-default/net-misc/openssh/etc/ssh/sshd_config b/factory-default/net-misc/openssh/etc/ssh/sshd_config
new file mode 100644
index 00000000..a9e0f02b
--- /dev/null
+++ b/factory-default/net-misc/openssh/etc/ssh/sshd_config
@@ -0,0 +1,111 @@
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# Enforce SSH version 2 only
+Protocol 2
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Facility code that is used when logging messages
+SyslogFacility AUTH
+
+# Verbosity level that is used when logging messages
+LogLevel INFO
+
+# Disconnects after this time if the user has not successfully logged in
+LoginGraceTime 5s
+
+# Disable root login
+PermitRootLogin no
+
+# Check file modes and ownership of the user's files and home directory
+# before accepting login
+StrictModes yes
+
+# Public key authentication is allowed
+PubkeyAuthentication yes
+AuthorizedKeysFile /etc/ssh/authorized_keys/%u %h/.ssh/authorized_keys
+
+# Disable rhosts
+HostbasedAuthentication no
+IgnoreRhosts yes
+
+# Enable Pluggable Authentication Module interface
+UsePAM yes
+
+# Disable clear text password authentication
+PasswordAuthentication no
+
+# Disable login to accounts with empty password strings
+PermitEmptyPasswords no
+
+# Disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Deny ssh-agent(1) forwarding
+AllowAgentForwarding no
+
+# Deny TCP forwarding
+AllowTcpForwarding no
+
+# Deny remote hosts to connect to ports forwarded for the client
+GatewayPorts no
+
+# Disable X11 forwarding
+X11Forwarding no
+
+# login(1) is never used for remote command execution
+UseLogin no
+
+# Separates privileges by creating an unprivileged child process to deal
+# with incoming network traffic
+UsePrivilegeSeparation sandbox
+
+# Do not process ~/.ssh/environment and environment= options in
+# ~/.ssh/authorized_keys
+PermitUserEnvironment no
+
+# Send TCP keepalive messages to the other side
+TCPKeepAlive yes
+
+# Send a message through the encrypted channel to request a response
+# from the client
+ClientAliveInterval 15
+ClientAliveCountMax 3
+
+# Do not look up the remote host name and that the resolved host name
+# for the remote IP address maps back to the very same IP address
+UseDNS no
+
+# Do not allow tun(4) device forwarding
+PermitTunnel no
+
+# Do not send a banner to the remote user before authentication
+Banner none
+
+# Do not print /etc/motd when a user logs in interactively
+PrintMotd no
+
+# Do not print the date and time of the last user login when a user logs
+# in interactively
+PrintLastLog no
+
+Subsystem sftp sftp-internal -f user -l verbose
+
+# Allow members of group wheel to log in
+AllowGroups wheel
+
+Match User root
+ # Do not allow password authentication
+ PasswordAuthentication no
+
+Match Group wheel
+ # Allow TCP forwarding
+ AllowTcpForwarding yes
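Review bot: The sftp line `Subsystem sftp sftp-internal -f user -l verbose` has the in-process server keyword reversed; sshd only recognises `internal-sftp`, so as written it will attempt to run an external program named `sftp-internal` through the user's shell and SFTP sessions will fail unless such a binary happens to exist on the image. The line should read `Subsystem sftp internal-sftp -f user -l verbose`. Separately, since `AllowGroups wheel` already limits login to wheel members, the `Match Group wheel` block re-enables TCP forwarding for every account that can log in, which leaves the global `AllowTcpForwarding no` without effect — a comment saying that is the intended outcome, or dropping the global line, would make the policy readable. The `Match User root` block restating `PasswordAuthentication no` is redundant given the global `PasswordAuthentication no` and `PermitRootLogin no`. `Protocol`, `UseLogin` and `UsePrivilegeSeparation` are deprecated or ignored with a warning on recent OpenSSH releases, so the OpenSSH version this factory default targets is worth confirming in a header comment.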