From 532a1460b7ebe540c81a7d619cde2e0ecfb7b9ab Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin
Date: Sat, 31 Dec 2016 16:55:11 +0000
Subject: net-misc/openssh: Add default /etc/ssh/ssh{,d}_config
---
 .../net-misc/openssh/etc/ssh/ssh_config | 25 +++++
 .../net-misc/openssh/etc/ssh/sshd_config | 111 +++++++++++++++++++++
 2 files changed, 136 insertions(+)
 create mode 100644 factory-default/net-misc/openssh/etc/ssh/ssh_config
 create mode 100644 factory-default/net-misc/openssh/etc/ssh/sshd_config
(limited to 'factory-default')
diff --git a/factory-default/net-misc/openssh/etc/ssh/ssh_config b/factory-default/net-misc/openssh/etc/ssh/ssh_config
new file mode 100644
index 00000000..b3715be2
--- /dev/null
+++ b/factory-default/net-misc/openssh/etc/ssh/ssh_config
@@ -0,0 +1,25 @@
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Host *
+ # Do not forward authentication agent to the remote machine
+ ForwardAgent no
+ # Do not forward X11 connections over the secure channel
+ ForwardX11 no
+ # Hash host names and addresses when they are added to
+ # ~/.ssh/known_hosts
+ HashKnownHosts yes
diff --git a/factory-default/net-misc/openssh/etc/ssh/sshd_config b/factory-default/net-misc/openssh/etc/ssh/sshd_config
new file mode 100644
index 00000000..a9e0f02b
--- /dev/null
+++ b/factory-default/net-misc/openssh/etc/ssh/sshd_config 
@@ -0,0 +1,111 @@
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# Enforce SSH version 2 only
+Protocol 2
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Facility code that is used when logging messages
+SyslogFacility AUTH
+
+# Verbosity level that is used when logging messages
+LogLevel INFO
+
+# Disconnects after this time if the user has not successfully logged in
+LoginGraceTime 5s
+
+# Disable root login
+PermitRootLogin no
+
+# Check file modes and ownership of the user's files and home directory
+# before accepting login
+StrictModes yes
+
+# Public key authentication is allowed
+PubkeyAuthentication yes
+AuthorizedKeysFile /etc/ssh/authorized_keys/%u %h/.ssh/authorized_keys
+
+# Disable rhosts
+HostbasedAuthentication no
+IgnoreRhosts yes
+
+# Enable Pluggable Authentication Module interface
+UsePAM yes
+
+# Disable clear text password authentication
+PasswordAuthentication no
+
+# Disable login to accounts with empty password strings
+PermitEmptyPasswords no
+
+# Disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Deny ssh-agent(1) forwarding
+AllowAgentForwarding no
+
+# Deny TCP forwarding
+AllowTcpForwarding no
+
+# Deny remote hosts to connect to ports forwarded for the client
+GatewayPorts no
+
+# Disable X11 forwarding
+X11Forwarding no
+
+# login(1) is never used for remote command execution
+UseLogin no
+
+# Separates privileges by creating an unprivileged child process to deal
+# with incoming network traffic
+UsePrivilegeSeparation sandbox
+
+# Do not process ~/.ssh/environment and environment= options in
+# ~/.ssh/authorized_keys
+PermitUserEnvironment no
+
+# Send TCP keepalive messages to the other side
+TCPKeepAlive yes
+
+# Send a message through the encrypted channel to request a response
+# from the client
+ClientAliveInterval 15
+ClientAliveCountMax 3
+
+# Do not look up the remote host name and that the resolved host name
+# for the remote IP address maps back to the very same IP address
+UseDNS no
+
+# Do not allow tun(4) device forwarding
+PermitTunnel no
+
+# Do not send a banner to the remote user before authentication
+Banner none
+
+# Do not print /etc/motd when a user logs in interactively
+PrintMotd no
+
+# Do not print the date and time of the last user login when a user logs
+# in interactively
+PrintLastLog no
+
+Subsystem sftp sftp-internal -f user -l verbose
+
+# Allow members of group wheel to log in
+AllowGroups wheel
+
+Match User root
+ # Do not allow password authentication
+ PasswordAuthentication no
+
+Match Group wheel
+ # Allow TCP forwarding
+ AllowTcpForwarding yes
-- 
cgit v1.2.3
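Review bot: The SFTP subsystem line names a program that does not exist: OpenSSH's in-process SFTP server is spelled `internal-sftp`, so `Subsystem sftp sftp-internal -f user -l verbose` is treated as an external command called `sftp-internal` and every SFTP session request will fail instead of getting the logging options intended here; it should read `Subsystem sftp internal-sftp -f user -l verbose`. `Protocol 2`, `UseLogin no` and `UsePrivilegeSeparation sandbox` are legacy directives that later OpenSSH releases have deprecated or removed, so this file should be validated with `sshd -t` against the packaged OpenSSH version to catch startup warnings or a refusal to start. `LoginGraceTime 5s` is aggressive enough to reject legitimate logins on slow links or when a hardware token needs a touch before the signature is produced, so confirm the value is intended rather than a leftover from testing. The `Match User root` block is redundant with the global `PermitRootLogin no` and `PasswordAuthentication no`; either drop it or add a comment explaining why it is kept as a belt-and-braces setting.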