1# 2# Copyright 2004 Sun Microsystems, Inc. All rights reserved. 3# Use is subject to license terms. 4# 5# ident "%Z%%M% %I% %E% SMI" 6# 7# Configuration file for sshd(1m) 8 9# Protocol versions supported 10# 11# The sshd shipped in this release of Solaris has support for major versions 12# 1 and 2. It is recommended due to security weaknesses in the v1 protocol 13# that sites run only v2 if possible. Support for v1 is provided to help sites 14# with existing ssh v1 clients/servers to transition. 15# Support for v1 may not be available in a future release of Solaris. 16# 17# To enable support for v1 an RSA1 key must be created with ssh-keygen(1). 18# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they 19# do not already exist, RSA1 keys for protocol v1 are not automatically created. 20 21# Uncomment ONLY ONE of the following Protocol statements. 22 23# Only v2 (recommended) 24Protocol 2 25 26# Both v1 and v2 (not recommended) 27#Protocol 2,1 28 29# Only v1 (not recommended) 30#Protocol 1 31 32# Listen port (the IANA registered port number for ssh is 22) 33Port 22 34 35# The default listen address is all interfaces, this may need to be changed 36# if you wish to restrict the interfaces sshd listens on for a multi homed host. 37# Multiple ListenAddress entries are allowed. 38 39# IPv4 only 40#ListenAddress 0.0.0.0 41# IPv4 & IPv6 42ListenAddress :: 43 44# Port forwarding 45AllowTcpForwarding no 46 47# If port forwarding is enabled, specify if the server can bind to INADDR_ANY. 48# This allows the local port forwarding to work when connections are received 49# from any remote host. 50GatewayPorts no 51 52# X11 tunneling options 53X11Forwarding yes 54X11DisplayOffset 10 55X11UseLocalhost yes 56 57# The maximum number of concurrent unauthenticated connections to sshd. 58# start:rate:full see sshd(1) for more information. 59# The default is 10 unauthenticated clients. 60#MaxStartups 10:30:60 61 62# Banner to be printed before authentication starts. 63#Banner /etc/issue 64 65# Should sshd print the /etc/motd file and check for mail. 66# On Solaris it is assumed that the login shell will do these (eg /etc/profile). 67PrintMotd no 68 69# KeepAlive specifies whether keep alive messages are sent to the client. 70# See sshd(1) for detailed description of what this means. 71# Note that the client may also be sending keep alive messages to the server. 72KeepAlive yes 73 74# Syslog facility and level 75SyslogFacility auth 76LogLevel info 77 78# 79# Authentication configuration 80# 81 82# Host private key files 83# Must be on a local disk and readable only by the root user (root:sys 600). 84HostKey /etc/ssh/ssh_host_rsa_key 85HostKey /etc/ssh/ssh_host_dsa_key 86 87# Default Encryption algorithms and Message Authentication codes 88#Ciphers aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc 89#MACS hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96 90 91# Length of the server key 92# Default 768, Minimum 512 93ServerKeyBits 768 94 95# sshd regenerates the key every KeyRegenerationInterval seconds. 96# The key is never stored anywhere except the memory of sshd. 97# The default is 1 hour (3600 seconds). 98KeyRegenerationInterval 3600 99 100# Ensure secure permissions on users .ssh directory. 101StrictModes yes 102 103# Length of time in seconds before a client that hasn't completed 104# authentication is disconnected. 105# Default is 600 seconds. 0 means no time limit. 106LoginGraceTime 600 107 108# Maximum number of retries for authentication 109# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2 110MaxAuthTries 6 111MaxAuthTriesLog 3 112 113# Are logins to accounts with empty passwords allowed. 114# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK 115# to pam_authenticate(3PAM). 116PermitEmptyPasswords no 117 118# To disable tunneled clear text passwords, change PasswordAuthentication to no. 119PasswordAuthentication yes 120 121# Use PAM via keyboard interactive method for authentication. 122# Depending on the setup of pam.conf(4) this may allow tunneled clear text 123# passwords even when PasswordAuthentication is set to no. This is dependent 124# on what the individual modules request and is out of the control of sshd 125# or the protocol. 126PAMAuthenticationViaKBDInt yes 127 128# Are root logins permitted using sshd. 129# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user 130# maybe denied access by a PAM module regardless of this setting. 131# Valid options are yes, without-password, no. 132PermitRootLogin no 133 134# sftp subsystem 135Subsystem sftp /usr/lib/ssh/sftp-server 136 137 138# SSH protocol v1 specific options 139# 140# The following options only apply to the v1 protocol and provide 141# some form of backwards compatibility with the very weak security 142# of /usr/bin/rsh. Their use is not recommended and the functionality 143# will be removed when support for v1 protocol is removed. 144 145# Should sshd use .rhosts and .shosts for password less authentication. 146IgnoreRhosts yes 147RhostsAuthentication no 148 149# Rhosts RSA Authentication 150# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts. 151# If the user on the client side is not root then this won't work on 152# Solaris since /usr/bin/ssh is not installed setuid. 153RhostsRSAAuthentication no 154 155# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication. 156#IgnoreUserKnownHosts yes 157 158# Is pure RSA authentication allowed. 159# Default is yes 160RSAAuthentication yes 161