diff options
-rw-r--r-- | templates/sshd_config/Debian_normal.erb | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb new file mode 100644 index 0000000..bde3a96 --- /dev/null +++ b/templates/sshd_config/Debian_normal.erb @@ -0,0 +1,87 @@ +# Package generated configuration file +# See the sshd(8) manpage for defails + +# What ports, IPs and protocols we listen for +Port 22 +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +#ListenAddress 0.0.0.0 +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +PermitRootLogin without-password +StrictModes yes + +RSAAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile %h/.ssh/authorized_keys + +# rhosts authentication should not be used +#RhostsAuthentication no +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication no +# similar for protocol version 2 +HostbasedAuthentication no +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords no + +# Uncomment to disable s/key passwords +#ChallengeResponseAuthentication no + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no + + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +X11Forwarding no +X11DisplayOffset 10 +PrintMotd no +PrintLastLog no +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +#Subsystem sftp /usr/lib/sftp-server + +UsePAM no + +HostbasedUsesNameFromPacketOnly yes +AllowTcpForwarding yes + +ChallengeResponseAuthentication no + +AllowUsers <%= allowed_users %> |