From cdafb270130e4232cc7da7ef81a34b26bc38710c Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 2 Feb 2008 00:05:14 +0000 Subject: added Debian sshd config git-svn-id: https://svn/ipuppet/trunk/modules/sshd@728 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- templates/sshd_config/Debian_normal.erb | 87 +++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 templates/sshd_config/Debian_normal.erb diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb new file mode 100644 index 0000000..bde3a96 --- /dev/null +++ b/templates/sshd_config/Debian_normal.erb @@ -0,0 +1,87 @@ +# Package generated configuration file +# See the sshd(8) manpage for defails + +# What ports, IPs and protocols we listen for +Port 22 +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +#ListenAddress 0.0.0.0 +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +PermitRootLogin without-password +StrictModes yes + +RSAAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile %h/.ssh/authorized_keys + +# rhosts authentication should not be used +#RhostsAuthentication no +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication no +# similar for protocol version 2 +HostbasedAuthentication no +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords no + +# Uncomment to disable s/key passwords +#ChallengeResponseAuthentication no + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no + + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +X11Forwarding no +X11DisplayOffset 10 +PrintMotd no +PrintLastLog no +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +#Subsystem sftp /usr/lib/sftp-server + +UsePAM no + +HostbasedUsesNameFromPacketOnly yes +AllowTcpForwarding yes + +ChallengeResponseAuthentication no + +AllowUsers <%= allowed_users %> -- cgit v1.2.3