diff options
| author | Xiao Pan <gky44px1999@gmail.com> | 2023-10-25 06:45:08 +0000 |
|---|---|---|
| committer | Xiao Pan <gky44px1999@gmail.com> | 2023-10-25 06:45:08 +0000 |
| commit | e4db0b25bf6540386e737594a47cb92a83c0cbea (patch) | |
| tree | 70f85967663aa539fabe40e40803fa638acfae00 /etc/ssh | |
| parent | 12bda1ac3390f2d16a401d895faf0ef2418f874c (diff) | |
update
Diffstat (limited to 'etc/ssh')
| -rw-r--r-- | etc/ssh/sshd_config | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config index ad7e1f20..1438778c 100644 --- a/etc/ssh/sshd_config +++ b/etc/ssh/sshd_config @@ -1,4 +1,15 @@ -# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ +# `man sshd_config` says "for each keyword, the first obtained value will be used". So I decided to put my configs before all others to override them all. +# Based on manpage, setting PasswordAuthentication no, and Arch Linux default KbdInteractiveAuthentication no, with other defaults seems already equivalent to AuthenticationMethods publickey, but I still put it here for redundancy. +# https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication +AuthenticationMethods publickey +PermitRootLogin no +PasswordAuthentication no +# KbdInteractiveAuthentication no and UsePAM yes are Arch Linux default settings see /etc/ssh/sshd_config.d/00-archlinux.conf, I need these configs, I put them here just in case Arch Linux change the defaults in the future. +KbdInteractiveAuthentication no +UsePAM yes + +# Include drop-in configurations +Include /etc/ssh/sshd_config.d/*.conf # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -29,7 +40,7 @@ # Authentication: #LoginGraceTime 2m -PermitRootLogin no +#PermitRootLogin prohibit-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 @@ -54,11 +65,11 @@ AuthorizedKeysFile .ssh/authorized_keys #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication no +#PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords -KbdInteractiveAuthentication no +#KbdInteractiveAuthentication yes # Kerberos options #KerberosAuthentication no @@ -75,11 +86,11 @@ KbdInteractiveAuthentication no # be allowed through the KbdInteractiveAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via KbdInteractiveAuthentication may bypass -# the setting of "PermitRootLogin without-password". +# the setting of "PermitRootLogin prohibit-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and KbdInteractiveAuthentication to 'no'. -UsePAM yes +#UsePAM no #AllowAgentForwarding yes #AllowTcpForwarding yes @@ -88,7 +99,7 @@ UsePAM yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes -PrintMotd no # pam does that +#PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #PermitUserEnvironment no |