From dddc62b0a988a1c85b8707418a4e374847b1870c Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Fri, 18 Aug 2023 01:34:00 -0700 Subject: update --- etc/ssh/sshd_config | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config index f66c0efd..1438778c 100644 --- a/etc/ssh/sshd_config +++ b/etc/ssh/sshd_config @@ -1,4 +1,15 @@ -# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ +# `man sshd_config` says "for each keyword, the first obtained value will be used". So I decided to put my configs before all others to override them all. +# Based on manpage, setting PasswordAuthentication no, and Arch Linux default KbdInteractiveAuthentication no, with other defaults seems already equivalent to AuthenticationMethods publickey, but I still put it here for redundancy. +# https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication +AuthenticationMethods publickey +PermitRootLogin no +PasswordAuthentication no +# KbdInteractiveAuthentication no and UsePAM yes are Arch Linux default settings see /etc/ssh/sshd_config.d/00-archlinux.conf, I need these configs, I put them here just in case Arch Linux change the defaults in the future. +KbdInteractiveAuthentication no +UsePAM yes + +# Include drop-in configurations +Include /etc/ssh/sshd_config.d/*.conf # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -29,7 +40,7 @@ # Authentication: #LoginGraceTime 2m -PermitRootLogin no +#PermitRootLogin prohibit-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 @@ -54,11 +65,11 @@ AuthorizedKeysFile .ssh/authorized_keys #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication no +#PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords -KbdInteractiveAuthentication no +#KbdInteractiveAuthentication yes # Kerberos options #KerberosAuthentication no @@ -79,7 +90,7 @@ KbdInteractiveAuthentication no # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and KbdInteractiveAuthentication to 'no'. -UsePAM yes +#UsePAM no #AllowAgentForwarding yes #AllowTcpForwarding yes @@ -88,7 +99,7 @@ UsePAM yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes -PrintMotd no +#PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #PermitUserEnvironment no @@ -114,7 +125,3 @@ Subsystem sftp /usr/lib/ssh/sftp-server # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server - -# Based on manpage, setting PasswordAuthentication no, and default KbdInteractiveAuthentication no, with other defaults seems already equivalent to AuthenticationMethods publickey, but I still put it here for redundancy. -# https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication -AuthenticationMethods publickey -- cgit v1.2.3-70-g09d2