1 | m4_divert(-1) ### -*-m4-*- |
2 | ### SSH server configuration skeleton. | |
3 | ### | |
4 | ### This file is maintained on ibanez: edit it there and run `update-slaves'. | |
5 | ||
6 | ### Diversion map. | |
7 | ### | |
8 | ### 10 general networking | |
9 | ### 20 host keys and certificates | |
10 | ### 30 local system configuration | |
11 | ### 40 authentication | |
12 | ### 50 permitted user environment | |
13 | ### 60 subsystems | |
### 90 match blocks (95: trusted-network block; 99: trailer; 0 and 100
###    hold the do-not-edit banners)
15 | ||
16 | ###-------------------------------------------------------------------------- | |
17 | ### Do-not-edit banners. | |
18 | ||
## Diversions are flushed in numeric order when m4 reaches end of input, so
## diversion 0 is the head of the generated file and 100 (nothing below
## uses a higher number) is its tail.  Both just carry a banner telling
## people to edit sshd_config.m4 rather than the output.
m4_divert(0)m4_dnl
### -*-conf-*- GENERATED FROM sshd_config.m4: DO NOT EDIT!
###
### SSH server configuration.

m4_divert(100)m4_dnl
### GENERATED FROM sshd_config.m4: DO NOT EDIT!
m4_divert(-1)
27 | ||
28 | ###-------------------------------------------------------------------------- | |
29 | ### M4 machinery. | |
30 | ||
## Use [ and ] as the quote characters from here on; the default ` and '
## would be awkward in a file this full of English prose.
m4_changequote([, ])
## nl: a literal newline.  m4_esyscmd leaves the trailing newline on a
## command's output, so comparisons against that output append nl (see the
## uname test in the authentication section).
m4_define([nl], [
])
34 | ||
## FOREACH(what, list)
##
## The LIST is a comma-separated list of things, like an m4 argument list.
## For each item in the list, expand WHAT as if it were the body of a macro
## with the list item as its arguments.  In other words, the list item itself
## can be a list of comma-separated items, which are available as $1, $2, ...,
## within WHAT.
##
## How it works.  _FOREACH walks its argument list one item at a time: it
## expands the temporary macro _foreach_func on its first argument and,
## unless that was the last one ($# is 1), recurses on the remainder via
## m4_shift.  The empty quoted string [] between the two calls is the usual
## m4 idiom to stop the rescanner joining the end of one expansion onto the
## name of the next macro.  FOREACH itself only installs WHAT as
## _foreach_func for the duration of the walk; pushdef/popdef rather than
## define/undefine means a WHAT which itself calls FOREACH should get its
## own binding and hand the outer one back afterwards.
##
## Note that m4 counts the call _FOREACH() as having one (empty) argument,
## so an empty LIST still produces one expansion of WHAT with empty
## arguments rather than none.  Callers below never pass an empty list.
m4_define([_FOREACH], [m4_dnl
m4_ifelse([$#], [1], [_foreach_func($1)],
[_foreach_func($1)[]_FOREACH(m4_shift($@))])])
m4_define([FOREACH], [m4_dnl
m4_pushdef([_foreach_func], [$1])m4_dnl
_FOREACH($2)[]m4_dnl
m4_popdef([_foreach_func])])
49 | ||
## KEYTYPE(type)
##
## Declare a host key of type TYPE (rsa, dsa, ...) by emitting a HostKey line
## for /etc/ssh/ssh_host_TYPE_key and a HostCertificate line for the matching
## -cert.pub file.  The file names follow ssh-keygen's defaults, so keep them
## in step if the key files are ever renamed.  The certificate must have been
## issued for exactly that private key; this macro always declares one, so
## on a host that has no certificate for some key type expect sshd to log a
## "could not load host certificate" style error at startup (it should carry
## on with the plain key -- confirm on the target version).
m4_define([KEYTYPE], [m4_dnl
HostKey /etc/ssh/ssh_host_$1_key
HostCertificate /etc/ssh/ssh_host_$1_key-cert.pub])
57 | ||
58 | ###-------------------------------------------------------------------------- | |
59 | ### Meta-configuration. | |
60 | ||
## Ports to listen on, as a comma-separated m4 list, e.g. [22, 2222].  Each
## entry becomes its own Port line in the network section.  This is defined
## before the local override file is included, so a host can redefine it
## there with another m4_define([PORTS], ...).
m4_define([PORTS], [22])
63 | ||
###--------------------------------------------------------------------------
### Include any local overrides.

## The override file is read now: after the macros and defaults above and
## before any of the diverted output below, so it can redefine PORTS (or
## any other macro) and can also emit directives straight into a diversion.
## m4_sinclude silently ignores a missing file.  Whatever it does contain is
## run through m4 at generation time -- m4_esyscmd included -- so it must be
## root-owned and no more writable than sshd_config itself.  The trailing
## m4_divert(-1) puts the diversion back to "discard" in case the override
## file left it pointing somewhere else.
m4_sinclude([/etc/ssh/sshd_config.local.m4])m4_divert(-1)
68 | ||
m4_divert(10)m4_dnl
###--------------------------------------------------------------------------
### General network matters.

## Listening port(s): one Port line per entry of PORTS.  Don't set an
## address here: sshd listens on INADDR_ANY by default, and this is good; it
## also lets a host-specific file override it for special effects (e.g., if
## covering for another server).
FOREACH([Port $1
], [PORTS])m4_dnl

## Protocol version.  Never offer protocol 1.  (Newer OpenSSH releases only
## speak version 2 and ignore or warn about this option; it is kept for the
## benefit of older hosts.)
Protocol 2

## Don't use TCP keepalives: they break connections for no especially good
## reason.  Users can use protocol-level keepalives to keep NAT in line;
## attackers can use other protocols to chew up TCP connections.
TCPKeepAlive no

## On the other hand, suppose that a client opens a number of SSH sessions
## and then crashes.  If there's no output from the server side, the server
## will never notice that these connections are dead, so they'll consume
## process slots and (worse) ptys forever.  We could fix this by turning
## TCP-level keepalives on, but they fire too rapidly in the case where the
## client is suspended or off-net for a while.  Instead, get the server to
## send application-level keepalives after 36 hours.  The count max isn't
## relevant because the TCP session will break before a second keepalive
## is sent, if the client really is unresponsive: the unanswered keepalive
## write sits in retransmission until the kernel gives up on the socket,
## which typically takes minutes, not another 36 hours.
ClientAliveInterval 129600

## Be relatively generous about authenticating connections.  Allow 10
## concurrent unauthenticated connections; beyond that start randomly
## rejecting new ones (1% at first, rising linearly) until we top out at
## 60, after which everything is refused.  Note this is the only
## brute-force throttle in this file: MaxAuthTries is raised below, so
## password guessing against the trusted-network block needs rate limiting
## elsewhere (packet filter, fail2ban or similar).
MaxStartups 10:1:60

## Allow heavy multiplexing.  It's the users' fault if they overload the
## connection.
MaxSessions 64
106 | ||
m4_divert(20)m4_dnl
###--------------------------------------------------------------------------
### Host keys and certificates.

## We strongly prefer RSA keys.  OpenSSH hasn't yet caught up with FIPS 186-3
## and larger DSA keys, but allow it anyway for the sake of compatibility.
## Later versions allow elliptic curves which is an improvement but not one
## we can rely on yet.
##
## Caveat: ssh-dss is limited to 1024-bit keys, OpenSSH clients have refused
## it by default since 7.0, and recent releases have been removing DSA
## support altogether.  On such a server the dsa line is dead weight (expect
## a key-load error in the log) and it offers nothing to any modern client;
## drop it once no protocol-1-era client needs it.  Each KEYTYPE also
## declares a certificate, which only helps clients that trust the signing
## CA in their known_hosts; others fall back to the plain key.
KEYTYPE(rsa)
KEYTYPE(dsa)
117 | ||
m4_divert(30)m4_dnl
###--------------------------------------------------------------------------
### Other local system configuration.

## Privilege separation doesn't seem to have any obvious downsides.  (Newer
## OpenSSH makes it mandatory and treats this option as deprecated; it is
## kept for older hosts.)
UsePrivilegeSeparation yes

## Logging: AUTH facility at INFO, which records each accepted login.
## LogLevel VERBOSE is worth considering if the volume is acceptable: it
## also records every key a client offers, which helps attribute a login to
## a specific key during incident response.
SyslogFacility AUTH
LogLevel INFO

## Don't be picky about file modes.
##
## SECURITY: with StrictModes off, sshd will honour an authorized_keys file,
## a ~/.ssh directory or a home directory that is group- or world-writable,
## so anyone who can write to them can grant themselves a login as that
## user -- root included, since root logins are permitted from the trusted
## network below -- and, with PermitUserEnvironment on, code execution via
## ~/.ssh/environment.  The default `StrictModes yes' refuses such files.
## Unless there is a known reason for lax modes on these hosts (shared or
## NFS-mounted home directories, say), this should read `StrictModes yes'.
StrictModes no
131 | ||
m4_divert(40)m4_dnl
###--------------------------------------------------------------------------
### Authentication.

## Permitted kinds of authentication.  Cryptographic authentication has
## always been good; passwords are awful but unfortunately necessary.  Don't
## try to do the bizarre cryptographically-reinforced host-based
## authentication: it's just more painful than necessary.  Permit Kerberos
## authentication via GSS, including key exchange.  If hosts need to be
## revoked then that can be done centrally at the KDC: if anything, it's
## even easier than the signature-based scheme.
##
## (RSAAuthentication and RhostsRSAAuthentication are protocol-1 options;
## newer OpenSSH ignores or warns about them.  The two GSSAPI lines are
## commented out, so, despite the paragraph above, Kerberos is NOT actually
## enabled by this file.)
RSAAuthentication yes
PubkeyAuthentication yes
##GSSAPIAuthentication yes
##GSSAPIKeyExchange yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

## Password configuration.  Turn off PAM challenge/response authentication
## (somewhat sadly) because it can override some of our other policy
## settings.  Don't actually allow passwords here: we'll allow them from
## trusted hosts later.  UsePAM stays on (except on OpenBSD, which has no
## PAM) so that PAM account and session modules still run for key-based
## logins; with both PasswordAuthentication and
## ChallengeResponseAuthentication off, PAM's auth modules are not consulted
## at all outside the trusted-network Match block.
PasswordAuthentication no
LoginGraceTime 120
PermitEmptyPasswords no
ChallengeResponseAuthentication no
## uname's output carries a trailing newline, hence the [OpenBSD]nl form.
## On OpenBSD the whole line (newline included) vanishes via m4_dnl.
m4_ifelse(m4_esyscmd([uname]), [OpenBSD]nl, [m4_dnl], [UsePAM yes])

## Don't allow root in here.  We can override this setting in a per-host
## match later.
PermitRootLogin no

## Authentication attempts.  Users get little control over this if they have
## a lot of private keys lying around, so be generous.  (Every key the
## client offers and sshd rejects counts as an attempt.  The same cap
## applies to password guesses, so where passwords are enabled the
## throttling comes from MaxStartups and external rate limiting, not from
## here.)
MaxAuthTries 16
168 | ||
m4_divert(50)m4_dnl
###--------------------------------------------------------------------------
### Permitted user environment.

## Allow users to set environment variables in their local configuration
## files (~/.ssh/environment and environment= options in authorized_keys).
## They're already on this side of the airtight hatchway.
##
## SECURITY: that is only true of unrestricted accounts.  The sshd_config
## manual warns that environment processing lets users bypass access
## restrictions such as ForceCommand and command= keys through mechanisms
## like LD_PRELOAD, so any host that hands out restricted or forced-command
## keys (backup, deploy or git-only accounts) should leave this at its
## default of `no', or confine it to a Match block.  It also makes a
## writable ~/.ssh/environment a code-execution path -- see the StrictModes
## note above.
PermitUserEnvironment yes

## X and agent forwarding are allowed (but users should be careful not to
## forward me things I shouldn't be allowed to mess with).  A forwarded
## agent is usable by root on this host for as long as the session lasts.
AllowAgentForwarding yes
X11Forwarding yes
X11DisplayOffset 10

## Port forwarding is OK.  `clientspecified' lets the client pick the bind
## address of remote (-R) forwards, including the wildcard address, so a
## user can expose a forwarded port to the whole network rather than just
## to this host; the default `no' pins remote forwards to loopback.
AllowTcpForwarding yes
GatewayPorts clientspecified

## Don't print a message-of-the-day (PAM has probably already done it).
PrintMotd no

## Do print last-login information.
PrintLastLog yes

## Environment variables.  Accept locale-related things and time-zone
## selection.  (Largely moot while PermitUserEnvironment is on, since users
## can then set anything at all; it keeps the list meaningful should that be
## turned off.)
AcceptEnv LANG LC_* TZ
196 | ||
m4_divert(60)m4_dnl
###--------------------------------------------------------------------------
### SSH subsystem configuration.

## SFTP.  This is the Debian-style location of the OpenSSH helper.  Unlike
## UsePAM above it is not switched on uname, so on OpenBSD (where the helper
## lives under /usr/libexec) it needs a local override -- or use the
## portable `internal-sftp', which needs no external binary at all and is
## what a chrooted Match block would want anyway.
Subsystem sftp /usr/lib/openssh/sftp-server
## Kermit.  Probe the filesystem at generation time for a kermit-sshsub
## binary (first hit wins, /usr/local/bin before /usr/bin) and declare the
## subsystem only if one is found.  The probe runs on whichever host runs
## m4, so the result is only right if the config is generated on the target
## host -- the same assumption the uname test above makes.  Only root should
## be able to write either directory, so /usr/local/bin shadowing /usr/bin
## is not a concern on a sane host.
m4_define([_KERMIT_SSHSUB], m4_esyscmd([
sub=none
for i in /usr/local/bin /usr/bin; do
if test -x $i/kermit-sshsub; then sub=$i/kermit-sshsub; break; fi
done
printf "%s" $sub]))m4_dnl
m4_ifelse(_KERMIT_SSHSUB, [none], [], [m4_dnl
Subsystem kermit _KERMIT_SSHSUB
])m4_dnl
212 | ||
m4_divert(90)m4_dnl
###--------------------------------------------------------------------------
### Specific match blocks.

m4_divert(95)m4_dnl
## Allow root logins from within the trusted network.  This is needed to let
## ibanez do its administration thang.
##
## Scope: everything in this block applies to every user connecting from
## these prefixes, not only root.  Root stays key-only (without-password is
## the older spelling of prohibit-password; both are accepted), so the
## PasswordAuthentication line opens password logins for ordinary users
## from the trusted ranges only.  Address matching trusts the connection's
## source address, so a compromised host inside any of these prefixes gets
## to guess passwords at up to MaxAuthTries per connection; keep the list
## tight, and note that two of the IPv4 ranges are public address space.
## The m4_dnl ending the first two lines joins the three physical lines into
## the single comma-separated Address argument sshd expects.
Match Address 62.49.204.144/28,212.13.198.64/28,172.29.199.0/24,m4_dnl
2001:470:1f09:1b98::/64,2001:470:9740::/49,m4_dnl
2001:ba8:0:1d9::/64,2001:ba8:1d9::/49
PermitRootLogin without-password
PasswordAuthentication yes
225 | ||
226 | m4_divert(99)m4_dnl | |
227 | ###------ That's all, folks -------------------------------------------------- |