1 m4_divert(-1) ### -*-m4-*-
2 ### SSH server configuration skeleton.
4 ### This file is maintained on ibanez: edit it there and run `update-slaves'.
8 ### 10 general networking
9 ### 20 host keys and certificates
10 ### 30 local system configuration
12 ### 50 permitted user environment
16 ###--------------------------------------------------------------------------
17 ### Do-not-edit banners.
20 ### -*-conf-*- GENERATED FROM sshd_config.m4: DO NOT EDIT!
22 ### SSH server configuration.
25 ### GENERATED FROM sshd_config.m4: NO NOT EDIT!
28 ###--------------------------------------------------------------------------
35 ## FOREACH(what, list)
37 ## The LIST is a comma-separated list of things, like an m4 argument list.
38 ## For each item in the list, expand WHAT as if it's the body of a macro with
39 ## the list item as its arguments. In other words, the list item itself can
40 ## be a list of comma-separated items, which are available as $1, $2, ...,
42 m4_define([_FOREACH], [m4_dnl
43 m4_ifelse([$#], [1], [_foreach_func($1)],
44 [_foreach_func($1)[]_FOREACH(m4_shift($@))])])
45 m4_define([FOREACH], [m4_dnl
46 m4_pushdef([_foreach_func], [$1])m4_dnl
48 m4_popdef([_foreach_func])])
52 ## Declare a key type TYPE. This sets a server key and selects a
54 m4_define([KEYTYPE], [m4_dnl
55 HostKey /etc/ssh/ssh_host_$1_key
56 HostCertificate /etc/ssh/ssh_host_$1_key-cert.pub])
58 ###--------------------------------------------------------------------------
59 ### Meta-configuration.
61 ## Ports to listen on.
62 m4_define([PORTS], [22])
64 ###--------------------------------------------------------------------------
65 ### Include any local overides.
67 m4_sinclude([/etc/ssh/sshd_config.local.m4])m4_divert(-1)
70 ###--------------------------------------------------------------------------
71 ### General network matters.
73 ## Listening port. Don't set an address here: sshd listens on INADDR_ANY by
74 ## default, and this is good; it also lets a host-specific file override it
75 ## for special effects (e.g., if covering for another server).
82 ## Don't use TCP keepalives: they break connections for no especially good
83 ## reason. Users can use protocol-level keepalives to keep NAT in line;
84 ## attackers can use other protocols to chew up TCP connections.
87 ## On the other hand, suppose that a client opens a number of SSH sessions
88 ## and then crashes. If there's no output from the server side, the server
89 ## will never notice that these connections are dead, so they'll consume
90 ## process slots and (worse) ptys forever. We could fix this by turning
91 ## TCP-level keepalives on, but they fire too rapidly in the case where the
92 ## client is suspended or off-net for a while. Instead, get the server to
93 ## send application-level keepalives after 36 hours. The count max isn't
94 ## relevant because the TCP session will break before a second keepalive
95 ## is sent, if the client really is unresponsive.
96 ClientAliveInterval 129600
98 ## Be relatively generous about authenticating connections. Allow 10
99 ## concurrent connections, and start randomly rejecting connections until we
103 ## Allow heavy multiplexing. It's the users' fault if they overload the
108 ###--------------------------------------------------------------------------
109 ### Host keys and certificates.
111 ## We strongly prefer RSA keys. OpenSSH hasn't yet caught up with FIPS186--3
112 ## and larger DSA keys, but allow it anyway for the sake of compatibility.
113 ## Later versions allow elliptic curves which is an improvement but not one
114 ## we can rely on yet.
119 ###--------------------------------------------------------------------------
120 ### Other local system configuration.
122 ## Privilege separation doesn't seem to have any obvious downsides.
123 UsePrivilegeSeparation yes
129 ## Don't be picky about file modes.
133 ###--------------------------------------------------------------------------
136 ## Permitted kinds of authentication. Cryptographic authentication has
137 ## always been good; passwords are awful but unfortunately necessary. Don't
138 ## try to do the bizarre cryptographically-reinforced host-based
139 ## authentication: it's just more painful than necessary. Permit Kerberos
140 ## authentication via GSS, including key exchange. If hosts need to be
141 ## revoked then that can be done centrally at the KDC: if anything, it's
142 ## even easier than the signature-based scheme.
143 RSAAuthentication yes
144 PubkeyAuthentication yes
145 ##GSSAPIAuthentication yes
146 ##GSSAPIKeyExchange yes
148 RhostsRSAAuthentication no
149 HostbasedAuthentication no
151 ## Password configuration. Turn off PAM challenge/response authentication
152 ## (somewhat sadly) because it can override some of our other policy
153 ## settings. Don't actually allow passwords here: we'll allow them from
154 ## trusted hosts later.
155 PasswordAuthentication no
157 PermitEmptyPasswords no
158 ChallengeResponseAuthentication no
159 m4_ifelse(m4_esyscmd([uname]), [OpenBSD]nl, [m4_dnl], [UsePAM yes])
161 ## Don't allow root in here. We can override this setting in a per-host
165 ## Authentication attempts. Users get little control over this if they have
166 ## a lot of private keys lying around, so be generous.
170 ###--------------------------------------------------------------------------
171 ### Permitted user environment.
173 ## Allow users to set environment variables in their local configuration
174 ## files. They're already on this side of the airtight hatchway.
175 PermitUserEnvironment yes
177 ## X and agent forwarding are allowed (but users should be careful not to
178 ## forward me things I shouldn't be allowed to mess with).
179 AllowAgentForwarding yes
183 ## Port forwarding is OK.
184 AllowTcpForwarding yes
185 GatewayPorts clientspecified
187 ## Don't print a message-of-the-day (PAM has probably already done it).
190 ## Do print last-login information.
193 ## Environment variables. Accept locale-related things and time-zone
195 AcceptEnv LANG LC_* TZ
198 ###--------------------------------------------------------------------------
199 ### SSH subsystem configuration.
202 Subsystem sftp /usr/lib/openssh/sftp-server
203 m4_define([_KERMIT_SSHSUB], m4_esyscmd([
205 for i in /usr/local/bin /usr/bin; do
206 if test -x $i/kermit-sshsub; then sub=$i/kermit-sshsub; break; fi
208 printf "%s" $sub]))m4_dnl
209 m4_ifelse(_KERMIT_SSHSUB, [none], [], [m4_dnl
210 Subsystem kermit _KERMIT_SSHSUB
214 ###--------------------------------------------------------------------------
215 ### Specific match blocks.
218 ## Allow root logins from within the trusted network. This is needed to let
219 ## ibanez do its administration thang.
220 Match Address 62.49.204.144/28,212.13.198.64/28,172.29.199.0/24,m4_dnl
221 2001:470:1f09:1b98::/64,2001:470:9740::/49,m4_dnl
222 2001:ba8:0:1d9::/64,2001:ba8:1d9::/49
223 PermitRootLogin without-password
224 PasswordAuthentication yes
227 ###------ That's all, folks --------------------------------------------------