Bugzilla – Attachment 2550 Details for Bug 2355: general protection / segfaults when PermitOpen=none
sshd_config
sshd_config (text/plain), 7.80 KB, created by Christoph Anton Mitterer on 2015-02-20 14:51:47 AEDT
#*******************************************************************************
#*** General ***
#*******************************************************************************
##LogLevel INFO
##SyslogFacility AUTH

##PidFile /var/run/sshd.pid

##StrictModes yes


#*******************************************************************************
#*** System Techniques ***
#*******************************************************************************
UsePrivilegeSeparation sandbox


#*******************************************************************************
#*** Networking ***
#*******************************************************************************
##AddressFamily any

##Port 22
ListenAddress localhost
ListenAddress ip6-localhost
ListenAddress foobar

TCPKeepAlive no
##IPQoS lowdelay throughput

##UseDNS yes

##MaxStartups 10:30:100
##MaxSessions 10


#*******************************************************************************
#*** Secure Shell (SSH) Protocol ***
#*******************************************************************************
Protocol 2

##VersionAddendum none
##DebianBanner yes

##Banner

Compression no

ClientAliveInterval 15
ClientAliveCountMax 8

GSSAPIKeyExchange no

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

ServerKeyBits 4096
KeyRegenerationInterval 10m
RekeyLimit default 1h


#*******************************************************************************
#*** Server Authentication ***
#*******************************************************************************
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
#Note: SSH Version 2 DSA host keys are implicitly disabled.
##HostKey /etc/ssh/ssh_host_dsa_key
#Note: SSH Version 1 RSA host keys are implicitly disabled.
##HostKey /etc/ssh/ssh_host_key
##HostKeyAgent
##HostCertificate


#*******************************************************************************
#*** Client Authentication Methods ***
#*******************************************************************************
PasswordAuthentication no
PermitEmptyPasswords no

KbdInteractiveAuthentication no

ChallengeResponseAuthentication no

RhostsRSAAuthentication no

HostbasedAuthentication no
HostbasedUsesNameFromPacketOnly no

KerberosAuthentication no
KerberosOrLocalPasswd no
##KerberosGetAFSToken no
##KerberosTicketCleanup yes

GSSAPIAuthentication no
GSSAPIStrictAcceptorCheck yes
##GSSAPIStoreCredentialsOnRekey no
##GSSAPICleanupCredentials yes

RSAAuthentication no

PubkeyAuthentication yes

IgnoreUserKnownHosts yes
IgnoreRhosts yes


#*******************************************************************************
#*** Client Authentication And Authorisation ***
#*******************************************************************************
AuthenticationMethods publickey

LoginGraceTime 60
MaxAuthTries 4

##RevokedKeys

##AuthorizedKeysCommand none
AuthorizedKeysCommandUser invalid
AuthorizedKeysFile .ssh/authorized_keys

##TrustedUserCAKeys
##AuthorizedPrincipalsFile

#Note: These directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, AllowGroups
##DenyUsers
AllowUsers root git
##DenyGroups
##AllowGroups *

PermitRootLogin without-password


#*******************************************************************************
#*** Session ***
#*******************************************************************************
UsePAM yes
##UseLogin no

##PermitTTY yes
##AllowAgentForwarding yes
##PermitUserRC yes

AcceptEnv LANG LC_ALL LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
PermitUserEnvironment no

##PrintLastLog yes
PrintMotd no

##ChrootDirectory
##ForceCommand


#*******************************************************************************
#*** Forwarding ***
#*******************************************************************************
##AllowStreamLocalForwarding yes
StreamLocalBindMask 0177
StreamLocalBindUnlink no

##AllowTcpForwarding yes
##PermitOpen any

PermitTunnel no

X11Forwarding yes
X11UseLocalhost yes
##X11DisplayOffset 10
##XAuthLocation /usr/bin/xauth

GatewayPorts no


#*******************************************************************************
#*** Subsystems ***
#*******************************************************************************
Subsystem sftp /usr/lib/openssh/sftp-server


#*******************************************************************************
#*** Conditional Directive Blocks ***
#*******************************************************************************
#for the user “git” used with Gitolite
Match User git
    #Note: Gitolite via SSH must only be used with the public key authentication method, therefore the following completely disables all others. However, the former isn’t explicitly enabled here, but rather “inherited” from the “global” configuration.
    PasswordAuthentication no
    PermitEmptyPasswords no
    KbdInteractiveAuthentication no
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    HostbasedUsesNameFromPacketOnly no
    KerberosAuthentication no
    GSSAPIAuthentication no
    RSAAuthentication no
    ###PubkeyAuthentication yes
    AuthenticationMethods publickey

    #Note: As of now, Gitolite doesn’t make use of an “authorized keys command”. It could have been “inherited” from the “global” configuration, therefore the following disables it explicitly.
    AuthorizedKeysCommand none
    AuthorizedKeysCommandUser invalid

    #Note: Gitolite always expects the authorized keys to be found at “~/.ssh/authorized_keys”. A different value could have been “inherited” from the “global” configuration, therefore the following sets it explicitly.
    AuthorizedKeysFile .ssh/authorized_keys

    #Note: The following makes sure that it is really the user “git” which is used and that it isn’t an “alias for root” (in other words: any user name having the user ID 0).
    AllowUsers git
    PermitRootLogin no

    #Note: The following restricts miscellaneous things which shouldn’t be necessary for respectively used with git or Gitolite.
    PermitTTY no
    AllowAgentForwarding no
    PermitUserRC no
    AcceptEnv LANG LC_ALL LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
    AllowStreamLocalForwarding no
    StreamLocalBindMask 0777
    StreamLocalBindUnlink no
    AllowTcpForwarding no
    PermitOpen none
    PermitTunnel no
    X11Forwarding no
    X11UseLocalhost yes
    GatewayPorts no

    #Note: The following effectively forbids SSH channel multiplexing, which might have security implications (simplified: further channels “inherit” some parameters from the initiating one) if allowed.
    MaxSessions 1

    #TODO: Consider running Gitolite from within a chroot.
    #ChrootDirectory
    #TODO: Currently, “ForceCommand” cannot be used with Gitolite, but reconsider this once it should become possible.
    #ForceCommand
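The attached configuration depends on the "Match User git" block overriding the global forwarding settings (AllowTcpForwarding, PermitOpen none, PermitTunnel, X11Forwarding and so on) for the Gitolite account. The script below is an added example, not part of the attachment or of OpenSSH: it parses a constructed, abridged copy of that config, resolves the effective value of each forwarding-related keyword per user according to the Match rules documented in sshd_config(5) (a satisfied Match block overrides the global section; among several satisfied blocks the first one to set a keyword wins), and lists which forwarding channels a given user still has. The names SAMPLE_CONFIG, DEFAULTS, HARDENED, parse, satisfied, effective and forwarding_findings are all chosen here, and only the User and Group criteria are modelled.

```python
"""Resolve the effective sshd_config for a given user, Match blocks included.

Added example: this is not code from the Bugzilla attachment or from OpenSSH.
It models two rules from sshd_config(5): keywords in a satisfied Match block
override the global section, and when several Match blocks are satisfied the
first one to set a keyword wins. Only the "User" and "Group" criteria are
implemented, patterns are approximated with fnmatch (no "!" negation), and
every keyword is treated as single-valued (real sshd accumulates list
keywords such as AllowUsers, which is why they are left out of the audit).
"""
import fnmatch
import re

# Constructed sample: an abridged version of the attached sshd_config, plus
# a trailing "Match User *" block to show the first-match-wins rule.
SAMPLE_CONFIG = """\
AllowTcpForwarding yes
PermitOpen any
X11Forwarding yes
MaxSessions 10

#for the user "git" used with Gitolite
Match User git
    PermitTTY no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    AllowTcpForwarding no
    PermitOpen none
    PermitTunnel no
    X11Forwarding no
    MaxSessions 1

Match User *
    MaxSessions 2
"""

# Defaults from sshd_config(5) for the keywords audited below, used when
# neither the global section nor a Match block sets the keyword.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "allowstreamlocalforwarding": "yes",
    "allowagentforwarding": "yes",
    "permitopen": "any",
    "permittunnel": "no",
    "x11forwarding": "no",
    "maxsessions": "10",
}

# What a forwarding-free account (the Gitolite "git" user above) should end
# up with once Match blocks are applied.
HARDENED = {
    "allowtcpforwarding": "no",
    "allowstreamlocalforwarding": "no",
    "allowagentforwarding": "no",
    "permitopen": "none",
    "permittunnel": "no",
    "x11forwarding": "no",
}


def parse(text):
    """Split sshd_config text into (global_settings, match_blocks).

    match_blocks is a list of (criteria, settings); criteria is a list of
    (kind, patterns) pairs taken from the Match line. Keywords are
    case-insensitive in sshd, so they are lower-cased here. In the global
    section the first value of a keyword is the one sshd keeps.
    """
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()
            # "Match all" yields an empty criteria list, which matches everyone.
            criteria = [(tokens[i].lower(), tokens[i + 1].split(","))
                        for i in range(0, len(tokens) - 1, 2)]
            current = {}
            blocks.append((criteria, current))
        elif current is None:
            global_settings.setdefault(key, value)
        else:
            current.setdefault(key, value)
    return global_settings, blocks


def satisfied(criteria, user, groups):
    """True when every Match criterion holds (User and Group only)."""
    for kind, patterns in criteria:
        if kind == "user":
            ok = any(fnmatch.fnmatchcase(user, p) for p in patterns)
        elif kind == "group":
            ok = any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)
        else:
            ok = False  # Host/Address/LocalPort need connection data not modelled here
        if not ok:
            return False
    return True


def effective(config, user, groups=()):
    """Resolve settings for `user`: defaults < global section < first satisfied Match."""
    global_settings, blocks = config
    result = dict(DEFAULTS)
    result.update(global_settings)
    decided = set()
    for criteria, settings in blocks:
        if not satisfied(criteria, user, groups):
            continue
        for key, value in settings.items():
            if key not in decided:  # a later Match block cannot override an earlier one
                result[key] = value
                decided.add(key)
    return result


def forwarding_findings(settings):
    """Keywords whose effective value still permits some forwarding channel."""
    return [k for k, want in HARDENED.items() if settings.get(k) != want]


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    for name in ("git", "root"):
        eff = effective(cfg, name)
        print(name, "MaxSessions=" + eff["maxsessions"], forwarding_findings(eff))
```

On a real host, `sshd -T -C user=git -f sshd_config` prints the configuration sshd itself computes for that user and is the authoritative check; the script only reproduces the Match semantics offline, which is convenient when you want to review a config file without loading it into a running daemon.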