Bugzilla – Attachment 502 Details for
Bug 761
sftp not exiting in batch mode
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
sshd_config file
sshd_config (text/plain), 18.29 KB, created by
Tim Schauer
on 2003-11-18 14:21:51 AEDT
(
hide
)
Description:
sshd_config file
Filename:
MIME Type:
Creator:
Tim Schauer
Created:
2003-11-18 14:21:51 AEDT
Size:
18.29 KB
patch
obsolete
> Tim Schauer <tschauer >@chla.usc.edu> > 11/18/2003 01:11 PM > > To: Timothy Schauer/GIS/CSC@CSC > cc: > Subject: sshd_config > > ># @(#) $Id: sshd_config_master,v 1.1 2002/11/21 21:06:26 eszeidem Exp $ ># $Source: >/usr/local/src/CVSREP/GPES_SF/SOE/software/openssh/openssh_scripts/sshd_con >fig_master,v $ ># @(#) sshd_config file for OpenSSH package > >#AFSTokenPassing ># Specifies whether an AFS token may be forwarded to the server. ># Default is ``yes''. > >#AllowGroups * ># This keyword can be followed by a list of group name patterns, ># separated by spaces. If specified, login is allowed only for ># users whose primary group or supplementary group list matches one ># of the patterns. `*' and `?' can be used as wildcards in the ># patterns. Only group names are valid; a numerical group ID is ># not recognized. By default, login is allowed for all groups. > >#AllowTcpForwarding yes ># Specifies whether TCP forwarding is permitted. The default is ># ``yes''. Note that disabling TCP forwarding does not improve ># security unless users are also denied shell access, as they can ># always install their own forwarders. > >#AllowUsers * ># This keyword can be followed by a list of user name patterns, ># separated by spaces. If specified, login is allowed only for ># users names that match one of the patterns. `*' and `?' can be ># used as wildcards in the patterns. Only user names are valid; a ># numerical user ID is not recognized. By default, login is ># allowed for all users. If the pattern takes the form USER@HOST ># then USER and HOST are separately checked, restricting logins to ># particular users from particular hosts. > >#AuthorizedKeysFile %h/.ssh/authorized_keys ># Specifies the file that contains the public keys that can be used ># for user authentication. AuthorizedKeysFile may contain tokens ># of the form %T which are substituted during connection set-up. ># The following tokens are defined: %% is replaced by a literal ># '%', %h is replaced by the home directory of the user being ># authenticated and %u is replaced by the username of that user. ># After expansion, AuthorizedKeysFile is taken to be an absolute ># path or one relative to the user's home directory. The default ># is ``.ssh/authorized_keys''. > >#Banner /etc/issue ># In some jurisdictions, sending a warning message before ># authentication may be relevant for getting legal protection. The ># contents of the specified file are sent to the remote user before ># authentication is allowed. This option is only available for ># protocol version 2. > >#ChallengeResponseAuthentication no ># Specifies whether challenge response authentication is allowed. ># All authentication styles from login.conf(5) are supported. The ># default is ``yes''. > >#Ciphers >aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc ># Specifies the ciphers allowed for protocol version 2. Multiple ># ciphers must be comma-separated. The default is ># ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, ># aes192-cbc,aes256-cbc'' > >#ClientAliveInterval 0 ># Sets a timeout interval in seconds after which if no data has ># been received from the client, sshd will send a message through ># the encrypted channel to request a response from the client. The ># default is 0, indicating that these messages will not be sent to ># the client. This option applies to protocol version 2 only. > >#ClientAliveCountMax 3 ># Sets the number of client alive messages (see above) which may be ># sent without sshd receiving any messages back from the client. If ># this threshold is reached while client alive messages are being ># sent, sshd will disconnect the client, terminating the session. ># It is important to note that the use of client alive messages is ># very different from KeepAlive (below). The client alive messages ># are sent through the encrypted channel and therefore will not be ># spoofable. The TCP keepalive option enabled by KeepAlive is ># spoofable. The client alive mechanism is valuable when the client ># or server depend on knowing when a connection has become ># inactive. ># The default value is 3. If ClientAliveInterval (above) is set to ># 15, and ClientAliveCountMax is left at the default, unresponsive ># ssh clients will be disconnected after approximately 45 seconds. > >#Compression yes ># Specifies whether compression is allowed. The argument must be ># ``yes'' or ``no''. The default is ``yes''. > >#DenyGroups ># This keyword can be followed by a list of group name patterns, ># separated by spaces. Login is disallowed for users whose primary ># group or supplementary group list matches one of the patterns. ># `*' and `?' can be used as wildcards in the patterns. Only group ># names are valid; a numerical group ID is not recognized. By ># default, login is allowed for all groups. > >#DenyUsers ># This keyword can be followed by a list of user name patterns, ># separated by spaces. Login is disallowed for user names that ># match one of the patterns. `*' and `?' can be used as wildcards ># in the patterns. Only user names are valid; a numerical user ID ># is not recognized. By default, login is allowed for all users. ># If the pattern takes the form USER@HOST then USER and HOST are ># separately checked, restricting logins to particular users from ># particular hosts. > >#GatewayPorts no ># Specifies whether remote hosts are allowed to connect to ports ># forwarded for the client. By default, sshd binds remote port ># forwardings to the loopback addresss. This prevents other remote ># hosts from connecting to forwarded ports. GatewayPorts can be ># used to specify that sshd should bind remote port forwardings to ># the wildcard address, thus allowing remote hosts to connect to ># forwarded ports. The argument must be ``yes'' or ``no''. The ># default is ``no''. > >#HostbasedAuthentication no ># Specifies whether rhosts or /etc/hosts.equiv authentication ># together with successful public key client host authentication is ># allowed (hostbased authentication). This option is similar to ># RhostsRSAAuthentication and applies to protocol version 2 only. ># The default is ``no''. > >HostKey /opt/soe/local/etc/ssh_host_key >HostKey /opt/soe/local/etc/ssh_host_rsa_key >HostKey /opt/soe/local/etc/ssh_host_dsa_key ># Specifies a file containing a private host key used by SSH. The ># default is /etc/ssh/ssh_host_key for protocol version 1, and ># /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for ># protocol version 2. Note that sshd will refuse to use a file if ># it is group/world-accessible. It is possible to have multiple ># host key files. ``rsa1'' keys are used for version 1 and ``dsa'' ># or ``rsa'' are used for version 2 of the SSH protocol. > >IgnoreRhosts yes ># Specifies that .rhosts and .shosts files will not be used in ># RhostsAuthentication, RhostsRSAAuthentication or ># HostbasedAuthentication. ># /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. The ># default is ``yes''. > >#IgnoreUserKnownHosts no ># Specifies whether sshd should ignore the user's ># $HOME/.ssh/known_hosts during RhostsRSAAuthentication or ># HostbasedAuthentication. The default is ``no''. > >KeepAlive yes ># Specifies whether the system should send TCP keepalive messages ># to the other side. If they are sent, death of the connection or ># crash of one of the machines will be properly noticed. However, ># this means that connections will die if the route is down ># temporarily, and some people find it annoying. On the other ># hand, if keepalives are not sent, sessions may hang indefinitely ># on the server, leaving ``ghost'' users and consuming server ># resources. ># The default is ``yes'' (to send keepalives), and the server will ># notice if the network goes down or the client host crashes. This ># avoids infinitely hanging sessions. ># To disable keepalives, the value should be set to ``no''. > >#KerberosAuthentication ># Specifies whether Kerberos authentication is allowed. This can ># be in the form of a Kerberos ticket, or if PasswordAuthentication ># is yes, the password provided by the user will be validated ># through the Kerberos KDC. To use this option, the server needs a ># Kerberos servtab which allows the verification of the KDC's ># identity. Default is ``yes''. > >#KerberosOrLocalPasswd ># If set then if password authentication through Kerberos fails ># then the password will be validated via any additional local ># mechanism such as /etc/passwd. Default is ``yes''. > >#KerberosTgtPassing ># Specifies whether a Kerberos TGT may be forwarded to the server. ># Default is ``no'', as this only works when the Kerberos KDC is ># actually an AFS kaserver. > >#KerberosTicketCleanup ># Specifies whether to automatically destroy the user's ticket ># cache file on logout. Default is ``yes''. > >KeyRegenerationInterval 3600 ># In protocol version 1, the ephemeral server key is automatically ># regenerated after this many seconds (if it has been used). The ># purpose of regeneration is to prevent decrypting captured ># sessions by later breaking into the machine and stealing the ># keys. The key is never stored anywhere. If the value is 0, the ># key is never regenerated. The default is 3600 (seconds). > >#PAMAuthenticationViaKbdInt no ># Specifies whether PAM challenge response authentication is ># allowed. This allows the use of most PAM challenge response ># authentication modules, but it will allow password authentication ># regardless of whether PasswordAuthentication is disabled. The ># default is ``no''. > >Port 22 ># Specifies the port number that sshd listens on. The default is ># 22. Multiple options of this type are permitted. See also ># ListenAddress. > >#ListenAddress 0.0.0.0 ># Specifies the local addresses sshd should listen on. The ># following forms may be used: ># ListenAddress host|IPv4_addr|IPv6_addr ># ListenAddress host|IPv4_addr:port ># ListenAddress [host|IPv6_addr]:port ># If port is not specified, sshd will listen on the address and all ># prior Port options specified. The default is to listen on all ># local addresses. Multiple ListenAddress options are permitted. ># Additionally, any Port options must precede this option for non ># port qualified addresses. > >LoginGraceTime 600 ># The server disconnects after this time if the user has not ># successfully logged in. If the value is 0, there is no time ># limit. The default is 600 (seconds). > >LogLevel DEBUG3 ># **************************** WARNING >*********************************************************************** ># Using anything other than DEBUG3 will cause sftp to break. Using INFO >doesn't allow an ftp session to exit ># >*************************************************************************** >********************************** ># Gives the verbosity level that is used when logging messages from ># sshd. The possible values are: QUIET, FATAL, ERROR, INFO, ># VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. ># DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify ># higher levels of debugging output. Logging with a DEBUG level ># violates the privacy of users and is not recommended. > >#MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 ># Specifies the available MAC (message authentication code) ># algorithms. The MAC algorithm is used in protocol version 2 for ># data integrity protection. Multiple algorithms must be comma- ># separated. The default is ``hmac-md5,hmac-sha1,hmac- ># ripemd160,hmac-sha1-96,hmac-md5-96''. > >#MaxStartups 10 ># Specifies the maximum number of concurrent unauthenticated ># connections to the sshd daemon. Additional connections will be ># dropped until authentication succeeds or the LoginGraceTime ># expires for a connection. The default is 10. ># Alternatively, random early drop can be enabled by specifying the ># three colon separated values ``start:rate:full'' (e.g., ># "10:30:60"). sshd will refuse connection attempts with a ># probability of ``rate/100'' (30%) if there are currently ># ``start'' (10) unauthenticated connections. The probability ># increases linearly and all connection attempts are refused if the ># number of unauthenticated connections reaches ``full'' (60). > >PasswordAuthentication yes ># Specifies whether password authentication is allowed. The ># default is ``yes''. > >PermitEmptyPasswords no ># When password authentication is allowed, it specifies whether the ># server allows login to accounts with empty password strings. The ># default is ``no''. > >PermitRootLogin yes >#PermitRootLogin forced-commands-only ># Specifies whether root can login using ssh(1). The argument must ># be ``yes'', ``without-password'', ``forced-commands-only'' or ># ``no''. The default is ``yes''. ># If this option is set to ``without-password'' password ># authentication is disabled for root. ># If this option is set to ``forced-commands-only'' root login with ># public key authentication will be allowed, but only if the ># command option has been specified (which may be useful for taking ># remote backups even if root login is normally not allowed). All ># other authentication methods are disabled for root. ># If this option is set to ``no'' root is not allowed to login. > >#PermitUserEnvironment no ># Specifies whether ~/.ssh/environment and environment= options in ># ~/.ssh/authorized_keys are processed by sshd. The default is ># ``no''. Enabling environment processing may enable users to ># bypass access restrictions in some configurations using mecha ># nisms such as LD_PRELOAD. > >#PidFile /opt/soe/local/etc/sshd.pid ># Specifies the file that contains the process identifier of the ># sshd daemon. The default is /var/run/sshd.pid. > >#PrintLastLog yes ># Specifies whether sshd should print the date and time when the ># user last logged in. The default is ``yes''. > >PrintMotd yes ># Specifies whether sshd should print /etc/motd when a user logs in ># interactively. (On some systems it is also printed by the shell, ># /etc/profile, or equivalent.) The default is ``yes''. > >Protocol 1,2 ># Specifies the protocol versions sshd should support. The ># possible values are ``1'' and ``2''. Multiple versions must be ># comma-separated. The default is ``2,1''. > >#PubkeyAuthentication yes ># Specifies whether public key authentication is allowed. The ># default is ``yes''. Note that this option applies to protocol ># version 2 only. > >RhostsAuthentication no ># Specifies whether authentication using rhosts or /etc/hosts.equiv ># files is sufficient. Normally, this method should not be ># permitted because it is insecure. RhostsRSAAuthentication should ># be used instead, because it performs RSA-based host ># authentication in addition to normal rhosts or /etc/hosts.equiv ># authentication. The default is ``no''. This option applies to ># protocol version 1 only. > >RhostsRSAAuthenticatIon yes ># Specifies whether rhosts or /etc/hosts.equiv authentication ># together with successful RSA host authentication is allowed. The ># default is ``no''. This option applies to protocol version 1 ># only. > >RSAAuthentication yes ># Specifies whether pure RSA authentication is allowed. The ># default is ``yes''. This option applies to protocol version 1 ># only. > >ServerkeyBits 768 ># Defines the number of bits in the ephemeral protocol version 1 ># server key. The minimum value is 512, and the default is 768. > >StrictModes yes ># Specifies whether sshd should check file modes and ownership of ># the user's files and home directory before accepting login. This ># is normally desirable because novices sometimes accidentally ># leave their directory or files world-writable. The default is ># ``yes''. > >Subsystem sftp /opt/soe/local/openssh/libexec/sftp-server ># Configures an external subsystem (e.g., file transfer daemon). ># Arguments should be a subsystem name and a command to execute ># upon subsystem request. The command sftp-server(8) implements ># the ``sftp'' file transfer subsystem. By default no subsystems ># are defined. Note that this option applies to protocol version 2 ># only. > >SyslogFacility AUTH ># Gives the facility code that is used when logging messages from ># sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, ># LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The ># default is AUTH. > >#UseLogin no ># Specifies whether login(1) is used for interactive login ># sessions. The default is ``no''. Note that login(1) is never ># used for remote command execution. Note also, that if this is ># enabled, X11Forwarding will be disabled because login(1) does not ># know how to handle xauth(1) cookies. > >#UsePrivilegeSeparation yes ># Specifies whether sshd separates privileges by creating an ># unprivileged child process to deal with incoming network traffic. ># After successful authentication, another process will be created ># that has the privilege of the authenticated user. The goal of ># privilege separation is to prevent privilege escalation by ># containing any corruption within the unprivileged processes. ># The default is yes. > >#VerifyReverseMapping no ># Specifies whether sshd should try to verify the remote host name ># and check that the resolved host name for the remote IP address ># maps back to the very same IP address. The default is ``no''. > >X11DisplayOffset 10 ># Specifies the first display number available for sshd's X11 ># forwarding. This prevents sshd from interfering with real X11 ># servers. The default is 10. > >X11Forwarding yes ># Specifies whether X11 forwarding is permitted. The default is ># ``no''. Note that disabling X11 forwarding does not improve ># security in any way, as users can always install their own ># forwarders. X11 forwarding is automatically disabled if UseLogin ># is enabled. > >#X11UseLocalhost yes ># Specifies whether sshd should bind the X11 forwarding server to ># the loopback address or to the wildcard address. By default, ># sshd binds the forwarding server to the loopback address and sets ># the hostname part of the DISPLAY environment variable to ># ``localhost''. This prevents remote hosts from connecting to the ># fake display. However, some older X11 clients may not function ># with this configuration. X11UseLocalhost may be set to ``no'' to ># specify that the forwarding server should be bound to the ># wildcard address. The argument must be ``yes'' or ``no''. The ># default is ``yes''. > >#XAuthLocation /usr/bin/X11/xauth ># Specifies the location of the xauth(1) program. The default is ># /usr/bin/X11/xauth. >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 761
: 502