diff --git a/ChangeLog b/ChangeLog index ff90e5b86..2f64606c3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -185,6 +185,13 @@ - markus@cvs.openbsd.org 2002/01/16 13:17:51 [channels.c channels.h serverloop.c ssh.c] wrapper for channel_setup_fwd_listener + - stevesk@cvs.openbsd.org 2002/01/16 17:40:23 + [sshd_config] + The stategy now used for options in the default sshd_config shipped + with OpenSSH is to specify options with their default value where + possible, but leave them commented. Uncommented options change a + default value. Subsystem is currently the only default option + changed. ok markus@ 20020121 - (djm) Rework ssh-rand-helper: @@ -7332,4 +7339,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.1775 2002/01/22 12:29:22 djm Exp $ +$Id: ChangeLog,v 1.1776 2002/01/22 12:32:07 djm Exp $ diff --git a/sshd_config b/sshd_config index 41e3388da..9e62e9cf3 100644 --- a/sshd_config +++ b/sshd_config @@ -1,80 +1,89 @@ -# $OpenBSD: sshd_config,v 1.43 2001/12/19 07:18:56 deraadt Exp $ - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin +# $OpenBSD: sshd_config,v 1.44 2002/01/16 17:40:23 stevesk Exp $ # This is the sshd server system-wide configuration file. See sshd(8) # for more information. -Port 22 +# The stategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +#Port 22 #Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 -HostKey /etc/ssh_host_key +#HostKey /etc/ssh_host_key # HostKeys for protocol version 2 -HostKey /etc/ssh_host_rsa_key -HostKey /etc/ssh_host_dsa_key +#HostKey /etc/ssh_host_rsa_key +#HostKey /etc/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 +#KeyRegenerationInterval 3600 +#ServerKeyBits 768 # Logging -SyslogFacility AUTH -LogLevel INFO #obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO # Authentication: -LoginGraceTime 600 -PermitRootLogin yes -StrictModes yes +#LoginGraceTime 600 +#PermitRootLogin yes +#StrictModes yes -RSAAuthentication yes -PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys +#RSAAuthentication yes +#PubkeyAuthentication yes +#AuthorizedKeysFile .ssh/authorized_keys # rhosts authentication should not be used -RhostsAuthentication no +#RhostsAuthentication no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes +#IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no +#RhostsRSAAuthentication no # similar for protocol version 2 -HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication yes -PermitEmptyPasswords no +#PasswordAuthentication yes +#PermitEmptyPasswords no -# Uncomment to disable s/key passwords -#ChallengeResponseAuthentication no +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes -# Uncomment to enable PAM keyboard-interactive authentication +# Kerberos options +# KerberosAuthentication automatically enabled if keyfile exists +#KerberosAuthentication yes +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes + +# AFSTokenPassing automatically enabled if k_hasafs() is true +#AFSTokenPassing yes + +# Kerberos TGT Passing only works with the AFS kaserver +#KerberosTgtPassing no + +# Set this to 'yes' to enable PAM keyboard-interactive authentication # Warning: enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbdInt yes -# To change Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#AFSTokenPassing no -#KerberosTicketCleanup no - -# Kerberos TGT Passing does only work with the AFS kaserver -#KerberosTgtPassing yes - -X11Forwarding no -X11DisplayOffset 10 -PrintMotd yes -#PrintLastLog no -KeepAlive yes +#X11Forwarding no +#X11DisplayOffset 10 +#PrintMotd yes +#PrintLastLog yes +#KeepAlive yes #UseLogin no -#MaxStartups 10:30:60 -#Banner /etc/issue.net -#ReverseMappingCheck yes +#MaxStartups 10 +# no default banner path +#Banner /some/path +#ReverseMappingCheck no +# override default of no subsystems Subsystem sftp /usr/libexec/sftp-server