Appendix - Sample sshd_config File

The following is a sample sshd_config file that contains descriptions for many of the options available for OpenSSH. Many of these descriptions were taken directly from the man page for sshd.

# Specifies whether an AFS token may be forwarded to the server.
 # Default is "yes".
 #AFSTokenPassing

 # This keyword can be followed by a list of group name patterns,
 # separated by spaces. If specified, login is allowed only for
 # users whose primary group or supplementary group list matches one
 # of the patterns. '*' and '?' can be used as wildcards in the
 # patterns. Only group names are valid; a numerical group ID is
 # not recognized. By default, login is allowed for all groups.
 AllowGroups *

 # Specifies whether TCP forwarding is permitted. The default is
 # "yes". Note that disabling TCP forwarding does not improve
 # security unless users are also denied shell access, as they can
 # always install their own forwarders.
 AllowTcpForwarding yes

 # This keyword can be followed by a list of user name patterns,
 # separated by spaces. If specified, login is allowed only for
 # users names that match one of the patterns. '*' and '?' can be
 # used as wildcards in the patterns. Only user names are valid; a
 # numerical user ID is not recognized. By default, login is
 # allowed for all users. If the pattern takes the form USER@HOST
 # then USER and HOST are separately checked, restricting logins to
 # particular users from particular hosts.
 AllowUsers *

 # Specifies the file that contains the public keys that can be used
 # for user authentication. AuthorizedKeysFile may contain tokens
 # of the form %T which are substituted during connection set-up.
 # The following tokens are defined: %% is replaced by a literal
 # '%', %h is replaced by the home directory of the user being
 # authenticated and %u is replaced by the username of that user.
 # After expansion, AuthorizedKeysFile is taken to be an absolute
 # path or one relative to the user's home directory. The default
 # is ".ssh/authorized_keys".
 AuthorizedKeysFile %h/.ssh/authorized_keys

 # In some jurisdictions, sending a warning message before
 # authentication may be relevant for getting legal protection. The
 # contents of the specified file are sent to the remote user before
 # authentication is allowed. This option is only available for
 # protocol version 2.
 Banner /etc/issue

 # Specifies whether challenge response authentication is allowed.
 # All authentication styles from login.conf(5) are supported. The
 # default is "yes".
 ChallengeResponseAuthentication no

 # Specifies the ciphers allowed for protocol version 2. Multiple
 # ciphers must be comma-separated. The default is
 # "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
 # aes192-cbc,aes256-cbc"
 Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc

 # Sets a timeout interval in seconds after which if no data has
 # been received from the client, sshd will send a message through
 # the encrypted channel to request a response from the client. The
 # default is 0, indicating that these messages will not be sent to
 # the client. This option applies to protocol version 2 only.
 ClientAliveInterval 0

 # Sets the number of client alive messages (see above) which may be
 # sent without sshd receiving any messages back from the client. If
 # this threshold is reached while client alive messages are being
 # sent, sshd will disconnect the client, terminating the session.
 # It is important to note that the use of client alive messages is
 # very different from KeepAlive (below). The client alive messages
 # are sent through the encrypted channel and therefore will not be
 # spoofable. The TCP keepalive option enabled by KeepAlive is
 # spoofable. The client alive mechanism is valuable when the client
 # or server depend on knowing when a connection has become
 # inactive.
 # The default value is 3. If ClientAliveInterval (above) is set to
 # 15, and ClientAliveCountMax is left at the default, unresponsive
 # ssh clients will be disconnected after approximately 45 seconds.
 ClientAliveCountMax 3

 # This keyword can be followed by a list of group name patterns,
 # separated by spaces. Login is disallowed for users whose primary
 # group or supplementary group list matches one of the patterns.
 # '*' and '?' can be used as wildcards in the patterns. Only group
 # names are valid; a numerical group ID is not recognized. By
 # default, login is allowed for all groups.
 #DenyGroups

 # This keyword can be followed by a list of user name patterns,
 # separated by spaces. Login is disallowed for user names that
 # match one of the patterns. '*' and '?' can be used as wildcards
 # in the patterns. Only user names are valid; a numerical user ID
 # is not recognized. By default, login is allowed for all users.
 # If the pattern takes the form USER@HOST then USER and HOST are
 # separately checked, restricting logins to particular users from
 # particular hosts.
 #DenyUsers

 # Specifies whether remote hosts are allowed to connect to ports
 # forwarded for the client. By default, sshd binds remote port
 # forwardings to the loopback addresss. This prevents other remote
 # hosts from connecting to forwarded ports. GatewayPorts can be
 # used to specify that sshd should bind remote port forwardings to
 # the wildcard address, thus allowing remote hosts to connect to
 # forwarded ports. The argument must be "yes" or "no". The
 # default is "no".
 GatewayPorts no

 # Specifies whether rhosts or /etc/hosts.equiv authentication
 # together with successful public key client host authentication is
 # allowed (hostbased authentication). This option is similar to
 # RhostsRSAAuthentication and applies to protocol version 2 only.
 # The default is "no".
 HostbasedAuthentication no

 # Specifies a file containing a private host key used by SSH. The
 # default is /etc/ssh/sshuser_key for protocol version 1, and
 # /etc/ssh/sshuser_rsa_key and /etc/ssh/sshuser_dsa_key for
 # protocol version 2. Note that sshd will refuse to use a file if
 # it is group/world-accessible. It is possible to have multiple
 # host key files. "rsa1" keys are used for version 1 and "dsa"
 # or "rsa" are used for version 2 of the SSH protocol.
 HostKey /etc/ssh/sshuser_rsa_key
 HostKey /etc/ssh/sshuser_dsa_key

 # Specifies that .rhosts and .shosts files will not be used in
 # RhostsAuthentication, RhostsRSAAuthentication or
 # HostbasedAuthentication.
 # /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. The
 # default is "yes".
 IgnoreRhosts yes

 # Specifies whether sshd should ignore the user's
 # $HOME/.ssh/known_hosts during RhostsRSAAuthentication or
 # HostbasedAuthentication. The default is "no".
 IgnoreUserKnownHosts no

 # Specifies whether the system should send TCP keepalive messages
 # to the other side. If they are sent, death of the connection or
 # crash of one of the machines will be properly noticed. However,
 # this means that connections will die if the route is down
 # temporarily, and some people find it annoying. On the other
 # hand, if keepalives are not sent, sessions may hang indefinitely
 # on the server, leaving "ghost" users and consuming server
 # resources.
 # The default is "yes" (to send keepalives), and the server will
 # notice if the network goes down or the client host crashes. This
 # avoids infinitely hanging sessions.
 # To disable keepalives, the value should be set to "no".
 KeepAlive yes

 # Specifies whether Kerberos authentication is allowed. This can
 # be in the form of a Kerberos ticket, or if PasswordAuthentication
 # is yes, the password provided by the user will be validated
 # through the Kerberos KDC. To use this option, the server needs a
 # Kerberos servtab which allows the verification of the KDC's
 # identity. Default is "yes".
 #KerberosAuthentication

 # If set then if password authentication through Kerberos fails
 # then the password will be validated via any additional local
 # mechanism such as /etc/passwd. Default is "yes".
 #KerberosOrLocalPasswd

 # Specifies whether a Kerberos TGT may be forwarded to the server.
 # Default is "no", as this only works when the Kerberos KDC is
 # actually an AFS kaserver.
 #KerberosTgtPassing

 # Specifies whether to automatically destroy the user's ticket
 # cache file on logout. Default is "yes".
 #KerberosTicketCleanup

 # In protocol version 1, the ephemeral server key is automatically
 # regenerated after this many seconds (if it has been used). The
 # purpose of regeneration is to prevent decrypting captured
 # sessions by later breaking into the machine and stealing the
 # keys. The key is never stored anywhere. If the value is 0, the
 # key is never regenerated. The default is 3600 (seconds).
 #KeyRegenerationInterval

 # Specifies whether PAM challenge response authentication is
 # allowed. This allows the use of most PAM challenge response
 # authentication modules, but it will allow password authentication
 # regardless of whether PasswordAuthentication is disabled. The
 # default is "no".
 PAMAuthenticationViaKbdInt no
 # Specifies the port number that sshd listens on. The default is
 # 22. Multiple options of this type are permitted. See also
 # ListenAddress.
 Port 22

 # Specifies the local addresses sshd should listen on. The
 # following forms may be used:
 # ListenAddress hostIPv4_addrIPv6_addr
 # ListenAddress hostIPv4_addr:port
 # ListenAddress [hostIPv6_addr]:port
 # If port is not specified, sshd will listen on the address and all
 # prior Port options specified. The default is to listen on all
 # local addresses. Multiple ListenAddress options are permitted.
 # Additionally, any Port options must precede this option for non
 # port qualified addresses.
 ListenAddress 0.0.0.0

 # The server disconnects after this time if the user has not
 # successfully logged in. If the value is 0, there is no time
 # limit. The default is 600 (seconds).
 LoginGraceTime 60

 # Gives the verbosity level that is used when logging messages from
 # sshd. The possible values are: QUIET, FATAL, ERROR, INFO,
 # VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO.
 # DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
 # higher levels of debugging output. Logging with a DEBUG level
 # violates the privacy of users and is not recommended.
 LogLevel INFO

 # Specifies the available MAC (message authentication code)
 # algorithms. The MAC algorithm is used in protocol version 2 for
 # data integrity protection. Multiple algorithms must be comma-
 # separated. The default is "hmac-md5,hmac-sha1,hmac-
 # ripemd160,hmac-sha1-96,hmac-md5-96".
 MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

 # Specifies the maximum number of concurrent unauthenticated
 # connections to the sshd daemon. Additional connections will be
 # dropped until authentication succeeds or the LoginGraceTime
 # expires for a connection. The default is 10.
 # Alternatively, random early drop can be enabled by specifying the
 # three colon separated values "start:rate:full" (e.g.,
 # "10:30:60"). sshd will refuse connection attempts with a
 # probability of "rate/100" (30%) if there are currently
 # "start" (10) unauthenticated connections. The probability
 # increases linearly and all connection attempts are refused if the
 # number of unauthenticated connections reaches "full" (60).
 MaxStartups 10

 # Specifies whether password authentication is allowed. The
 # default is "yes".
 PasswordAuthentication yes

 # When password authentication is allowed, it specifies whether the
 # server allows login to accounts with empty password strings. The
 # default is "no".
 PermitEmptyPasswords no

 # Specifies whether root can login using ssh(1). The argument must
 # be "yes", "without-password", "forced-commands-only" or
 # "no". The default is "yes".
 # If this option is set to "without-password" password
 # authentication is disabled for root.
 # If this option is set to "forced-commands-only" root login with
 # public key authentication will be allowed, but only if the
 # command option has been specified (which may be useful for taking
 # remote backups even if root login is normally not allowed). All
 # other authentication methods are disabled for root.
 # If this option is set to "no" root is not allowed to login.
 PermitRootLogin forced-commands-only

 # Specifies the file that contains the process identifier of the
 # sshd daemon. The default is /var/run/sshd.pid.
 PidFile /etc/ssh/sshd.pid

 # Specifies whether sshd should print the date and time when the
 # user last logged in. The default is "yes".
 PrintLastLog yes

 # Specifies whether sshd should print /etc/motd when a user logs in
 # interactively. (On some systems it is also printed by the shell,
 # /etc/profile, or equivalent.) The default is "yes".
 PrintMotd yes

 # Specifies the protocol versions sshd should support. The
 # possible values are "1" and "2". Multiple versions must be
 # comma-separated. The default is "2,1".
 Protocol 2

 # Specifies whether public key authentication is allowed. The
 # default is "yes". Note that this option applies to protocol
 # version 2 only.
 PubkeyAuthentication yes

 # Specifies whether authentication using rhosts or /etc/hosts.equiv
 # files is sufficient. Normally, this method should not be
 # permitted because it is insecure. RhostsRSAAuthentication should
 # be used instead, because it performs RSA-based host
 # authentication in addition to normal rhosts or /etc/hosts.equiv
 # authentication. The default is "no". This option applies to
 # protocol version 1 only.
 #RhostsAuthentication

 # Specifies whether rhosts or /etc/hosts.equiv authentication
 # together with successful RSA host authentication is allowed. The
 # default is "no". This option applies to protocol version 1
 # only.
 #RhostsRSAAuthentication

 # Specifies whether pure RSA authentication is allowed. The
 # default is "yes". This option applies to protocol version 1
 # only.
 #RSAAuthentication

 # Defines the number of bits in the ephemeral protocol version 1
 # server key. The minimum value is 512, and the default is 768.
 #ServerKeyBits

 # Specifies whether sshd should check file modes and ownership of
 # the user's files and home directory before accepting login. This
 # is normally desirable because novices sometimes accidentally
 # leave their directory or files world-writable. The default is
 # "yes".
 StrictModes yes

 # Configures an external subsystem (e.g., file transfer daemon).
 # Arguments should be a subsystem name and a command to execute
 # upon subsystem request. The command sftp-server(8) implements
 # the "sftp" file transfer subsystem. By default no subsystems
 # are defined. Note that this option applies to protocol version 2
 # only.Subsystem sftp /opt/corp/local/openSSH/sbin/sftp-server

 # Gives the facility code that is used when logging messages from
 # sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0,
 # LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
 # default is AUTH.
 SyslogFacility AUTH

 # Specifies whether login(1) is used for interactive login
 # sessions. The default is "no". Note that login(1) is never
 # used for remote command execution. Note also, that if this is
 # enabled, X11Forwarding will be disabled because login(1) does not
 # know how to handle xauth(1) cookies.
 UseLogin no

 # Specifies whether sshd should try to verify the remote host name
 # and check that the resolved host name for the remote IP address
 # maps back to the very same IP address. The default is "no".
 VerifyReverseMapping no

 # Specifies the first display number available for sshd's X11
 # forwarding. This prevents sshd from interfering with real X11
 # servers. The default is 10.
 X11DisplayOffset 10

 # Specifies whether X11 forwarding is permitted. The default is
 # "no". Note that disabling X11 forwarding does not improve
 # security in any way, as users can always install their own
 # forwarders. X11 forwarding is automatically disabled if UseLogin
 # is enabled.
 X11Forwarding no

 # Specifies whether sshd should bind the X11 forwarding server to
 # the loopback address or to the wildcard address. By default,
 # sshd binds the forwarding server to the loopback address and sets
 # the hostname part of the DISPLAY environment variable to
 # "localhost". This prevents remote hosts from connecting to the
 # fake display. However, some older X11 clients may not function
 # with this configuration. X11UseLocalhost may be set to "no" to
 # specify that the forwarding server should be bound to the
 # wildcard address. The argument must be "yes" or "no". The
 # default is "yes".
 X11UseLocalhost yes

 # Specifies the location of the xauth(1) program. The default is
 # /usr/bin/X11/xauth.
 XAuthLocation /usr/bin/X11/xauth