93 lines
2.5 KiB
Text
93 lines
2.5 KiB
Text
# -*- coding: utf-8; mode: python -*-
|
|
|
|
include("mode/space")
|
|
|
|
header("Configuration du serveur ssh")
|
|
|
|
@# What ports, IPs and protocols we listen for
|
|
@Port 22
|
|
@# Use these options to restrict which interfaces/protocols sshd will bind to
|
|
@#ListenAddress ::
|
|
@#ListenAddress 0.0.0.0
|
|
@Protocol 2
|
|
@# HostKeys for protocol version 2
|
|
@HostKey /etc/ssh/ssh_host_rsa_key
|
|
@HostKey /etc/ssh/ssh_host_dsa_key
|
|
@HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
@#Privilege Separation is turned on for security
|
|
@UsePrivilegeSeparation yes
|
|
|
|
@# Lifetime and size of ephemeral version 1 server key
|
|
@KeyRegenerationInterval 3600
|
|
@ServerKeyBits 1024
|
|
|
|
@# Logging
|
|
@SyslogFacility AUTH
|
|
@LogLevel INFO
|
|
|
|
@# Authentication:
|
|
@LoginGraceTime 120
|
|
@PermitRootLogin yes
|
|
@StrictModes yes
|
|
|
|
@RSAAuthentication yes
|
|
@PubkeyAuthentication yes
|
|
if has("owncloud"):
|
|
@AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2 /etc/ssh/authorized_keys
|
|
else:
|
|
@#AuthorizedKeysFile %h/.ssh/authorized_keys
|
|
|
|
@# Don't read the user's ~/.rhosts and ~/.shosts files
|
|
@IgnoreRhosts yes
|
|
@# For this to work you will also need host keys in /etc/ssh_known_hosts
|
|
@RhostsRSAAuthentication no
|
|
@# similar for protocol version 2
|
|
@HostbasedAuthentication no
|
|
@# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
|
@#IgnoreUserKnownHosts yes
|
|
|
|
@# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
|
@PermitEmptyPasswords no
|
|
|
|
@# Change to yes to enable challenge-response passwords (beware issues with
|
|
@# some PAM modules and threads)
|
|
@ChallengeResponseAuthentication yes
|
|
|
|
@# Change to no to disable tunnelled clear text passwords
|
|
@PasswordAuthentication no
|
|
|
|
@# Kerberos options
|
|
@#KerberosAuthentication no
|
|
@#KerberosGetAFSToken no
|
|
@#KerberosOrLocalPasswd yes
|
|
@#KerberosTicketCleanup yes
|
|
|
|
@# GSSAPI options
|
|
@#GSSAPIAuthentication no
|
|
@#GSSAPICleanupCredentials yes
|
|
|
|
%X11Forwarding yesno(has("users") or has("2B"))
|
|
@X11DisplayOffset 10
|
|
@PrintMotd no
|
|
@PrintLastLog yes
|
|
@TCPKeepAlive yes
|
|
@#UseLogin no
|
|
|
|
@#MaxStartups 10:30:60
|
|
@#Banner /etc/issue.net
|
|
|
|
@# Allow client to pass locale environment variables
|
|
@AcceptEnv LANG LC_*
|
|
|
|
@Subsystem sftp /usr/lib/openssh/sftp-server
|
|
|
|
@UsePAM yes
|
|
|
|
@UseDNS yes
|
|
if has("owncloud"):
|
|
@#Owncloud doit laisser accès à l'ensemble des utilisateurs pour
|
|
@#faire un mount sshfs (sinon les fichiers ajoutés n'appartiennent
|
|
@#pas au bon utilisateur, mais on ne veut pas qu'ils puissent faire
|
|
@#quoi que ce soit sur la machine.
|
|
@Match Group !adm,!apprentis,* Address !127.0.0.1,*
|
|
@ ForceCommand /bin/false
|