#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# Listen on TCP port 22 on every interface, both address families
# (AddressFamily/ListenAddress are left at their defaults).
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# NOTE(review): an AllowUsers line with no patterns is NOT a deny-all.
# sshd only restricts logins when the allow list holds at least one
# pattern; with an empty list every account that can otherwise
# authenticate is accepted, so as written this line is a no-op that reads
# like a lock-down.  It looks like a slot the SAOS CLI fills in (compare
# the "User configurable via the SAOS CLI" notes further down) -- confirm
# it is populated on deployed units, or comment it out.
AllowUsers 

# Only SSH protocol 2 is accepted (protocol 1 would otherwise need explicit
# activation).  Stock OpenSSH dropped protocol-1 support in 7.4 and treats
# this directive as a no-op -- the template header above is from a 7.5
# sshd_config -- so on a current base it is harmless; it is kept so that a
# patched or older build that still honours it can never fall back to v1.
Protocol 2

# HostKey for protocol version 1
# (heading kept from the stock template; with Protocol 2 above there is no
# v1 key -- the file below is the protocol-2 host key.)

# Using this single file name for all key types because right now
# we only allow one key type at a time, so the type of the key inside
# this file is whatever the SAOS CLI last generated.
HostKey /flash0/ssh/ssh_host_key

# HostKeys for protocol version 2
# Per-type files, disabled in favour of the single-file convention above.
# If several HostKey lines are ever active, their order here is the order
# in which the key types are advertised to clients.

#HostKey /flash0/ssh/ssh_host_rsa_key
#HostKey /flash0/ssh/ssh_host_dsa_key
#HostKey /flash0/ssh/ssh_host_ecdsa_key
#HostKey /flash0/ssh/ssh_host_ed25519_key

# Same here, one file name for all key types (X.509 host certificate and
# its private key -- a PKIX-SSH extension, as are the X509* / CA* / VA*
# directives below)
HostKey /flash0/ssh/ssh_host_x509_key

#HostKey /flash0/ssh/ssh_host_x509_rsa_key
#HostKey /flash0/ssh/ssh_host_x509_dsa_key
#HostKey /flash0/ssh/ssh_host_x509_ecdsa_key

# "key type names" for X.509 certificates with EC key
# Note the FIRST X509KeyAlgorithm line defined for a key family is the one
# used in signature operations, so the order of these lines is
# security-relevant, not cosmetic.
X509KeyAlgorithm x509v3-ecdsa-sha2-nistp256,sha256,ecdsa-sha2-nistp256
X509KeyAlgorithm x509v3-ecdsa-sha2-nistp384,sha384,ecdsa-sha2-nistp384
X509KeyAlgorithm x509v3-ecdsa-sha2-nistp521,sha512,ecdsa-sha2-nistp521

# "key type names" for X.509 certificates with RSA key
# Note first defined is used in signature operations!
# Only the SHA-1 digest is enabled, so every X.509 RSA signature this host
# produces under this name uses SHA-1.  The rsa-md5 form stays disabled --
# MD5 is collision-broken; do not re-enable it.
# NOTE(review): if the PKIX-SSH build in use offers a SHA-2 RSA key type
# name, list it first here so signing moves off SHA-1.
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5

# "key type names" for X.509 certificates with DSA key
# Note first defined is used in signature operations!
# ASN.1-encoded DSA signatures only; the raw form stays disabled.
X509KeyAlgorithm x509v3-sign-dss,dss-asn1
#X509KeyAlgorithm x509v3-sign-dss,dss-raw

# The intended use for the X.509 client certificate. Without this option
# no chain verification will be done. Currently accepted uses are case
# insensitive:
#  - "sslclient", "SSL client", "SSL_client" or "client"
#  - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose"
#  - "skip" or "" (empty): don't check purpose.
# "sslclient" is the right value for user login: "any" would also accept
# certificates issued for other purposes (server or CA use, for example)
# and "skip" drops the purpose check altogether.
AllowedCertPurpose sslclient

# Specifies whether a self-issued (self-signed) X.509 certificate can be
# allowed only by an entry in the AuthorizedKeysFile that contains the
# matching public key or certificate blob.
#KeyAllowSelfIssued no

# Specifies whether a CRL must be present in the store for every
# certificate in the chain that carries the "cRLDistributionPoints"
# attribute.
# NOTE(review): at the default "no" (and with VAType none below) a chain
# whose issuer has no CRL installed in CARevocationPath presumably passes
# with no revocation check at all, so revocation is only enforced for the
# issuers whose CRLs are actually provisioned to the device.  Set to
# "yes" once every trusted CA's CRL is shipped with the CA certificates.
#MandatoryCRL no

# A file with multiple certificates of certificate signers
# in PEM format concatenated together.
#CACertificateFile /flash0/cert/ca/ca-bundle.crt

# A directory with certificates of certificate signers.  These are the
# trust anchors for certificate login -- any CA placed here can issue
# login certificates, so the directory must be writable by root only.
# The certificates should have name of the form: [HASH].[NUMBER]
# or have symbolic links to them of this form.
CACertificatePath /flash0/cert/ca

# A file with multiple CRL of certificate signers
# in PEM format concatenated together.
#CARevocationFile /flash0/cert/ca/ca-bundle.crl

# A directory with CRL of certificate signers (shares the CA directory;
# the .r[NUMBER] suffix keeps CRLs apart from the [HASH].[NUMBER] certs).
# The CRL should have name of the form: [HASH].r[NUMBER]
# or have symbolic links to them of this form.
CARevocationPath /flash0/cert/ca

# LDAP protocol version.
# Example:
# CAldapVersion 2

# Note: because of an OpenSSH options-parser limitation
# use %3D instead of = !
# LDAP initialization may require the URL to be escaped, i.e.
# use %2C instead of , (comma).  The escaped form of the URL does not
# depend on the LDAP initialization method.
# Example:
# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom

# SSH can use "Online Certificate Status Protocol" (OCSP)
# to validate certificates. Set VAType to
#  - none    : do not use OCSP to validate certificates;
#  - ocspcert: validate only certificates that specify an `OCSP
#      Service Locator' URL;
#  - ocspspec: use the 'OCSP Responder' specified in the configuration
#      to validate all certificates.
# "none" here means revocation status comes solely from the CRL files in
# CARevocationPath (see MandatoryCRL above for what happens when one is
# missing).
VAType none

# VAOCSPResponderURL: 'Access Location' / 'OCSP Service Locator' URL of the
# OCSP provider.  Used when VAType is set to "ocspspec".
#VAOCSPResponderURL

# Lifetime and size of the ephemeral protocol-1 server key.  Irrelevant
# with Protocol 2 (and deprecated on OpenSSH 7.4+, which no longer
# implements v1); kept only as template history.
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
# (RekeyLimit's effective value is set in the JITC section further down;
# sshd uses the first value it reads for a directive, so this copy must
# stay commented to avoid shadowing that one.)
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
# LogLevel is pinned to ERROR so that only sshd's error-class messages
# reach the security log.
# NOTE(review): this is more restrictive than the stated goal of
# "capturing connection attempts".  sshd emits its per-attempt
# "Accepted ..." / "Failed ..." lines at INFO, and key fingerprints and
# "Connection from ..." need VERBOSE, so at ERROR the only per-login
# record comes from PAM (UsePAM yes below) or from the sftp server's own
# "-l INFO".  Use INFO (or VERBOSE) here if the security log is meant to
# show who authenticated, how, and from where.
LogLevel error

# Authentication:

# Time a client has to complete authentication before sshd drops the
# connection (also bounds how long half-open unauthenticated sessions
# can be held).
# User configurable via the SAOS CLI
LoginGraceTime 2m
#  Changed to no for enhanced security: root cannot log in over ssh by
#  any method; administrative access must go through a named account.
PermitRootLogin no
# User configurable via the SAOS CLI
# NOTE(review): "no" disables sshd's ownership/permission check on the
# authorized-keys file (and the user's home and .ssh) before trusting it.
# The keys live in the system-managed path given by AuthorizedKeysFile
# below, so this check is the only thing sshd itself does to notice a key
# file that has become group- or world-writable; prefer "yes" unless the
# flash file-system genuinely cannot satisfy the mode checks.
StrictModes no
# Authentication attempts allowed per connection (each public key the
# client offers counts as one); reaching it ends the connection.
MaxAuthTries 3
#MaxSessions 10

# RSAAuthentication is a protocol-1 option and has no effect here.
#RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check a single,
# system-managed file per account: %u expands to the login name, so
# /flash0/ssh/users/<user>.pub holds that user's keys.  Because StrictModes
# is "no" above, sshd does not verify the mode/ownership of this file or
# its directory -- the platform must keep /flash0/ssh/users root-writable
# only.
AuthorizedKeysFile      /flash0/ssh/users/%u.pub

# No principals file: certificate/key entries are matched only through
# the file above.
#AuthorizedPrincipalsFile none

# No external key-lookup helper.
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /flash0/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Tunneled clear-text passwords are ENABLED (sshd's default, left
# uncommented here).  Together with PubkeyAuthentication yes this means an
# account can log in with either a key in /flash0/ssh/users or its
# password; MaxAuthTries 3 and LoginGraceTime 2m bound guessing per
# connection but do not rate-limit across connections.  Change to no once
# every account has a key provisioned.
#PasswordAuthentication yes

# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
#PermitEmptyPasswords no

# Keyboard-interactive (s/key or PAM prompts) is also at its default of
# yes; with UsePAM yes below this is the channel PAM conversations use,
# so disabling PasswordAuthentication alone does not disable PAM password
# prompts -- both must be "no" for key-only login.
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# (PermitRootLogin is "no" above, which that bypass does not affect.)
UsePAM yes

# Forwarding/session defaults.  Agent forwarding is at its default of
# yes; the effective AllowTcpForwarding value is the one set in the JITC
# section further down (this commented copy is only the stock default).
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes

#############################################################################
# These were added for JITC functionality.  The values below are the
# non-JITC defaults; the SAOS CLI rewrites some of them when JITC mode is
# switched on (see the per-directive notes).
# By default TCP Keepalive is on.  It detects dead peers at the TCP layer
# but is spoofable, so it is not a substitute for the ClientAlive* probes,
# which travel inside the encrypted channel.
TCPKeepAlive yes

# Specifies the maximum amount of data that may be transmitted before the
# session key is renegotiated. The default is 1G or 4G depending upon
# the cipher.  The optional second value is a time value; "none" means no
# time-based rekeying.
RekeyLimit default none

# Sets a timeout interval in seconds after which if no data has been
# received from the client, sshd will send a message to request a response.
# The openSSH default is 0.  0 disables the probes, so an idle or
# half-dead authenticated session is never reaped by sshd itself (only
# TCP keepalive, and LoginGraceTime for unauthenticated ones, apply).
ClientAliveInterval 0

# Sets the number of client alive messages which may be sent without the
# sshd receiving any messages back from the client.  If threshold is reached
# sshd will disconnect the client, terminating the session.  The openSSH 
# default is 3.
# The setting of 0 with a ClientAliveInterval of 60, the SSH session will be 
# terminated with no keep alive message being sent.
# NOTE(review): that is the pre-8.2 behaviour; OpenSSH 8.2 redefined
# ClientAliveCountMax 0 to mean "never disconnect", so re-check this
# pairing if the sshd base is ever upgraded.
ClientAliveCountMax 0

# Specifies whether TCP forwarding is permitted.  The available
# options are ``yes'' or ``all'' to allow TCP forwarding, ``no'' to
# prevent all TCP forwarding, ``local'' to allow local (from the
# perspective of ssh(1)) forwarding only or ``remote'' to allow
# remote forwarding only.  The default is ``yes''.  JITC mode
# will set this to no.
# With "yes" any authenticated account can relay arbitrary TCP through
# the device (ssh -L / -R), which is rarely wanted on an appliance whose
# sessions are sftp/netconf; consider "no" outside JITC mode as well.
AllowTcpForwarding yes

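# Specifies the available KEX (Key Exchange) algorithms -- what the server
# will accept; the negotiated method is the first entry of the CLIENT's
# list that also appears here, so this list is a policy, not a preference.
# Multiple algorithms must be comma-separated.
# diffie-hellman-group1-sha1 has been dropped from the original list: it
# uses a 1024-bit MODP group (Oakley group 2), which is within reach of
# precomputation attacks (Logjam), and stock OpenSSH has not enabled it by
# default since 7.0.  Only pre-2006 clients depend on it.  The remaining
# SHA-1 variants (group-exchange-sha1, group14-sha1) are kept for legacy
# clients; drop them too once the client population allows.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1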

# Specifies the ciphers allowed for protocol version 2 (what the server
# will accept; the client's list order chooses among them).  Multiple
# ciphers must be comma-separated.
# This is the non-JITC default and deliberately keeps the CBC modes and
# 3des-cbc for legacy clients.  JITC requires that CBC ciphers not be
# supported, so they are removed while in JITC mode.  Outside JITC they
# are the first to retire when compatibility allows: CBC mode in SSH has
# a known plaintext-recovery weakness and 3des-cbc has a 64-bit block.
# NOTE(review): the earlier note here saying aes*-gcm@openssh.com and
# chacha20-poly1305@openssh.com were left out because the build lacked
# OPENSSL_HAVE_EVPGCM is stale -- both are in the list below, and sshd
# refuses to start on a cipher name the build does not support, so the
# build evidently has them now.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

# Specifies the MACs allowed for protocol version 2 (what the server will
# accept; the client's list order chooses).  Multiple MACs must be
# comma-separated.
# (The stock note about "CBC ciphers" here was copied from the Ciphers
# section; the weak entries in this list are the MD5-based MACs and the
# 96-bit/64-bit truncated tags -- hmac-md5*, hmac-*-96*, umac-64*.)
# This is the non-JITC default: JITC requires that the MD5 96-bit
# algorithms not be supported, so they are removed while in JITC mode.
# Outside JITC, trim the MD5 and truncated MACs together with the CBC
# ciphers once the client population allows; the -etm@openssh.com
# (encrypt-then-MAC) forms are the ones to keep.
MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-md5-96

# Specifies the key types that will be accepted for public key
# authentication as a comma-separated pattern list (stock OpenSSH
# keyword; disabled here in favour of the vendor keyword below).
#PubkeyAcceptedKeyTypes ssh-dss,ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

# Specifies the public key algorithms that will be accepted.
# NOTE(review): AcceptedAlgorithms is not a keyword I can find in stock
# OpenSSH, and stock sshd exits with "Bad configuration option" on an
# unknown keyword, so this must come from the SAOS/PKIX-SSH build --
# confirm it is honoured and exactly what it governs.  The list admits
# ssh-dss (1024-bit DSA), which stock OpenSSH has refused by default since
# 7.0; remove it unless DSA client keys are genuinely in use.
AcceptedAlgorithms ssh-dss,ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

# Specifies the maximum number of open sessions (multiplexed shell, sftp
# or netconf channels) permitted per network connection -- not the
# number of connections, which MaxStartups governs.  The default is 10.
# JITC mode requires that only one (1) session be supported; this is the
# non-JITC value.
MaxSessions 10

#############################################################################

#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
# (ClientAlive* are set in the JITC section above; sshd takes the first
# value it reads for a directive, so these copies must stay commented.)
#ClientAliveInterval 0
#ClientAliveCountMax 3
# Do not reverse-resolve client addresses: keeps DNS off the
# authentication path (no lookup delay or dependency, and no hostname
# based "from=" matching that a spoofed PTR record could satisfy).
UseDNS no
PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# default banner path (shown to every client before authentication)
Banner /etc/issue.ssh

# override default of no subsystems
# JE-47616: "-l INFO" logs sftp transfer activity (among other things)
# to syslog independently of sshd's LogLevel.  Both subsystems run as the
# authenticated user.
Subsystem	sftp	/usr/libexec/sftp-server -l INFO
Subsystem	netconf	/usr/sbin/netconf-subsystem-pro

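# IP type-of-service / DSCP marking: "none" leaves the OS default on both
# interactive and bulk sessions.  This must stay ABOVE the Match examples
# below: a Match section runs to the next Match line or the end of the
# file, and IPQoS is one of the directives Match may override, so placed
# after an active Match line it would silently apply only to the matched
# connections instead of globally.
IPQoS none

# adding two factor authentication
# To enable, uncomment BOTH lines and give "Match User" a real user
# pattern: a Match criterion with no value is a configuration error that
# stops sshd from starting.  The AuthenticationMethods list then requires
# the public key AND either a PAM keyboard-interactive exchange or a
# password for the matched accounts (PasswordAuthentication and
# ChallengeResponseAuthentication are at their default of yes above).
#Match User 
#AuthenticationMethods publickey,keyboard-interactive publickey,password

# Example of overriding settings on a per-user basis (keep commented --
# anything placed after an active Match line belongs to that block)
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server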
