Created
August 29, 2016 01:53
-
-
Save cliff-wakefield/d65c3405634d1e1014fa698f4d316e7e to your computer and use it in GitHub Desktop.
sshd_config diff Ubuntu 16.04 default vs module configured
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# diff /tmp/sshd_config.bak /etc/ssh/sshd_config | |
1,2c1,2 | |
< # Package generated configuration file | |
< # See the sshd_config(5) manpage for details | |
--- | |
> # This file is being maintained by Puppet. | |
> # DO NOT EDIT | |
4c4,16 | |
< # What ports, IPs and protocols we listen for | |
--- | |
> # $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ | |
> | |
> # This is the sshd server system-wide configuration file. See | |
> # sshd_config(5) for more information. | |
> | |
> # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin | |
> | |
> # The strategy used for options in the default sshd_config shipped with | |
> # OpenSSH is to specify options with their default value where | |
> # possible, but leave them commented. Uncommented options change a | |
> # default value. | |
> | |
> #Port 22 | |
6,8c18 | |
< # Use these options to restrict which interfaces/protocols sshd will bind to | |
< #ListenAddress :: | |
< #ListenAddress 0.0.0.0 | |
--- | |
> #Protocol 2,1 | |
9a20,24 | |
> #AddressFamily any | |
> AddressFamily any | |
> | |
> # HostKey for protocol version 1 | |
> #HostKey /etc/ssh/ssh_host_key | |
10a26,27 | |
> #HostKey /etc/ssh/ssh_host_rsa_key | |
> #HostKey /etc/ssh/ssh_host_dsa_key | |
15,16d31 | |
< #Privilege Separation is turned on for security | |
< UsePrivilegeSeparation yes | |
19c34,35 | |
< KeyRegenerationInterval 3600 | |
--- | |
> #KeyRegenerationInterval 1h | |
> #ServerKeyBits 1024 | |
21d36 | |
< | |
22a38,39 | |
> # obsoletes QuietMode and FascistLogging | |
> #SyslogFacility AUTH | |
23a41 | |
> #LogLevel INFO | |
26a45,46 | |
> | |
> #LoginGraceTime 120 | |
28c48,50 | |
< PermitRootLogin prohibit-password | |
--- | |
> #PermitRootLogin yes | |
> PermitRootLogin no | |
> #StrictModes yes | |
29a52 | |
> #MaxAuthTries 6 | |
31c54,55 | |
< RSAAuthentication yes | |
--- | |
> #RSAAuthentication yes | |
> #PubkeyAuthentication yes | |
33c57 | |
< #AuthorizedKeysFile %h/.ssh/authorized_keys | |
--- | |
> #AuthorizedKeysFile .ssh/authorized_keys | |
35,38c59,60 | |
< # Don't read the user's ~/.rhosts and ~/.shosts files | |
< IgnoreRhosts yes | |
< # For this to work you will also need host keys in /etc/ssh_known_hosts | |
< RhostsRSAAuthentication no | |
--- | |
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | |
> #RhostsRSAAuthentication no | |
39a62 | |
> #HostbasedAuthentication no | |
41,49c64,70 | |
< # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | |
< #IgnoreUserKnownHosts yes | |
< | |
< # To enable empty passwords, change to yes (NOT RECOMMENDED) | |
< PermitEmptyPasswords no | |
< | |
< # Change to yes to enable challenge-response passwords (beware issues with | |
< # some PAM modules and threads) | |
< ChallengeResponseAuthentication no | |
--- | |
> # Change to yes if you don't trust ~/.ssh/known_hosts for | |
> # RhostsRSAAuthentication and HostbasedAuthentication | |
> #IgnoreUserKnownHosts no | |
> IgnoreUserKnownHosts no | |
> # Don't read the user's ~/.rhosts and ~/.shosts files | |
> #IgnoreRhosts yes | |
> IgnoreRhosts yes | |
51,52c72,79 | |
< # Change to no to disable tunnelled clear text passwords | |
< PasswordAuthentication no | |
--- | |
> # To disable tunneled clear text passwords, change to no here! | |
> #PasswordAuthentication yes | |
> PasswordAuthentication yes | |
> #PermitEmptyPasswords no | |
> | |
> # Change to no to disable s/key passwords | |
> #ChallengeResponseAuthentication yes | |
> ChallengeResponseAuthentication yes | |
55,56d81 | |
< #KerberosAuthentication no | |
< #KerberosGetAFSToken no | |
58a84 | |
> #KerberosGetAFSToken no | |
61a88 | |
> GSSAPIAuthentication yes | |
62a90,101 | |
> GSSAPICleanupCredentials yes | |
> | |
> # Set this to 'yes' to enable PAM authentication, account processing, | |
> # and session processing. If this is enabled, PAM authentication will | |
> # be allowed through the ChallengeResponseAuthentication mechanism. | |
> # Depending on your PAM configuration, this may bypass the setting of | |
> # PasswordAuthentication, PermitEmptyPasswords, and | |
> # "PermitRootLogin without-password". If you just want the PAM account and | |
> # session checks to run without PAM authentication, then enable this but set | |
> # ChallengeResponseAuthentication=no | |
> #UsePAM no | |
> UsePAM yes | |
63a103,110 | |
> # Accept locale-related environment variables | |
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | |
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | |
> AcceptEnv LC_IDENTIFICATION LC_ALL | |
> #AllowTcpForwarding yes | |
> AllowTcpForwarding yes | |
> #GatewayPorts no | |
> #X11Forwarding no | |
65,67c112,117 | |
< X11DisplayOffset 10 | |
< PrintMotd no | |
< PrintLastLog yes | |
--- | |
> #X11DisplayOffset 10 | |
> #X11UseLocalhost yes | |
> #PrintMotd yes | |
> PrintMotd yes | |
> #PrintLastLog yes | |
> #TCPKeepAlive yes | |
69a120,138 | |
> #UsePrivilegeSeparation yes | |
> #PermitUserEnvironment no | |
> #Compression delayed | |
> #ClientAliveInterval 0 | |
> ClientAliveInterval 0 | |
> ClientAliveCountMax 3 | |
> #ShowPatchLevel no | |
> #UseDNS yes | |
> UseDNS yes | |
> #PidFile /var/run/sshd.pid | |
> #MaxStartups 10:30:100 | |
> #MaxSessions 10 | |
> | |
> #PermitTunnel no | |
> #ChrootDirectory none | |
> | |
> # no default banner path | |
> #Banner none | |
> Banner none | |
71,76c140 | |
< #MaxStartups 10:30:60 | |
< #Banner /etc/issue.net | |
< | |
< # Allow client to pass locale environment variables | |
< AcceptEnv LANG LC_* | |
< | |
--- | |
> # override default of no subsystems | |
79,88d142 | |
< # Set this to 'yes' to enable PAM authentication, account processing, | |
< # and session processing. If this is enabled, PAM authentication will | |
< # be allowed through the ChallengeResponseAuthentication and | |
< # PasswordAuthentication. Depending on your PAM configuration, | |
< # PAM authentication via ChallengeResponseAuthentication may bypass | |
< # the setting of "PermitRootLogin without-password". | |
< # If you just want the PAM account and session checks to run without | |
< # PAM authentication, then enable this but set PasswordAuthentication | |
< # and ChallengeResponseAuthentication to 'no'. | |
< UsePAM yes |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment