aix:aix_secure_os
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | |||
|
aix:aix_secure_os [2025/09/02 15:11] manu |
aix:aix_secure_os [2025/09/02 15:17] (current) manu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ===== SSH ===== | ||
| + | /etc/ssh/sshd_config | ||
| + | <code> | ||
| + | # $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ | ||
| + | |||
| + | # This is the sshd server system-wide configuration file. See | ||
| + | # sshd_config(5) for more information. | ||
| + | |||
| + | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | ||
| + | |||
| + | # The strategy used for options in the default sshd_config shipped with | ||
| + | # OpenSSH is to specify options with their default value where | ||
| + | # possible, but leave them commented. Uncommented options override the | ||
| + | # default value. | ||
| + | |||
| + | Port 22 | ||
| + | #AddressFamily any | ||
| + | ListenAddress 0.0.0.0 | ||
| + | #ListenAddress :: | ||
| + | |||
| + | #HostKey /etc/ssh/ssh_host_rsa_key | ||
| + | #HostKey /etc/ssh/ssh_host_ecdsa_key | ||
| + | #HostKey /etc/ssh/ssh_host_ed25519_key | ||
| + | |||
| + | # Ciphers and keying | ||
| + | #RekeyLimit default none | ||
| + | #RekeyLimit 1G 3600 | ||
| + | |||
| + | # Logging | ||
| + | SyslogFacility AUTH | ||
| + | LogLevel INFO | ||
| + | |||
| + | # Authentication: | ||
| + | |||
| + | #LoginGraceTime 2m | ||
| + | PermitRootLogin yes | ||
| + | #StrictModes yes | ||
| + | MaxAuthTries 4 | ||
| + | #MaxSessions 10 | ||
| + | |||
| + | #PubkeyAuthentication yes | ||
| + | |||
| + | # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 | ||
| + | # but this is overridden so installations will only check .ssh/authorized_keys | ||
| + | AuthorizedKeysFile .ssh/authorized_keys | ||
| + | |||
| + | #AuthorizedPrincipalsFile none | ||
| + | |||
| + | #AuthorizedKeysCommand none | ||
| + | #AuthorizedKeysCommandUser nobody | ||
| + | |||
| + | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | ||
| + | HostbasedAuthentication no | ||
| + | # Change to yes if you don't trust ~/.ssh/known_hosts for | ||
| + | # HostbasedAuthentication | ||
| + | #IgnoreUserKnownHosts no | ||
| + | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
| + | IgnoreRhosts yes | ||
| + | |||
| + | # To disable tunneled clear text passwords, change to no here! | ||
| + | PasswordAuthentication yes | ||
| + | PermitEmptyPasswords no | ||
| + | |||
| + | # Change to no to disable s/key passwords | ||
| + | #KbdInteractiveAuthentication yes | ||
| + | |||
| + | # Kerberos options | ||
| + | #KerberosAuthentication no | ||
| + | #KerberosOrLocalPasswd yes | ||
| + | #KerberosTicketCleanup yes | ||
| + | #KerberosGetAFSToken no | ||
| + | |||
| + | # GSSAPI options | ||
| + | #GSSAPIAuthentication no | ||
| + | #GSSAPICleanupCredentials yes | ||
| + | |||
| + | #GSSAPIStrictAcceptorCheck yes | ||
| + | #GSSAPIKeyExchange no | ||
| + | |||
| + | Ciphers -chacha20-poly1305@openssh.com | ||
| + | MACs -*md5*,*sha1,*sha1-*,*-64,*-64-*,umac-64@openssh.com,*-96 | ||
| + | KexAlgorithms -diffie-hellman-group*sha1 | ||
| + | |||
| + | # Set this to 'yes' to enable PAM authentication, account processing, | ||
| + | # and session processing. If this is enabled, PAM authentication will | ||
| + | # be allowed through the KbdInteractiveAuthentication and | ||
| + | # PasswordAuthentication. Depending on your PAM configuration, | ||
| + | # PAM authentication via KbdInteractiveAuthentication may bypass | ||
| + | # the setting of "PermitRootLogin prohibit-password". | ||
| + | # If you just want the PAM account and session checks to run without | ||
| + | # PAM authentication, then enable this but set PasswordAuthentication | ||
| + | # and KbdInteractiveAuthentication to 'no'. | ||
| + | UsePAM yes | ||
| + | |||
| + | #AllowAgentForwarding yes | ||
| + | #AllowTcpForwarding yes | ||
| + | #GatewayPorts no | ||
| + | #X11Forwarding no | ||
| + | #X11DisplayOffset 10 | ||
| + | #X11UseLocalhost yes | ||
| + | #PermitTTY yes | ||
| + | #PrintMotd yes | ||
| + | #PrintLastLog yes | ||
| + | #TCPKeepAlive yes | ||
| + | PermitUserEnvironment no | ||
| + | #Compression delayed | ||
| + | #ClientAliveInterval 0 | ||
| + | #ClientAliveCountMax 3 | ||
| + | #UseDNS no | ||
| + | PidFile /var/run/sshd.pid | ||
| + | #MaxStartups 10:30:100 | ||
| + | #PermitTunnel no | ||
| + | #ChrootDirectory none | ||
| + | #VersionAddendum none | ||
| + | |||
| + | # no default banner path | ||
| + | Banner /etc/ssh/ssh_banner | ||
| + | |||
| + | # override default of no subsystems | ||
| + | Subsystem sftp /usr/sbin/sftp-server -u 027 -f AUTH -l INFO | ||
| + | |||
| + | # Example of overriding settings on a per-user basis | ||
| + | #Match User anoncvs | ||
| + | # X11Forwarding no | ||
| + | # AllowTcpForwarding no | ||
| + | # PermitTTY no | ||
| + | # ForceCommand cvs server | ||
| + | |||
| + | DenyGroups adm,uucp,mail,printq,invscout,snapp,perf,ipsec,sshd,nobody,smmsp,zabbix,ldap | ||
| + | </code> | ||
| + | |||
| + | ===== NFS ===== | ||
| Start NFS daemon, by default only NFSv4 without RPC | Start NFS daemon, by default only NFSv4 without RPC | ||
aix/aix_secure_os.1756818693.txt.gz ยท Last modified: 2025/09/02 15:11 by manu
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
