Appendix: Configuration Files
This section contains examples of server and client configuration files.
Server Configuration Files
This section contains examples of server configuration files that you can use in your environment.
DMZ-Bastion Host Server
The following is an example of the DMZ-bastion host server Secure Shell configuration file:
    # Protocol and server operation
    Compression yes
    KeepAlive yes
    MaxStartups 10
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    Protocol 2
    Port 22

    # If using OpenSSH
    UseLogin no
    UsePrivilegeSeparation no

    # Authentication
    # Only allow public key based authentication. No passwords.
    DSAAuthentication yes
    LoginGraceTime 60
    PAMAuthenticationViaKBDInt yes
    PasswordAuthentication no
    PermitEmptyPasswords no
    PermitRootLogin no
    PubKeyAuthentication yes

    # User environment
    AllowTCPForwarding no
    Banner /etc/issue
    CheckMail no
    GatewayPorts no
    PrintMotd no
    StrictModes yes
    X11Forwarding no
Legacy Support
The following is an example of the Secure Shell server configuration file with legacy support.
    # Protocol and server operation
    Compression yes
    KeepAlive yes
    MaxStartups 10
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    # Enable protocol 1 but default to protocol 2.
    Protocol 2,1
    Port 22

    # If using OpenSSH
    UseLogin no
    UsePrivilegeSeparation no

    # Authentication
    DSAAuthentication yes
    LoginGraceTime 60
    PAMAuthenticationViaKBDInt yes
    PasswordAuthentication yes
    PermitEmptyPasswords no
    PermitRootLogin no
    PubKeyAuthentication yes

    # User environment
    AllowTCPForwarding yes
    Banner /etc/issue
    CheckMail no
    GatewayPorts no
    PrintMotd no
    StrictModes yes
    X11DisplayOffset 10
    X11Forwarding yes
    XAuthLocation /usr/X/bin/xauth

    # Legacy support options - protocol 1
    HostKey /etc/ssh/ssh_host_key
    IgnoreRhosts yes
    IgnoreUserKnownHosts yes
    KeyRegenerationInterval 1800
    RhostsAuthentication no
    RhostsRSAAuthentication no
Workstation Server
The following is an example of the Secure Shell workstation server configuration file:
    # Protocol and server operation
    Compression yes
    KeepAlive yes
    MaxStartups 10
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    Protocol 2
    Port 22

    # If using OpenSSH
    UseLogin no
    UsePrivilegeSeparation no

    # Authentication
    DSAAuthentication yes
    LoginGraceTime 60
    PAMAuthenticationViaKBDInt yes
    PasswordAuthentication yes
    PermitEmptyPasswords no
    PermitRootLogin no
    PubKeyAuthentication yes

    # User environment
    AllowTCPForwarding yes
    Banner /etc/issue
    CheckMail no
    GatewayPorts no
    PrintMotd no
    StrictModes yes
    X11DisplayOffset 10
    X11Forwarding yes
    XAuthLocation /usr/X/bin/xauth
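The three server files above differ mainly in a handful of security-relevant directives, and a server file can be checked mechanically against the DMZ-bastion settings. The following Python is an added example, not part of the original document; the function names and the choice of baseline directives are assumptions made here, and the parser handles only plain "Keyword value" lines.

```python
# Added example (not from the original page): audit sshd_config text against the bastion settings.
# Security-relevant directives copied from the DMZ-bastion example on this page.
BASTION_BASELINE = {
    "protocol": "2",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "allowtcpforwarding": "no",
    "gatewayports": "no",
    "x11forwarding": "no",
    "strictmodes": "yes",
}

# Constructed sample: an excerpt of the page's legacy-support server file.
LEGACY_SAMPLE = """\
# Enable protocol 1 but default to protocol 2.
Protocol 2,1
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PubKeyAuthentication yes
AllowTCPForwarding yes
GatewayPorts no
StrictModes yes
X11Forwarding yes
"""

def parse_sshd_config(text):
    """Map lower-cased keyword -> list of values in file order (HostKey may repeat)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and full-line comments
        keyword, *rest = line.split(None, 1)
        settings.setdefault(keyword.lower(), []).append(rest[0].strip() if rest else "")
    return settings

def audit(text, baseline=BASTION_BASELINE):
    """Return sorted (keyword, found, expected) for every deviation from baseline.
    Only a keyword's first value is compared; a missing keyword shows as "<unset>"."""
    settings = parse_sshd_config(text)
    found = {k: settings.get(k, ["<unset>"])[0].lower() for k in baseline}
    return sorted((k, found[k], v) for k, v in baseline.items() if found[k] != v)

if __name__ == "__main__":
    for keyword, got, want in audit(LEGACY_SAMPLE):
        print(f"{keyword}: found {got!r}, bastion profile expects {want!r}")
```

Reporting a missing keyword as "<unset>" rather than assuming the daemon's default keeps the check independent of which Secure Shell implementation and version reads the file.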
Client Configurations
This section contains examples of the client configuration files for remote workers and client workstations.
Remote Worker Configuration File
The following is an example of the Secure Shell user configuration file for remote workers.
    # nickname for bastion host
    Host work
    Hostname dmz.someplace.com
    Port 2929
    User max

    # Defaults - must login via an identity key using only protocol 2.
    Host *
    CheckHostIP yes
    Compression yes
    CompressionLevel 9
    ConnectionAttempts 3
    DSAAuthentication yes
    FallBackToRsh no
    ForwardAgent no
    ForwardX11 yes
    GatewayPorts no
    KeepAlive yes
    LocalForward 8080 intranet.extremefoosticks.com:80
    PasswordAuthentication no
    Protocol 2
    PubkeyAuthentication yes
    RhostsAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication no
    StrictHostKeyChecking yes
    UsePrivilegedPort no
    UseRsh no
    XAuthLocation /usr/X/bin/xauth
Workstation Configuration File
The following is an example of the Secure Shell user configuration file for a workstation.
    # nickname for remote server
    Host server
    HostName server.faroff.corp

    # remote host needing a network proxy to access.
    Host remote
    HostName remote.otherplace.org
    User pablo
    ProxyCommand /usr/lib/ssh/ssh-socks5-proxy-connect -h socks.server -p 1080 remote.otherplace.org 22

    # Defaults
    Host *
    CheckHostIP yes
    Compression yes
    CompressionLevel 6
    FallBackToRsh no
    ForwardAgent no
    ForwardX11 yes
    GatewayPorts no
    KeepAlive yes
    PasswordAuthentication yes
    Protocol 2
    StrictHostKeyChecking ask
    UseRsh no
    XAuthLocation /usr/X/bin/xauth