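--- a/sshd_config
+++ b/sshd_config
@@ -1,76 +1,40 @@
-# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-Include /etc/ssh/sshd_config.d/*.conf
-
+# sshd still runs as root for chroot functionality, but
+# we listen on a non-privileged port anyway. This matches
+# the recommended port we expose in the helm chart.
 Port 2222
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
 
 # This file is assumed to be mounted to the Docker container
 HostKey /etc/jupyterhub-sftp/config/hostKey
 
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
 # Only allow password auth, BECAUSE WE ARE EVIL HAHA
+# But also because users log in with their jupyterhub tokens
 PubkeyAuthentication no
-
-# To disable tunneled clear text passwords, change to no here!
 PasswordAuthentication yes
+
+# Passwords are jupyterhub Auth tokens, so they can't be empty
 PermitEmptyPasswords no
 
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
+# FIXME: I'm not sure what to do with this one
 ChallengeResponseAuthentication no
 
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# Our custom PAM module (pam_exec) calls jupyterhub-token-verify.py to
+# authenticate with a JupyterHub token.
 UsePAM yes
 
-# We really only want sftp
+# Explicitly turn off all features of sshd we won't use
 AllowAgentForwarding No
 AllowTcpForwarding no
 GatewayPorts no
 X11Forwarding no
 PermitTTY no
 PrintMotd no
 PrintLastLog no
-TCPKeepAlive yes
 PermitUserEnvironment no
 PermitTunnel no
 
-# no default banner path
-#Banner none
+# Use heartbeat packets to terminate 'stuck' connections
+# https://man.openbsd.org/sshd_config#TCPKeepAlive
+TCPKeepAlive yes
 
 # Use the built-in internal-sftp setup, rather than shelling out to sftp-server
 Subsystem sftp internal-sftp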
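Review bot: Nothing in the new file actually confines authenticated sessions to SFTP — the block under `# Explicitly turn off all features of sshd we won't use` denies forwarding and a PTY, but `PermitTTY no` only refuses a terminal, so non-interactive command execution through the user's login shell remains possible unless it is restricted somewhere not shown here (a Match/ChrootDirectory block, or a nologin shell baked into the image). Adding `ForceCommand internal-sftp` beside the Subsystem line closes that in the config itself, and `AllowStreamLocalForwarding no` (or a single `DisableForwarding yes`) would complete the forwarding list, which currently leaves Unix-socket forwarding at its default. With the `#PermitRootLogin prohibit-password` line deleted rather than set, root login now rests on the compiled-in default; given the stated "explicitly turn off" intent, `PermitRootLogin no` would make the decision visible in the file. The FIXME above `ChallengeResponseAuthentication no` can be resolved with a comment such as `# Keep off: PasswordAuthentication + UsePAM already routes the token through PAM, so keyboard-interactive would only add a second path into the same module`. Minor style point: `AllowAgentForwarding No` is the one mixed-case flag value; sshd accepts it, but `no` matches the rest of the file.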