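# Listener settings. Nesting restored: the listing had lost its indentation, which left
# every key at the top level instead of under its section.
server:
  # Loopback only: nothing off-host can reach the listener with this value.
  # Exposing it on a routable address is a deliberate deployment decision; do that
  # only on a host that is isolated from production systems.
  listen_address: 127.0.0.1:2022
  # Host private key files.
  # If unspecified, null or empty, an RSA, ECDSA and Ed25519 key will be generated and stored.
  # Keep any key files listed here readable only by the account that runs the service.
  host_keys: null
  # Fake internal services for handling direct-tcpip channels (`ssh -L`).
  # If unspecified or null, sensible defaults will be used.
  # If empty, no direct-tcpip channels will be accepted.
  # Keys are port numbers, values name the emulated protocol.
  tcpip_services:
    25: SMTP
    80: HTTP
    110: POP3
    587: SMTP
    8080: HTTP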
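# Logging and metrics settings. Nesting restored: the listing had lost its indentation.
logging:
  # The log file to output activity logs to. Debug and error logs are still written to
  # standard error.
  # If unspecified or null, activity logs are written to standard out.
  # NOTE(review): activity logs presumably include whatever clients submit (for example
  # attempted credentials) - restrict read access to the file and to wherever it is shipped.
  file: null
  # Make activity logs JSON-formatted instead of human readable.
  # Structured output is the easier form to ingest into a log pipeline or SIEM.
  json: false
  # Include timestamps in the logs. Keep enabled so events can be correlated with other sources.
  timestamps: true
  # Log full raw details of all global requests, channels and channel requests.
  # Raw request data is client-controlled: expect higher volume, and treat the output
  # as untrusted input in any downstream parser or viewer.
  debug: false
  # Address to export and serve prometheus metrics on.
  # If unspecified or null, metrics are not served.
  # NOTE(review): no authentication option for this endpoint appears in this file; if it
  # is enabled, bind it to loopback or a management interface - confirm against the docs.
  metrics_address: null
  # When logging in JSON, log addresses as objects including the hostname and the port
  # instead of strings.
  split_host_port: false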
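# Authentication behaviour presented to clients. Nesting restored: the listing had lost its
# indentation, which collapsed the three *_auth sections into duplicate top-level
# `enabled`/`accepted` keys (most parsers silently keep only the last one).
# These are honeypot settings: `accepted: true` means any credential succeeds. Never reuse
# this block as the configuration of a real SSH service.
auth:
  # Allow clients to connect without authenticating.
  no_auth: false
  # The maximum number of authentication attempts permitted per connection.
  # If set to a negative number, the number of attempts is unlimited.
  # If unspecified, null or zero, a sensible default is used.
  max_tries: 0
  password_auth:
    # Offer password authentication as an authentication option.
    enabled: true
    # Accept all passwords.
    # Every password attempt logs in; presumably intentional so that post-login activity
    # can be recorded - confirm this is the posture you want before deploying.
    accepted: true
  public_key_auth:
    # Offer public key authentication as an authentication option.
    enabled: true
    # Accept all public keys.
    accepted: false
  keyboard_interactive_auth:
    # Offer keyboard interactive authentication as an authentication option.
    enabled: false
    # Accept all keyboard interactive answers.
    accepted: false
    # Instruction for the keyboard interactive authentication.
    instruction: Answer these weird questions to log in!
    questions:
      - text: "User: "  # Keyboard interactive authentication question text.
        echo: true  # Enable echoing the answer.
      - text: "Password: "
        echo: false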
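# SSH protocol-level settings. Nesting restored: the listing had lost its indentation.
ssh_proto:
  # The version identification string to announce in the public handshake.
  # If unspecified or null, a reasonable default is used.
  # Note that RFC 4253 section 4.2 requires that this string start with "SSH-2.0-".
  # This value names the honeypot software and is sent to every client before
  # authentication, so the service can be identified from the handshake alone.
  # Whether that is acceptable depends on what the deployment is meant to observe.
  version: SSH-2.0-sshesame
  # Sent to the client after key exchange completed but before authentication.
  # If unspecified or null, a reasonable default is used.
  # If empty, no banner is sent.
  # As written, the banner tells every client that this is a honeypot.
  banner: This is an SSH honeypot. Everything is logged and monitored.
  # The maximum number of bytes sent or received after which a new key is negotiated.
  # It must be at least 256.
  # If unspecified, null or 0, a size suitable for the chosen cipher is used.
  rekey_threshold: 0
  # The allowed key exchange algorithms.
  # If unspecified or null, a default set of algorithms is used.
  key_exchanges: null
  # The allowed cipher algorithms.
  # If unspecified or null, a sensible default is used.
  ciphers: null
  # The allowed MAC algorithms.
  # If unspecified or null, a sensible default is used.
  macs: null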