1# $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $ 2# $FreeBSD: head/crypto/openssh/sshd_config 215116 2010-11-11 11:46:19Z des $
| 1# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ 2# $FreeBSD: head/crypto/openssh/sshd_config 221420 2011-05-04 07:34:44Z des $
|
3 4# This is the sshd server system-wide configuration file. See 5# sshd_config(5) for more information. 6 7# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 8 9# The strategy used for options in the default sshd_config shipped with 10# OpenSSH is to specify options with their default value where 11# possible, but leave them commented. Uncommented options change a 12# default value. 13 14# Note that some of FreeBSD's defaults differ from OpenBSD's, and 15# FreeBSD has a few additional options. 16
| 3 4# This is the sshd server system-wide configuration file. See 5# sshd_config(5) for more information. 6 7# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 8 9# The strategy used for options in the default sshd_config shipped with 10# OpenSSH is to specify options with their default value where 11# possible, but leave them commented. Uncommented options change a 12# default value. 13 14# Note that some of FreeBSD's defaults differ from OpenBSD's, and 15# FreeBSD has a few additional options. 16
|
17#VersionAddendum FreeBSD-20101111
| 17#VersionAddendum FreeBSD-20110503
|
18 19#Port 22 20#AddressFamily any 21#ListenAddress 0.0.0.0 22#ListenAddress :: 23 24# The default requires explicit activation of protocol 1 25#Protocol 2 26 27# HostKey for protocol version 1 28#HostKey /etc/ssh/ssh_host_key 29# HostKeys for protocol version 2 30#HostKey /etc/ssh/ssh_host_rsa_key 31#HostKey /etc/ssh/ssh_host_dsa_key
| 18 19#Port 22 20#AddressFamily any 21#ListenAddress 0.0.0.0 22#ListenAddress :: 23 24# The default requires explicit activation of protocol 1 25#Protocol 2 26 27# HostKey for protocol version 1 28#HostKey /etc/ssh/ssh_host_key 29# HostKeys for protocol version 2 30#HostKey /etc/ssh/ssh_host_rsa_key 31#HostKey /etc/ssh/ssh_host_dsa_key
|
| 32#HostKey /etc/ssh/ssh_host_ecdsa_key
|
32 33# Lifetime and size of ephemeral version 1 server key 34#KeyRegenerationInterval 1h 35#ServerKeyBits 1024 36 37# Logging 38# obsoletes QuietMode and FascistLogging 39#SyslogFacility AUTH 40#LogLevel INFO 41 42# Authentication: 43 44#LoginGraceTime 2m 45#PermitRootLogin no 46#StrictModes yes 47#MaxAuthTries 6 48#MaxSessions 10 49 50#RSAAuthentication yes 51#PubkeyAuthentication yes 52#AuthorizedKeysFile .ssh/authorized_keys 53 54# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 55#RhostsRSAAuthentication no 56# similar for protocol version 2 57#HostbasedAuthentication no 58# Change to yes if you don't trust ~/.ssh/known_hosts for 59# RhostsRSAAuthentication and HostbasedAuthentication 60#IgnoreUserKnownHosts no 61# Don't read the user's ~/.rhosts and ~/.shosts files 62#IgnoreRhosts yes 63 64# Change to yes to enable built-in password authentication. 65#PasswordAuthentication no 66#PermitEmptyPasswords no 67 68# Change to no to disable PAM authentication 69#ChallengeResponseAuthentication yes 70 71# Kerberos options 72#KerberosAuthentication no 73#KerberosOrLocalPasswd yes 74#KerberosTicketCleanup yes 75#KerberosGetAFSToken no 76 77# GSSAPI options 78#GSSAPIAuthentication no 79#GSSAPICleanupCredentials yes 80 81# Set this to 'no' to disable PAM authentication, account processing, 82# and session processing. If this is enabled, PAM authentication will 83# be allowed through the ChallengeResponseAuthentication and 84# PasswordAuthentication. Depending on your PAM configuration, 85# PAM authentication via ChallengeResponseAuthentication may bypass 86# the setting of "PermitRootLogin without-password". 87# If you just want the PAM account and session checks to run without 88# PAM authentication, then enable this but set PasswordAuthentication 89# and ChallengeResponseAuthentication to 'no'. 90#UsePAM yes 91 92#AllowAgentForwarding yes 93#AllowTcpForwarding yes 94#GatewayPorts no 95#X11Forwarding yes 96#X11DisplayOffset 10 97#X11UseLocalhost yes 98#PrintMotd yes 99#PrintLastLog yes 100#TCPKeepAlive yes 101#UseLogin no 102#UsePrivilegeSeparation yes 103#PermitUserEnvironment no 104#Compression delayed 105#ClientAliveInterval 0 106#ClientAliveCountMax 3 107#UseDNS yes 108#PidFile /var/run/sshd.pid 109#MaxStartups 10 110#PermitTunnel no 111#ChrootDirectory none 112 113# no default banner path 114#Banner none 115 116# override default of no subsystems 117Subsystem sftp /usr/libexec/sftp-server 118 119# Example of overriding settings on a per-user basis 120#Match User anoncvs 121# X11Forwarding no 122# AllowTcpForwarding no 123# ForceCommand cvs server
| 33 34# Lifetime and size of ephemeral version 1 server key 35#KeyRegenerationInterval 1h 36#ServerKeyBits 1024 37 38# Logging 39# obsoletes QuietMode and FascistLogging 40#SyslogFacility AUTH 41#LogLevel INFO 42 43# Authentication: 44 45#LoginGraceTime 2m 46#PermitRootLogin no 47#StrictModes yes 48#MaxAuthTries 6 49#MaxSessions 10 50 51#RSAAuthentication yes 52#PubkeyAuthentication yes 53#AuthorizedKeysFile .ssh/authorized_keys 54 55# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 56#RhostsRSAAuthentication no 57# similar for protocol version 2 58#HostbasedAuthentication no 59# Change to yes if you don't trust ~/.ssh/known_hosts for 60# RhostsRSAAuthentication and HostbasedAuthentication 61#IgnoreUserKnownHosts no 62# Don't read the user's ~/.rhosts and ~/.shosts files 63#IgnoreRhosts yes 64 65# Change to yes to enable built-in password authentication. 66#PasswordAuthentication no 67#PermitEmptyPasswords no 68 69# Change to no to disable PAM authentication 70#ChallengeResponseAuthentication yes 71 72# Kerberos options 73#KerberosAuthentication no 74#KerberosOrLocalPasswd yes 75#KerberosTicketCleanup yes 76#KerberosGetAFSToken no 77 78# GSSAPI options 79#GSSAPIAuthentication no 80#GSSAPICleanupCredentials yes 81 82# Set this to 'no' to disable PAM authentication, account processing, 83# and session processing. If this is enabled, PAM authentication will 84# be allowed through the ChallengeResponseAuthentication and 85# PasswordAuthentication. Depending on your PAM configuration, 86# PAM authentication via ChallengeResponseAuthentication may bypass 87# the setting of "PermitRootLogin without-password". 88# If you just want the PAM account and session checks to run without 89# PAM authentication, then enable this but set PasswordAuthentication 90# and ChallengeResponseAuthentication to 'no'. 91#UsePAM yes 92 93#AllowAgentForwarding yes 94#AllowTcpForwarding yes 95#GatewayPorts no 96#X11Forwarding yes 97#X11DisplayOffset 10 98#X11UseLocalhost yes 99#PrintMotd yes 100#PrintLastLog yes 101#TCPKeepAlive yes 102#UseLogin no 103#UsePrivilegeSeparation yes 104#PermitUserEnvironment no 105#Compression delayed 106#ClientAliveInterval 0 107#ClientAliveCountMax 3 108#UseDNS yes 109#PidFile /var/run/sshd.pid 110#MaxStartups 10 111#PermitTunnel no 112#ChrootDirectory none 113 114# no default banner path 115#Banner none 116 117# override default of no subsystems 118Subsystem sftp /usr/libexec/sftp-server 119 120# Example of overriding settings on a per-user basis 121#Match User anoncvs 122# X11Forwarding no 123# AllowTcpForwarding no 124# ForceCommand cvs server
|