Cross Reference: /freebsd-10.0-release/crypto/openssh/sshd_config

137019Sdes#	$OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
99051Sdes#	$FreeBSD: head/crypto/openssh/sshd_config 137019 2004-10-28 16:11:31Z des $
57429Smarkm
98684Sdes# This is the sshd server system-wide configuration file.  See
98684Sdes# sshd_config(5) for more information.
76262Sgreen
98941Sdes# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
98941Sdes
92559Sdes# The strategy used for options in the default sshd_config shipped with
92559Sdes# OpenSSH is to specify options with their default value where
92559Sdes# possible, but leave them commented.  Uncommented options change a
92559Sdes# default value.
92559Sdes
99051Sdes# Note that some of FreeBSD's defaults differ from OpenBSD's, and
99051Sdes# FreeBSD has a few additional options.
99051Sdes
137019Sdes#VersionAddendum FreeBSD-20041028
99051Sdes
92559Sdes#Port 22
126271Sdes#Protocol 2
57429Smarkm#ListenAddress 0.0.0.0
57429Smarkm#ListenAddress ::
69591Sgreen
92559Sdes# HostKey for protocol version 1
92559Sdes#HostKey /etc/ssh/ssh_host_key
92559Sdes# HostKeys for protocol version 2
92559Sdes#HostKey /etc/ssh/ssh_host_dsa_key
57429Smarkm
92559Sdes# Lifetime and size of ephemeral version 1 server key
124211Sdes#KeyRegenerationInterval 1h
92559Sdes#ServerKeyBits 768
92559Sdes
57429Smarkm# Logging
57429Smarkm#obsoletes QuietMode and FascistLogging
92559Sdes#SyslogFacility AUTH
92559Sdes#LogLevel INFO
57429Smarkm
92559Sdes# Authentication:
92559Sdes
124211Sdes#LoginGraceTime 2m
99051Sdes#PermitRootLogin no
92559Sdes#StrictModes yes
137019Sdes#MaxAuthTries 6
92559Sdes
92559Sdes#RSAAuthentication yes
92559Sdes#PubkeyAuthentication yes
92559Sdes#AuthorizedKeysFile	.ssh/authorized_keys
92559Sdes
92559Sdes# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
92559Sdes#RhostsRSAAuthentication no
76262Sgreen# similar for protocol version 2
92559Sdes#HostbasedAuthentication no
92559Sdes# Change to yes if you don't trust ~/.ssh/known_hosts for
92559Sdes# RhostsRSAAuthentication and HostbasedAuthentication
92559Sdes#IgnoreUserKnownHosts no
124211Sdes# Don't read the user's ~/.rhosts and ~/.shosts files
124211Sdes#IgnoreRhosts yes
57429Smarkm
126009Sdes# Change to yes to enable built-in password authentication.
126009Sdes#PasswordAuthentication no
92559Sdes#PermitEmptyPasswords no
76262Sgreen
99315Sdes# Change to no to disable PAM authentication
95456Sdes#ChallengeResponseAuthentication yes
57429Smarkm
92559Sdes# Kerberos options
98684Sdes#KerberosAuthentication no
57429Smarkm#KerberosOrLocalPasswd yes
92559Sdes#KerberosTicketCleanup yes
126277Sdes#KerberosGetAFSToken no
57429Smarkm
124211Sdes# GSSAPI options
124211Sdes#GSSAPIAuthentication no
126277Sdes#GSSAPICleanupCredentials yes
57429Smarkm
137019Sdes# Set this to 'no' to disable PAM authentication, account processing,
137019Sdes# and session processing. If this is enabled, PAM authentication will
137019Sdes# be allowed through the ChallengeResponseAuthentication mechanism.
137019Sdes# Depending on your PAM configuration, this may bypass the setting of
137019Sdes# PasswordAuthentication, PermitEmptyPasswords, and
137019Sdes# "PermitRootLogin without-password". If you just want the PAM account and
137019Sdes# session checks to run without PAM authentication, then enable this but set
137019Sdes# ChallengeResponseAuthentication=no
127033Sdes#UsePAM yes
92559Sdes
124211Sdes#AllowTcpForwarding yes
124211Sdes#GatewayPorts no
99051Sdes#X11Forwarding yes
92559Sdes#X11DisplayOffset 10
92559Sdes#X11UseLocalhost yes
92559Sdes#PrintMotd yes
92559Sdes#PrintLastLog yes
126277Sdes#TCPKeepAlive yes
57429Smarkm#UseLogin no
98941Sdes#UsePrivilegeSeparation yes
106130Sdes#PermitUserEnvironment no
98684Sdes#Compression yes
124211Sdes#ClientAliveInterval 0
124211Sdes#ClientAliveCountMax 3
124211Sdes#UseDNS yes
124211Sdes#PidFile /var/run/sshd.pid
124211Sdes#MaxStartups 10
65674Skris
92559Sdes# no default banner path
92559Sdes#Banner /some/path
76262Sgreen
92559Sdes# override default of no subsystems
76262SgreenSubsystem	sftp	/usr/libexec/sftp-server