sshd_config revision 181111
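# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# $FreeBSD: head/crypto/openssh/sshd_config 181111 2008-08-01 02:48:36Z des $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

# NOTE: only two directives in this file are active (uncommented):
# "Protocol 2" and "Subsystem sftp". Every other option line documents
# a default and changes nothing until it is uncommented, so review the
# effective configuration, not just the uncommented lines.

#VersionAddendum FreeBSD-20080801

#Port 22
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# NOTE: with "Protocol 2" enforced, the options documented in
# sshd_config(5) as protocol-1-only (the /etc/ssh/ssh_host_key HostKey,
# KeyRegenerationInterval, ServerKeyBits, RSAAuthentication and
# RhostsRSAAuthentication) have no effect. Leave them commented.

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

# LoginGraceTime and MaxAuthTries bound how long an unauthenticated
# connection may stay open and how many attempts it may make;
# MaxStartups (further down) bounds concurrent unauthenticated
# connections.
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
# NOTE: "PasswordAuthentication no" alone does not make the server
# key-only. With the defaults shown in this file (UsePAM yes and
# ChallengeResponseAuthentication yes) passwords are still accepted
# through PAM. Set ChallengeResponseAuthentication to no as well when
# public-key authentication is meant to be the only method.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

# NOTE: agent, TCP and X11 forwarding are all enabled by the defaults
# shown below. Turn off the ones a host does not need. sshd_config(5)
# points out that disabling forwarding does not stop users who have
# shell access from running their own forwarders, so pair it with
# ForceCommand or a restricted shell where it has to be enforced.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
# Keep PermitUserEnvironment at no: user-controlled environment
# variables can undermine access restrictions in some configurations
# (see sshd_config(5)).
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
# NOTE: a Match block runs until the next Match line or the end of the
# file, so keep Match blocks after all global options.
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
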