sshd_config revision 204917
1204917Sdes# $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $ 299051Sdes# $FreeBSD: head/crypto/openssh/sshd_config 204917 2010-03-09 19:16:43Z des $ 357429Smarkm 498684Sdes# This is the sshd server system-wide configuration file. See 598684Sdes# sshd_config(5) for more information. 676262Sgreen 798941Sdes# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 898941Sdes 992559Sdes# The strategy used for options in the default sshd_config shipped with 1092559Sdes# OpenSSH is to specify options with their default value where 1192559Sdes# possible, but leave them commented. Uncommented options change a 1292559Sdes# default value. 1392559Sdes 1499051Sdes# Note that some of FreeBSD's defaults differ from OpenBSD's, and 1599051Sdes# FreeBSD has a few additional options. 1699051Sdes 17204917Sdes#VersionAddendum FreeBSD-20100308 1899051Sdes 1992559Sdes#Port 22 20147005Sdes#AddressFamily any 2157429Smarkm#ListenAddress 0.0.0.0 2257429Smarkm#ListenAddress :: 2369591Sgreen 24204917Sdes# The default requires explicit activation of protocol 1 25204917Sdes#Protocol 2 26181111Sdes 2792559Sdes# HostKey for protocol version 1 2892559Sdes#HostKey /etc/ssh/ssh_host_key 2992559Sdes# HostKeys for protocol version 2 30181111Sdes#HostKey /etc/ssh/ssh_host_rsa_key 3192559Sdes#HostKey /etc/ssh/ssh_host_dsa_key 3257429Smarkm 3392559Sdes# Lifetime and size of ephemeral version 1 server key 34124211Sdes#KeyRegenerationInterval 1h 35181111Sdes#ServerKeyBits 1024 3692559Sdes 3757429Smarkm# Logging 38149753Sdes# obsoletes QuietMode and FascistLogging 3992559Sdes#SyslogFacility AUTH 4092559Sdes#LogLevel INFO 4157429Smarkm 4292559Sdes# Authentication: 4392559Sdes 44124211Sdes#LoginGraceTime 2m 4599051Sdes#PermitRootLogin no 4692559Sdes#StrictModes yes 47137019Sdes#MaxAuthTries 6 48181111Sdes#MaxSessions 10 4992559Sdes 5092559Sdes#RSAAuthentication yes 5192559Sdes#PubkeyAuthentication yes 5292559Sdes#AuthorizedKeysFile .ssh/authorized_keys 5392559Sdes 5492559Sdes# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 5592559Sdes#RhostsRSAAuthentication no 5676262Sgreen# similar for protocol version 2 5792559Sdes#HostbasedAuthentication no 5892559Sdes# Change to yes if you don't trust ~/.ssh/known_hosts for 5992559Sdes# RhostsRSAAuthentication and HostbasedAuthentication 6092559Sdes#IgnoreUserKnownHosts no 61124211Sdes# Don't read the user's ~/.rhosts and ~/.shosts files 62124211Sdes#IgnoreRhosts yes 6357429Smarkm 64126009Sdes# Change to yes to enable built-in password authentication. 65126009Sdes#PasswordAuthentication no 6692559Sdes#PermitEmptyPasswords no 6776262Sgreen 6899315Sdes# Change to no to disable PAM authentication 6995456Sdes#ChallengeResponseAuthentication yes 7057429Smarkm 7192559Sdes# Kerberos options 7298684Sdes#KerberosAuthentication no 7357429Smarkm#KerberosOrLocalPasswd yes 7492559Sdes#KerberosTicketCleanup yes 75126277Sdes#KerberosGetAFSToken no 7657429Smarkm 77124211Sdes# GSSAPI options 78124211Sdes#GSSAPIAuthentication no 79126277Sdes#GSSAPICleanupCredentials yes 8057429Smarkm 81162856Sdes# Set this to 'no' to disable PAM authentication, account processing, 82137019Sdes# and session processing. If this is enabled, PAM authentication will 83162856Sdes# be allowed through the ChallengeResponseAuthentication and 84162856Sdes# PasswordAuthentication. Depending on your PAM configuration, 85162856Sdes# PAM authentication via ChallengeResponseAuthentication may bypass 86162856Sdes# the setting of "PermitRootLogin without-password". 87162856Sdes# If you just want the PAM account and session checks to run without 88162856Sdes# PAM authentication, then enable this but set PasswordAuthentication 89162856Sdes# and ChallengeResponseAuthentication to 'no'. 90127033Sdes#UsePAM yes 9192559Sdes 92181111Sdes#AllowAgentForwarding yes 93124211Sdes#AllowTcpForwarding yes 94124211Sdes#GatewayPorts no 9599051Sdes#X11Forwarding yes 9692559Sdes#X11DisplayOffset 10 9792559Sdes#X11UseLocalhost yes 9892559Sdes#PrintMotd yes 9992559Sdes#PrintLastLog yes 100126277Sdes#TCPKeepAlive yes 10157429Smarkm#UseLogin no 10298941Sdes#UsePrivilegeSeparation yes 103106130Sdes#PermitUserEnvironment no 104149753Sdes#Compression delayed 105124211Sdes#ClientAliveInterval 0 106124211Sdes#ClientAliveCountMax 3 107124211Sdes#UseDNS yes 108124211Sdes#PidFile /var/run/sshd.pid 109124211Sdes#MaxStartups 10 110157019Sdes#PermitTunnel no 111181111Sdes#ChrootDirectory none 11265674Skris 11392559Sdes# no default banner path 114181111Sdes#Banner none 11576262Sgreen 11692559Sdes# override default of no subsystems 11776262SgreenSubsystem sftp /usr/libexec/sftp-server 118162856Sdes 119162856Sdes# Example of overriding settings on a per-user basis 120162856Sdes#Match User anoncvs 121162856Sdes# X11Forwarding no 122162856Sdes# AllowTcpForwarding no 123162856Sdes# ForceCommand cvs server 124