sshd_config revision 226046
1226046Sdes# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $ 299051Sdes# $FreeBSD: head/crypto/openssh/sshd_config 226046 2011-10-05 22:08:17Z des $ 357429Smarkm 498684Sdes# This is the sshd server system-wide configuration file. See 598684Sdes# sshd_config(5) for more information. 676262Sgreen 798941Sdes# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 898941Sdes 992559Sdes# The strategy used for options in the default sshd_config shipped with 1092559Sdes# OpenSSH is to specify options with their default value where 11226046Sdes# possible, but leave them commented. Uncommented options override the 1292559Sdes# default value. 1392559Sdes 1499051Sdes# Note that some of FreeBSD's defaults differ from OpenBSD's, and 1599051Sdes# FreeBSD has a few additional options. 1699051Sdes 17226046Sdes#VersionAddendum FreeBSD-20111001 1899051Sdes 1992559Sdes#Port 22 20147005Sdes#AddressFamily any 2157429Smarkm#ListenAddress 0.0.0.0 2257429Smarkm#ListenAddress :: 2369591Sgreen 24204917Sdes# The default requires explicit activation of protocol 1 25204917Sdes#Protocol 2 26181111Sdes 2792559Sdes# HostKey for protocol version 1 2892559Sdes#HostKey /etc/ssh/ssh_host_key 2992559Sdes# HostKeys for protocol version 2 30181111Sdes#HostKey /etc/ssh/ssh_host_rsa_key 3192559Sdes#HostKey /etc/ssh/ssh_host_dsa_key 32221420Sdes#HostKey /etc/ssh/ssh_host_ecdsa_key 3357429Smarkm 3492559Sdes# Lifetime and size of ephemeral version 1 server key 35124211Sdes#KeyRegenerationInterval 1h 36181111Sdes#ServerKeyBits 1024 3792559Sdes 3857429Smarkm# Logging 39149753Sdes# obsoletes QuietMode and FascistLogging 4092559Sdes#SyslogFacility AUTH 4192559Sdes#LogLevel INFO 4257429Smarkm 4392559Sdes# Authentication: 4492559Sdes 45124211Sdes#LoginGraceTime 2m 4699051Sdes#PermitRootLogin no 4792559Sdes#StrictModes yes 48137019Sdes#MaxAuthTries 6 49181111Sdes#MaxSessions 10 5092559Sdes 5192559Sdes#RSAAuthentication yes 5292559Sdes#PubkeyAuthentication yes 5392559Sdes 54226046Sdes# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 55226046Sdes# but this is overridden so installations will only check .ssh/authorized_keys 56226046SdesAuthorizedKeysFile .ssh/authorized_keys 57226046Sdes 5892559Sdes# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 5992559Sdes#RhostsRSAAuthentication no 6076262Sgreen# similar for protocol version 2 6192559Sdes#HostbasedAuthentication no 6292559Sdes# Change to yes if you don't trust ~/.ssh/known_hosts for 6392559Sdes# RhostsRSAAuthentication and HostbasedAuthentication 6492559Sdes#IgnoreUserKnownHosts no 65124211Sdes# Don't read the user's ~/.rhosts and ~/.shosts files 66124211Sdes#IgnoreRhosts yes 6757429Smarkm 68126009Sdes# Change to yes to enable built-in password authentication. 69126009Sdes#PasswordAuthentication no 7092559Sdes#PermitEmptyPasswords no 7176262Sgreen 7299315Sdes# Change to no to disable PAM authentication 7395456Sdes#ChallengeResponseAuthentication yes 7457429Smarkm 7592559Sdes# Kerberos options 7698684Sdes#KerberosAuthentication no 7757429Smarkm#KerberosOrLocalPasswd yes 7892559Sdes#KerberosTicketCleanup yes 79126277Sdes#KerberosGetAFSToken no 8057429Smarkm 81124211Sdes# GSSAPI options 82124211Sdes#GSSAPIAuthentication no 83126277Sdes#GSSAPICleanupCredentials yes 8457429Smarkm 85162856Sdes# Set this to 'no' to disable PAM authentication, account processing, 86137019Sdes# and session processing. If this is enabled, PAM authentication will 87162856Sdes# be allowed through the ChallengeResponseAuthentication and 88162856Sdes# PasswordAuthentication. Depending on your PAM configuration, 89162856Sdes# PAM authentication via ChallengeResponseAuthentication may bypass 90162856Sdes# the setting of "PermitRootLogin without-password". 91162856Sdes# If you just want the PAM account and session checks to run without 92162856Sdes# PAM authentication, then enable this but set PasswordAuthentication 93162856Sdes# and ChallengeResponseAuthentication to 'no'. 94127033Sdes#UsePAM yes 9592559Sdes 96181111Sdes#AllowAgentForwarding yes 97124211Sdes#AllowTcpForwarding yes 98124211Sdes#GatewayPorts no 9999051Sdes#X11Forwarding yes 10092559Sdes#X11DisplayOffset 10 10192559Sdes#X11UseLocalhost yes 10292559Sdes#PrintMotd yes 10392559Sdes#PrintLastLog yes 104126277Sdes#TCPKeepAlive yes 10557429Smarkm#UseLogin no 10698941Sdes#UsePrivilegeSeparation yes 107106130Sdes#PermitUserEnvironment no 108149753Sdes#Compression delayed 109124211Sdes#ClientAliveInterval 0 110124211Sdes#ClientAliveCountMax 3 111124211Sdes#UseDNS yes 112124211Sdes#PidFile /var/run/sshd.pid 113124211Sdes#MaxStartups 10 114157019Sdes#PermitTunnel no 115181111Sdes#ChrootDirectory none 11665674Skris 11792559Sdes# no default banner path 118181111Sdes#Banner none 11976262Sgreen 12092559Sdes# override default of no subsystems 12176262SgreenSubsystem sftp /usr/libexec/sftp-server 122162856Sdes 123224638Sbrooks# Disable HPN tuning improvements. 124224638Sbrooks#HPNDisabled no 125224638Sbrooks 126224638Sbrooks# Buffer size for HPN to non-HPN connections. 127224638Sbrooks#HPNBufferSize 2048 128224638Sbrooks 129224638Sbrooks# TCP receive socket buffer polling for HPN. Disable on non autotuning kernels. 130224638Sbrooks#TcpRcvBufPoll yes 131224638Sbrooks 132224638Sbrooks# Allow the use of the NONE cipher. 133224638Sbrooks#NoneEnabled no 134224638Sbrooks 135162856Sdes# Example of overriding settings on a per-user basis 136162856Sdes#Match User anoncvs 137162856Sdes# X11Forwarding no 138162856Sdes# AllowTcpForwarding no 139162856Sdes# ForceCommand cvs server 140