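# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
# $FreeBSD$

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20061110

#Port 22
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# NOTE(review): this is the one deliberate change to the authentication
# defaults in this file: direct root login is enabled (FreeBSD ships
# "no").  With UsePAM and ChallengeResponseAuthentication left at "yes",
# root can authenticate with a password through PAM.  If root only needs
# key-based access, use "without-password" together with
# "ChallengeResponseAuthentication no" (see the PAM note further down);
# otherwise restrict exposure with ListenAddress or a packet filter.
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server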