sshd_config revision 221420
# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
# $FreeBSD: head/crypto/openssh/sshd_config 221420 2011-05-04 07:34:44Z des $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20110503

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
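
Added example (not part of the FreeBSD file or of OpenSSH): a small audit for the interaction that the UsePAM comment block above warns about. It follows the file's convention that commented options show the default and uncommented ones override it. The function names, the FILE_DEFAULTS table (copied from the commented values in this revision) and the sample input are constructed for illustration.

```python
# Defaults are the commented-out values shown in this revision of sshd_config.
FILE_DEFAULTS = {
    "usepam": "yes",
    "challengeresponseauthentication": "yes",
    "passwordauthentication": "no",
    "permitrootlogin": "no",
}


def effective_settings(text):
    """Global settings after applying uncommented lines over the file defaults."""
    settings = dict(FILE_DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented options only document the default
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional blocks are out of scope for this global check
        if key in settings and key not in seen and len(parts) == 2:
            settings[key] = parts[1].strip()
            seen.add(key)  # sshd uses the first value obtained for a keyword
    return settings


def pam_audit(text):
    """Return (options through which PAM authentication is reachable, root warning)."""
    s = effective_settings(text)
    pam_paths = []
    if s["usepam"] == "yes":
        for key, name in (
            ("challengeresponseauthentication", "ChallengeResponseAuthentication"),
            ("passwordauthentication", "PasswordAuthentication"),
        ):
            if s[key] == "yes":
                pam_paths.append(name)
    # The file warns that PAM via challenge-response may bypass this setting.
    root_bypass = (s["permitrootlogin"] == "without-password"
                   and "ChallengeResponseAuthentication" in pam_paths)
    return pam_paths, root_bypass


# Constructed sample: key-only root login requested, PAM defaults left in place.
SAMPLE = """\
PermitRootLogin without-password
#ChallengeResponseAuthentication yes
#UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
"""

if __name__ == "__main__":
    print(pam_audit(SAMPLE))
```

An empty first element with UsePAM left at yes corresponds to the configuration the comment recommends when only the PAM account and session checks are wanted.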