sshd_config revision 262566
1174921Srwatson# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ 2174921Srwatson# $FreeBSD: stable/10/crypto/openssh/sshd_config 262566 2014-02-27 17:29:02Z des $ 3174921Srwatson 4174921Srwatson# This is the sshd server system-wide configuration file. See 5174921Srwatson# sshd_config(5) for more information. 6174921Srwatson 7174921Srwatson# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 8174921Srwatson 9174921Srwatson# The strategy used for options in the default sshd_config shipped with 10174921Srwatson# OpenSSH is to specify options with their default value where 11174921Srwatson# possible, but leave them commented. Uncommented options override the 12174921Srwatson# default value. 13174921Srwatson 14174921Srwatson# Note that some of FreeBSD's defaults differ from OpenBSD's, and 15174921Srwatson# FreeBSD has a few additional options. 16174921Srwatson 17174921Srwatson#Port 22 18174921Srwatson#AddressFamily any 19174921Srwatson#ListenAddress 0.0.0.0 20174921Srwatson#ListenAddress :: 21174921Srwatson 22174921Srwatson# The default requires explicit activation of protocol 1 23174921Srwatson#Protocol 2 24174921Srwatson 25174921Srwatson# HostKey for protocol version 1 26174921Srwatson#HostKey /etc/ssh/ssh_host_key 27174921Srwatson# HostKeys for protocol version 2 28175199Srwatson#HostKey /etc/ssh/ssh_host_rsa_key 29175199Srwatson#HostKey /etc/ssh/ssh_host_dsa_key 30175199Srwatson#HostKey /etc/ssh/ssh_host_ecdsa_key 31175199Srwatson#HostKey /etc/ssh/ssh_host_ed25519_key 32175199Srwatson 33175199Srwatson# Lifetime and size of ephemeral version 1 server key 34174921Srwatson#KeyRegenerationInterval 1h 35174921Srwatson#ServerKeyBits 1024 36174921Srwatson 37174921Srwatson# Ciphers and keying 38174921Srwatson#RekeyLimit default none 39174921Srwatson 40174921Srwatson# Logging 41174921Srwatson# obsoletes QuietMode and FascistLogging 42174921Srwatson#SyslogFacility AUTH 43174921Srwatson#LogLevel INFO 44174921Srwatson 45174921Srwatson# Authentication: 46174921Srwatson 47174921Srwatson#LoginGraceTime 2m 48174921Srwatson#PermitRootLogin no 49175199Srwatson#StrictModes yes 50175199Srwatson#MaxAuthTries 6 51174921Srwatson#MaxSessions 10 52174921Srwatson 53174921Srwatson#RSAAuthentication yes 54174921Srwatson#PubkeyAuthentication yes 55174921Srwatson 56174921Srwatson# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 57174921Srwatson#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 58174921Srwatson 59174921Srwatson#AuthorizedPrincipalsFile none 60174921Srwatson 61174921Srwatson#AuthorizedKeysCommand none 62174921Srwatson#AuthorizedKeysCommandUser nobody 63174921Srwatson 64242424Salfred# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 65242424Salfred#RhostsRSAAuthentication no 66174921Srwatson# similar for protocol version 2 67174921Srwatson#HostbasedAuthentication no 68174921Srwatson# Change to yes if you don't trust ~/.ssh/known_hosts for 69174921Srwatson# RhostsRSAAuthentication and HostbasedAuthentication 70174921Srwatson#IgnoreUserKnownHosts no 71174921Srwatson# Don't read the user's ~/.rhosts and ~/.shosts files 72174921Srwatson#IgnoreRhosts yes 73174921Srwatson 74174921Srwatson# Change to yes to enable built-in password authentication. 75174921Srwatson#PasswordAuthentication no 76174921Srwatson#PermitEmptyPasswords no 77174921Srwatson 78174921Srwatson# Change to no to disable PAM authentication 79174921Srwatson#ChallengeResponseAuthentication yes 80174921Srwatson 81174921Srwatson# Kerberos options 82174921Srwatson#KerberosAuthentication no 83174921Srwatson#KerberosOrLocalPasswd yes 84174921Srwatson#KerberosTicketCleanup yes 85174921Srwatson#KerberosGetAFSToken no 86174921Srwatson 87174921Srwatson# GSSAPI options 88174921Srwatson#GSSAPIAuthentication no 89174921Srwatson#GSSAPICleanupCredentials yes 90174921Srwatson 91174921Srwatson# Set this to 'no' to disable PAM authentication, account processing, 92174921Srwatson# and session processing. If this is enabled, PAM authentication will 93174921Srwatson# be allowed through the ChallengeResponseAuthentication and 94174921Srwatson# PasswordAuthentication. Depending on your PAM configuration, 95174921Srwatson# PAM authentication via ChallengeResponseAuthentication may bypass 96174921Srwatson# the setting of "PermitRootLogin without-password". 97174921Srwatson# If you just want the PAM account and session checks to run without 98174921Srwatson# PAM authentication, then enable this but set PasswordAuthentication 99174921Srwatson# and ChallengeResponseAuthentication to 'no'. 100174921Srwatson#UsePAM yes 101174921Srwatson 102174921Srwatson#AllowAgentForwarding yes 103174921Srwatson#AllowTcpForwarding yes 104174921Srwatson#GatewayPorts no 105174921Srwatson#X11Forwarding yes 106174921Srwatson#X11DisplayOffset 10 107174921Srwatson#X11UseLocalhost yes 108174921Srwatson#PermitTTY yes 109174921Srwatson#PrintMotd yes 110174921Srwatson#PrintLastLog yes 111174921Srwatson#TCPKeepAlive yes 112174921Srwatson#UseLogin no 113174921Srwatson#UsePrivilegeSeparation sandbox 114174921Srwatson#PermitUserEnvironment no 115174921Srwatson#Compression delayed 116174921Srwatson#ClientAliveInterval 0 117174921Srwatson#ClientAliveCountMax 3 118174921Srwatson#UseDNS yes 119174921Srwatson#PidFile /var/run/sshd.pid 120174921Srwatson#MaxStartups 10:30:100 121174921Srwatson#PermitTunnel no 122174921Srwatson#ChrootDirectory none 123242424Salfred#VersionAddendum FreeBSD-20140130 124242424Salfred 125242424Salfred# no default banner path 126242424Salfred#Banner none 127242424Salfred 128174921Srwatson# override default of no subsystems 129174921SrwatsonSubsystem sftp /usr/libexec/sftp-server 130174921Srwatson 131174921Srwatson# Disable HPN tuning improvements. 132174921Srwatson#HPNDisabled no 133174921Srwatson 134174921Srwatson# Buffer size for HPN to non-HPN connections. 135174921Srwatson#HPNBufferSize 2048 136174921Srwatson 137174921Srwatson# TCP receive socket buffer polling for HPN. Disable on non autotuning kernels. 138174921Srwatson#TcpRcvBufPoll yes 139174921Srwatson 140174921Srwatson# Allow the use of the NONE cipher. 141174921Srwatson#NoneEnabled no 142174921Srwatson 143174921Srwatson# Example of overriding settings on a per-user basis 144174921Srwatson#Match User anoncvs 145174921Srwatson# X11Forwarding no 146174921Srwatson# AllowTcpForwarding no 147174921Srwatson# PermitTTY no 148174921Srwatson# ForceCommand cvs server 149174921Srwatson