sshd_config revision 264692
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# $FreeBSD: stable/10/crypto/openssh/sshd_config 264692 2014-04-20 12:46:18Z des $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum FreeBSD-20140420

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Disable HPN tuning improvements.
#HPNDisabled no

# Buffer size for HPN to non-HPN connections.
#HPNBufferSize 2048

# TCP receive socket buffer polling for HPN. Disable on non autotuning kernels.
#TcpRcvBufPoll yes

# Allow the use of the NONE cipher.
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
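
The UsePAM comment in this file warns that PAM authentication via ChallengeResponseAuthentication may bypass "PermitRootLogin without-password". The following Python check is an added example, not part of the FreeBSD file: it resolves the effective global settings (commented defaults as shown in this file, overridden by uncommented lines) and reports that case. The function names, finding labels and sample configs are constructed for illustration; Match blocks and `key=value` syntax are not handled.

```python
# Added example, not part of the FreeBSD sshd_config.
# Defaults are the commented values shown in the file above.
DEFAULTS = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
}

def effective_settings(config_text):
    """Global-section values: defaults overridden by uncommented lines."""
    settings, seen = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # a commented option only documents the default
        key = fields[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # Match blocks are outside the scope of this check
        if key in settings and key not in seen and len(fields) > 1:
            settings[key] = fields[1].lower()  # sshd keeps the first value
            seen.add(key)
    return settings

def pam_findings(config_text):
    """Labels (hypothetical names) for the PAM cases the comment describes."""
    s = effective_settings(config_text)
    if s["usepam"] != "yes":
        return []
    pam_auth = [k for k in ("challengeresponseauthentication",
                            "passwordauthentication") if s[k] == "yes"]
    findings = []
    if (s["permitrootlogin"] == "without-password"
            and "challengeresponseauthentication" in pam_auth):
        findings.append("root-login-may-bypass-without-password")
    if not pam_auth:
        findings.append("pam-account-and-session-only")
    return findings

# Constructed sample configs.
RISKY = "PermitRootLogin without-password\n#ChallengeResponseAuthentication no\n"
ACCOUNT_ONLY = ("PermitRootLogin without-password\nPasswordAuthentication no\n"
                "ChallengeResponseAuthentication no\nUsePAM yes\n")

if __name__ == "__main__":
    for name, text in (("RISKY", RISKY), ("ACCOUNT_ONLY", ACCOUNT_ONLY)):
        print(name, pam_findings(text))
```

In the RISKY sample the ChallengeResponseAuthentication line is commented out, so the file's default of yes still applies and the finding is raised.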