sshd_config revision 248619
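# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
# $FreeBSD: head/crypto/openssh/sshd_config 248619 2013-03-22 17:55:38Z des $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
# Protocol 1 is cryptographically weak and only of use to legacy clients.
# The protocol-1-only options in this file (the ssh_host_key HostKey,
# KeyRegenerationInterval, ServerKeyBits, RSAAuthentication and
# RhostsRSAAuthentication) have no effect while only protocol 2 is enabled.
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# DSA keys are limited to 1024 bits; prefer the RSA or ECDSA host key
# where the clients support it.
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
# LogLevel VERBOSE additionally records the fingerprint of the public key
# used for each login, which is useful when auditing who used which key.
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

# If AuthorizedKeysCommand is set, the program runs as
# AuthorizedKeysCommandUser; sshd_config(5) recommends a dedicated account
# with no other role on the host, and the program must be owned by root
# and not writable by group or others.
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
# NOTE: "PasswordAuthentication no" alone does not make the server
# key-only. With the defaults shown below (ChallengeResponseAuthentication
# yes, UsePAM yes) passwords are still accepted through PAM. To require
# keys, also set ChallengeResponseAuthentication to no.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

# Agent, TCP and X11 forwarding are all enabled by the defaults shown
# here. Turn off the ones a host does not need; per sshd_config(5),
# disabling forwarding only restricts users who are also denied shell
# access, since others can install their own forwarders.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
# MaxStartups is start:rate:full. Once "start" unauthenticated connections
# are pending, new ones are dropped with probability rate/100, rising
# linearly to 100% at "full". Together with LoginGraceTime and MaxAuthTries
# this bounds the resources spent on unauthenticated clients.
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
# The VersionAddendum string is appended to the protocol banner that is
# sent to every connecting client before authentication.
#VersionAddendum FreeBSD-20130322

# no default banner path
#Banner none

# override default of no subsystems
# This is the only uncommented directive in the file; every other setting
# runs with its compiled-in default.
Subsystem sftp /usr/libexec/sftp-server

# Disable HPN tuning improvements.
#HPNDisabled no

# Buffer size for HPN to non-HPN connections.
#HPNBufferSize 2048

# TCP receive socket buffer polling for HPN. Disable on non autotuning kernels.
#TcpRcvBufPoll yes

# Allow the use of the NONE cipher.
# With the NONE cipher the bulk data stream is sent unencrypted after
# authentication. Leave this at "no" unless the traffic needs no
# confidentiality.
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server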