#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
#	$FreeBSD: src/crypto/openssh/sshd_config,v 1.48 2008/08/01 02:48:36 des Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20080801

#Port 22
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
PermitEmptyPasswords yes

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
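
An added example (not part of the FreeBSD file): a small Python check that applies the rule from the header comment, that only uncommented options change a default, and reports the authentication overrides this file makes. The function names and the `SAMPLE` text are constructed for illustration; the parsing follows sshd_config(5): case-insensitive keywords, the first value obtained for a keyword wins, and directives after a `Match` line are conditional.

```python
import re

# Constructed sample: the uncommented directives of the file above, plus two
# of its commented defaults to show that those are ignored.
SAMPLE = """\
#Port 22
Protocol 2
PermitRootLogin yes
#MaxAuthTries 6
PasswordAuthentication yes
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
Subsystem sftp /usr/libexec/sftp-server
"""

def effective_globals(text):
    """Map lower-cased keyword -> value for directives outside any Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented defaults are not settings
        # keyword and arguments are separated by whitespace or one '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # what follows is conditional, not global
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # sshd keeps the first value obtained
    return settings

def audit(text):
    """Return findings for the authentication overrides this file makes."""
    s = {k: v.lower() for k, v in effective_globals(text).items()}
    findings = []
    if s.get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root can log in directly")
    if s.get("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: password logins accepted")
        if s.get("permitemptypasswords") == "yes":
            findings.append("PermitEmptyPasswords yes: empty passwords accepted")
    if "1" in s.get("protocol", "").split(","):
        findings.append("Protocol lists 1: legacy protocol version 1 enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a live host, `sshd -T` prints the effective configuration after defaults and `Match` processing and is the authoritative check; this parser only reads the file text.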