# $NetBSD: sshd_config,v 1.28 2022/05/09 15:06:29 nia Exp $
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
#
# Only five directives are active in this file: LoginGraceTime,
# AuthorizedKeysFile, UsePAM, Subsystem and HPNDisabled.  Every other
# option line is commented out and shows the value used when it is unset.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

# For slow CPUs, bumped from 2 minutes to 10
# The value is in seconds.  An unauthenticated connection may stay open
# for this whole period, and such connections count against MaxStartups
# (see below), so on hosts that do not need the extra time a shorter
# value limits how long idle, unauthenticated clients can hold slots.
LoginGraceTime 600
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
# (the path is relative to each user's home directory)
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable password authentication, set this and UsePAM to no
# If UsePAM stays enabled (as it is below), passwords can still be
# accepted through KbdInteractiveAuthentication, so set that option to
# no as well when only key-based logins are intended.
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication settings. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password" (the older spelling
# of that value is "without-password").
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
# If you use xorg from pkgsrc then uncomment the following line.
#XAuthLocation /usr/pkg/bin/xauth
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
# MaxStartups bounds the number of concurrent unauthenticated
# connections; each one can last up to LoginGraceTime.
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Options added by the LDAP public key (LPK) patch.
# Entries in your LDAP must have the posixAccount & ldapPublicKey objectclass.
# Keys returned by the directory authorize logins, so write access to
# these LDAP entries is equivalent to being able to grant SSH access.
# The host names, DNs and password below are example values only.
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN ou=users,dc=phear,dc=org
#LpkGroupDN ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
# LpkBindPw is stored in this file in clear text; if it is set, keep the
# file readable by root only and bind as a read-only, least-privilege DN
# rather than the directory manager.
#LpkBindPw secret
#LpkServerGroup mail
#LpkFilter (hostAccess=master.phear.org)
# NOTE(review): with ldap:// URLs and LpkForceTLS no, the bind password
# and the key lookups presumably cross the network unencrypted; confirm
# against the LPK patch documentation and prefer TLS.
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3
#LpkPubKeyAttr sshPublicKey

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# allow the use of the none cipher
# The none cipher carries session data without encryption; leave this at
# no unless unencrypted bulk transfer is an accepted risk for the data.
#NoneEnabled no

# disable hpn performance boosts.
HPNDisabled yes

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048

# Example of overriding settings on a per-user basis
# A Match block applies to every line up to the next Match or the end of
# the file, so keep Match blocks after all global settings.
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server