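#	$NetBSD: sshd_config,v 1.28 2022/05/09 15:06:29 nia Exp $
#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

# For slow CPUs, bumped from 2 minutes to 10.
# An unauthenticated connection can therefore stay open for up to 600
# seconds, and each one counts against MaxStartups (below) for that long.
# On hardware that does not need the extra time, a shorter value frees
# those slots sooner.
LoginGraceTime 600
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable password authentication, set this and UsePAM to no.
# If UsePAM has to stay enabled (for the PAM account and session checks),
# set both PasswordAuthentication and KbdInteractiveAuthentication to no
# instead; otherwise PAM can still ask for a password through
# keyboard-interactive authentication.
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords.  With UsePAM enabled this method
# also carries PAM authentication (see the UsePAM notes below).
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication settings.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password" (formerly spelled
# "without-password").
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
# As shipped, UsePAM is on and both of those settings are left at their
# default of yes, so password logins through PAM are accepted.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
# If you use xorg from pkgsrc then uncomment the following line.
#XAuthLocation /usr/pkg/bin/xauth
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
# The values below are examples only.  LpkBindPw holds the LDAP bind
# password in cleartext: if you set it, restrict read access to this file.
# cn=Manager is typically the directory administrator, so a bind account
# that can only read the key attribute is the safer choice.
# The example servers use ldap:// with LpkForceTLS no, which leaves the
# bind password and the returned public keys unprotected on the network;
# enabling LpkForceTLS is the safer setting.
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN   ou=users,dc=phear,dc=org
#LpkGroupDN  ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkFilter (hostAccess=master.phear.org)
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3
#LpkPubKeyAttr sshPublicKey

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# allow the use of the none cipher
# With the none cipher the session data is not encrypted; keep this at no
# unless the traffic needs no confidentiality.
#NoneEnabled no

# disable hpn performance boosts.
HPNDisabled yes

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048

# Example of overriding settings on a per-user basis
# A Match block applies until the next Match line or the end of the file,
# so keep Match blocks after all global settings.
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
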