1#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
2
3# This is the sshd server system-wide configuration file.  See
4# sshd_config(5) for more information.
5
6# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7
8# The strategy used for options in the default sshd_config shipped with
9# OpenSSH is to specify options with their default value where
10# possible, but leave them commented.  Uncommented options override the
11# default value.
12
13#Port 22
14#AddressFamily any
15#ListenAddress 0.0.0.0
16#ListenAddress ::
17
18#HostKey /etc/ssh/ssh_host_rsa_key
19#HostKey /etc/ssh/ssh_host_ecdsa_key
20#HostKey /etc/ssh/ssh_host_ed25519_key
21
22# Ciphers and keying
23#RekeyLimit default none
24
25# Logging
26#SyslogFacility AUTH
27#LogLevel INFO
28
29# Authentication:
30
31#LoginGraceTime 2m
32#PermitRootLogin prohibit-password
33#StrictModes yes
34#MaxAuthTries 6
35#MaxSessions 10
36
37#PubkeyAuthentication yes
38
39# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
40# but this is overridden so installations will only check .ssh/authorized_keys
41AuthorizedKeysFile	.ssh/authorized_keys
42
43#AuthorizedPrincipalsFile none
44
45#AuthorizedKeysCommand none
46#AuthorizedKeysCommandUser nobody
47
48# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
49#HostbasedAuthentication no
50# Change to yes if you don't trust ~/.ssh/known_hosts for
51# HostbasedAuthentication
52#IgnoreUserKnownHosts no
53# Don't read the user's ~/.rhosts and ~/.shosts files
54#IgnoreRhosts yes
55
56# To disable tunneled clear text passwords, change to no here!
57#PasswordAuthentication yes
58#PermitEmptyPasswords no
59
60# Change to no to disable s/key passwords
61#ChallengeResponseAuthentication yes
62
63# Kerberos options
64#KerberosAuthentication no
65#KerberosOrLocalPasswd yes
66#KerberosTicketCleanup yes
67#KerberosGetAFSToken no
68
69# GSSAPI options
70#GSSAPIAuthentication no
71#GSSAPICleanupCredentials yes
72
73# Set this to 'yes' to enable PAM authentication, account processing,
74# and session processing. If this is enabled, PAM authentication will
75# be allowed through the ChallengeResponseAuthentication and
76# PasswordAuthentication.  Depending on your PAM configuration,
77# PAM authentication via ChallengeResponseAuthentication may bypass
78# the setting of "PermitRootLogin without-password".
79# If you just want the PAM account and session checks to run without
80# PAM authentication, then enable this but set PasswordAuthentication
81# and ChallengeResponseAuthentication to 'no'.
82#UsePAM no
83
84#AllowAgentForwarding yes
85#AllowTcpForwarding yes
86#GatewayPorts no
87#X11Forwarding no
88#X11DisplayOffset 10
89#X11UseLocalhost yes
90#PermitTTY yes
91#PrintMotd yes
92#PrintLastLog yes
93#TCPKeepAlive yes
94#PermitUserEnvironment no
95#Compression delayed
96#ClientAliveInterval 0
97#ClientAliveCountMax 3
98#UseDNS no
99#PidFile /var/run/sshd.pid
100#MaxStartups 10:30:100
101#PermitTunnel no
102#ChrootDirectory none
103#VersionAddendum none
104
105# no default banner path
106#Banner none
107
108# override default of no subsystems
109Subsystem	sftp	/usr/libexec/sftp-server
110
111# Example of overriding settings on a per-user basis
112#Match User anoncvs
113#	X11Forwarding no
114#	AllowTcpForwarding no
115#	PermitTTY no
116#	ForceCommand cvs server
117