1#	$OpenBSD: sshd_config,v 1.94 2015/02/02 01:57:44 deraadt Exp $
2
3# This is the sshd server system-wide configuration file.  See
4# sshd_config(5) for more information.
5
6# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7
8# The strategy used for options in the default sshd_config shipped with
9# OpenSSH is to specify options with their default value where
10# possible, but leave them commented.  Uncommented options override the
11# default value.
12
13#Port 22
14#AddressFamily any
15#ListenAddress 0.0.0.0
16#ListenAddress ::
17
18# The default requires explicit activation of protocol 1
19#Protocol 2
20
21# HostKey for protocol version 1
22#HostKey /etc/ssh/ssh_host_key
23# HostKeys for protocol version 2
24#HostKey /etc/ssh/ssh_host_rsa_key
25#HostKey /etc/ssh/ssh_host_dsa_key
26#HostKey /etc/ssh/ssh_host_ecdsa_key
27#HostKey /etc/ssh/ssh_host_ed25519_key
28
29# Lifetime and size of ephemeral version 1 server key
30#KeyRegenerationInterval 1h
31#ServerKeyBits 1024
32
33# Ciphers and keying
34#RekeyLimit default none
35
36# Logging
37# obsoletes QuietMode and FascistLogging
38#SyslogFacility AUTH
39#LogLevel INFO
40
41# Authentication:
42
43#LoginGraceTime 2m
44#PermitRootLogin yes
45#StrictModes yes
46#MaxAuthTries 6
47#MaxSessions 10
48
49#RSAAuthentication yes
50#PubkeyAuthentication yes
51
52# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
53# but this is overridden so installations will only check .ssh/authorized_keys
54AuthorizedKeysFile	.ssh/authorized_keys
55
56#AuthorizedPrincipalsFile none
57
58#AuthorizedKeysCommand none
59#AuthorizedKeysCommandUser nobody
60
61# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
62#RhostsRSAAuthentication no
63# similar for protocol version 2
64#HostbasedAuthentication no
65# Change to yes if you don't trust ~/.ssh/known_hosts for
66# RhostsRSAAuthentication and HostbasedAuthentication
67#IgnoreUserKnownHosts no
68# Don't read the user's ~/.rhosts and ~/.shosts files
69#IgnoreRhosts yes
70
71# To disable tunneled clear text passwords, change to no here!
72#PasswordAuthentication yes
73#PermitEmptyPasswords no
74
75# Change to no to disable s/key passwords
76#ChallengeResponseAuthentication yes
77
78# Kerberos options
79#KerberosAuthentication no
80#KerberosOrLocalPasswd yes
81#KerberosTicketCleanup yes
82#KerberosGetAFSToken no
83
84# GSSAPI options
85#GSSAPIAuthentication no
86#GSSAPICleanupCredentials yes
87
88# Set this to 'yes' to enable PAM authentication, account processing,
89# and session processing. If this is enabled, PAM authentication will
90# be allowed through the ChallengeResponseAuthentication and
91# PasswordAuthentication.  Depending on your PAM configuration,
92# PAM authentication via ChallengeResponseAuthentication may bypass
93# the setting of "PermitRootLogin without-password".
94# If you just want the PAM account and session checks to run without
95# PAM authentication, then enable this but set PasswordAuthentication
96# and ChallengeResponseAuthentication to 'no'.
97#UsePAM no
98
99#AllowAgentForwarding yes
100#AllowTcpForwarding yes
101#GatewayPorts no
102#X11Forwarding no
103#X11DisplayOffset 10
104#X11UseLocalhost yes
105#PermitTTY yes
106#PrintMotd yes
107#PrintLastLog yes
108#TCPKeepAlive yes
109#UseLogin no
110UsePrivilegeSeparation sandbox		# Default for new installations.
111#PermitUserEnvironment no
112#Compression delayed
113#ClientAliveInterval 0
114#ClientAliveCountMax 3
115#UseDNS no
116#PidFile /var/run/sshd.pid
117#MaxStartups 10:30:100
118#PermitTunnel no
119#ChrootDirectory none
120#VersionAddendum none
121
122# no default banner path
123#Banner none
124
125# override default of no subsystems
126Subsystem	sftp	/usr/libexec/sftp-server
127
128# Example of overriding settings on a per-user basis
129#Match User anoncvs
130#	X11Forwarding no
131#	AllowTcpForwarding no
132#	PermitTTY no
133#	ForceCommand cvs server
134