1# $OpenBSD: sshd_config,v 1.94 2015/02/02 01:57:44 deraadt Exp $ 2 3# This is the sshd server system-wide configuration file. See 4# sshd_config(5) for more information. 5 6# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 7 8# The strategy used for options in the default sshd_config shipped with 9# OpenSSH is to specify options with their default value where 10# possible, but leave them commented. Uncommented options override the 11# default value. 12 13#Port 22 14#AddressFamily any 15#ListenAddress 0.0.0.0 16#ListenAddress :: 17 18# The default requires explicit activation of protocol 1 19#Protocol 2 20 21# HostKey for protocol version 1 22#HostKey /etc/ssh/ssh_host_key 23# HostKeys for protocol version 2 24#HostKey /etc/ssh/ssh_host_rsa_key 25#HostKey /etc/ssh/ssh_host_dsa_key 26#HostKey /etc/ssh/ssh_host_ecdsa_key 27#HostKey /etc/ssh/ssh_host_ed25519_key 28 29# Lifetime and size of ephemeral version 1 server key 30#KeyRegenerationInterval 1h 31#ServerKeyBits 1024 32 33# Ciphers and keying 34#RekeyLimit default none 35 36# Logging 37# obsoletes QuietMode and FascistLogging 38#SyslogFacility AUTH 39#LogLevel INFO 40 41# Authentication: 42 43#LoginGraceTime 2m 44#PermitRootLogin yes 45#StrictModes yes 46#MaxAuthTries 6 47#MaxSessions 10 48 49#RSAAuthentication yes 50#PubkeyAuthentication yes 51 52# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 53# but this is overridden so installations will only check .ssh/authorized_keys 54AuthorizedKeysFile .ssh/authorized_keys 55 56#AuthorizedPrincipalsFile none 57 58#AuthorizedKeysCommand none 59#AuthorizedKeysCommandUser nobody 60 61# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 62#RhostsRSAAuthentication no 63# similar for protocol version 2 64#HostbasedAuthentication no 65# Change to yes if you don't trust ~/.ssh/known_hosts for 66# RhostsRSAAuthentication and HostbasedAuthentication 67#IgnoreUserKnownHosts no 68# Don't read the user's ~/.rhosts and ~/.shosts files 69#IgnoreRhosts yes 70 71# To disable tunneled clear text passwords, change to no here! 72#PasswordAuthentication yes 73#PermitEmptyPasswords no 74 75# Change to no to disable s/key passwords 76#ChallengeResponseAuthentication yes 77 78# Kerberos options 79#KerberosAuthentication no 80#KerberosOrLocalPasswd yes 81#KerberosTicketCleanup yes 82#KerberosGetAFSToken no 83 84# GSSAPI options 85#GSSAPIAuthentication no 86#GSSAPICleanupCredentials yes 87 88# Set this to 'yes' to enable PAM authentication, account processing, 89# and session processing. If this is enabled, PAM authentication will 90# be allowed through the ChallengeResponseAuthentication and 91# PasswordAuthentication. Depending on your PAM configuration, 92# PAM authentication via ChallengeResponseAuthentication may bypass 93# the setting of "PermitRootLogin without-password". 94# If you just want the PAM account and session checks to run without 95# PAM authentication, then enable this but set PasswordAuthentication 96# and ChallengeResponseAuthentication to 'no'. 97#UsePAM no 98 99#AllowAgentForwarding yes 100#AllowTcpForwarding yes 101#GatewayPorts no 102#X11Forwarding no 103#X11DisplayOffset 10 104#X11UseLocalhost yes 105#PermitTTY yes 106#PrintMotd yes 107#PrintLastLog yes 108#TCPKeepAlive yes 109#UseLogin no 110UsePrivilegeSeparation sandbox # Default for new installations. 111#PermitUserEnvironment no 112#Compression delayed 113#ClientAliveInterval 0 114#ClientAliveCountMax 3 115#UseDNS no 116#PidFile /var/run/sshd.pid 117#MaxStartups 10:30:100 118#PermitTunnel no 119#ChrootDirectory none 120#VersionAddendum none 121 122# no default banner path 123#Banner none 124 125# override default of no subsystems 126Subsystem sftp /usr/libexec/sftp-server 127 128# Example of overriding settings on a per-user basis 129#Match User anoncvs 130# X11Forwarding no 131# AllowTcpForwarding no 132# PermitTTY no 133# ForceCommand cvs server 134