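#	$OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# NOTE: the private host keys are what identifies this server to clients.
# Keep the files readable only by the account sshd runs as.
# NOTE: DSA (ssh-dss) keys are limited to 1024 bits and are disabled by
# default from OpenSSH 7.0 on.  Confirm that no client still depends on the
# DSA key before retiring it, and check the RSA key length with
# "ssh-keygen -l -f /data/ssh/ssh_host_rsa_key".
HostKey /data/ssh/ssh_host_rsa_key
HostKey /data/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
# NOTE: LogLevel VERBOSE additionally records the fingerprint of the key
# used for each login, which helps attribute sessions to a key.
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

# NOTE: PermitRootLogin is left at the default shown below (yes), so root can
# log in with any key accepted through AuthorizedKeysFile.  Set it explicitly
# (for example "PermitRootLogin no") if direct root logins are not required.
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
# NOTE: the value below is an absolute path with no %h or %u token, so sshd
# consults the same file for every account.  A key listed there is accepted
# for any user that is allowed to log in.  Restrict write access to the file
# and its directory; with StrictModes left at yes, sshd also checks their
# ownership and modes before using the file.
AuthorizedKeysFile	/data/ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
# NOTE: this option stays at its default (yes) even though
# PasswordAuthentication is off.  Whether it offers any login method depends
# on how this sshd was built and on UsePAM; set it to no explicitly if
# key-only login is the intent.
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

# NOTE: agent forwarding and TCP forwarding are enabled by default (see the
# commented values below).  Turn them off here, or in a Match block, for
# accounts that only need a shell or sftp.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
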