#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
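
The PAM comment in this file says that with UsePAM enabled, PAM authentication stays reachable through KbdInteractiveAuthentication and PasswordAuthentication unless both are set to 'no'. The check below is an added example, not part of this file or of OpenSSH: the function names and the sample configs are constructed, and it assumes a single file with no Include directives, reading only the global section before the first Match line.

```python
import re

# Defaults for the three directives involved; UsePAM and
# KbdInteractiveAuthentication match the commented values in the file above.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}

def effective_globals(text):
    """Return the effective global values of the directives in DEFAULTS."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented options do not override the default
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # Match blocks are conditional; stop at the first one
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)  # the first value obtained is the one used
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def pam_auth_paths(text):
    """List the directives through which PAM authentication is reachable."""
    cfg = effective_globals(text)
    if cfg["usepam"] != "yes":
        return []
    checks = (
        ("PasswordAuthentication", "passwordauthentication"),
        ("KbdInteractiveAuthentication", "kbdinteractiveauthentication"),
    )
    return [name for name, key in checks if cfg[key] == "yes"]

# Constructed samples: the relevant lines of the file above, then two edits.
AS_SHIPPED = "PasswordAuthentication no\n#KbdInteractiveAuthentication yes\n#UsePAM no\n"
PAM_ENABLED_ONLY = "PasswordAuthentication no\n#KbdInteractiveAuthentication yes\nUsePAM yes\n"
ACCOUNT_SESSION_ONLY = (
    "PasswordAuthentication no\nKbdInteractiveAuthentication no\nUsePAM yes\n"
)

if __name__ == "__main__":
    for label, sample in (("as shipped", AS_SHIPPED),
                          ("UsePAM uncommented", PAM_ENABLED_ONLY),
                          ("account/session only", ACCOUNT_SESSION_ONLY)):
        print(label, "->", pam_auth_paths(sample) or "no PAM authentication path")
```

Uncommenting only UsePAM in this file leaves KbdInteractiveAuthentication at its default, so the second sample still reports a PAM authentication path even though PasswordAuthentication is 'no'.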