xref: /dragonfly/crypto/openssh/sshd_config (revision 50a69bb5)
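#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# prohibit-password: root may still log in, but password and
# keyboard-interactive authentication are disabled for root.
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Tunneled clear text passwords are disabled by the uncommented line
# below.  Change it to yes to allow them.
# KbdInteractiveAuthentication is a separate setting and is not turned
# off by this line; see the PAM notes further down.
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password" (formerly spelled
# "without-password", which remains a deprecated alias).
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server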