# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
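
The file's convention (commented options document defaults, uncommented ones override them) and its PAM caveat can be checked mechanically. The following Python example is added here and is not part of the file above or of OpenSSH; the function names, the constructed sample text, and the rule that `#Keyword value` with no space after `#` marks a documented default are assumptions of this example.

```python
import re

# Constructed sample in the style of the shipped file after an admin's edits.
SAMPLE = """\
#PermitRootLogin yes
PermitRootLogin without-password
#PasswordAuthentication yes
PasswordAuthentication no
#ChallengeResponseAuthentication yes
#UsePAM no
UsePAM yes
#Match User anoncvs
#\tX11Forwarding no
"""

ACTIVE = re.compile(r"^(\w+)\s+(.+)$")
DEFAULT = re.compile(r"^#(\w+)\s+(.+)$")  # '#Keyword value', no space after '#'

def effective(text):
    """Overlay active lines on the defaults documented as commented options."""
    active, defaults = {}, {}
    for line in map(str.rstrip, text.splitlines()):
        m, target = ACTIVE.match(line), active
        if not m:
            m, target = DEFAULT.match(line), defaults
        if not m:
            continue  # prose comment, blank line, or indented Match example
        key = m.group(1).lower()  # keywords are case-insensitive
        if key == "match":
            if target is active:
                break  # settings after an active Match apply conditionally
            continue
        target.setdefault(key, m.group(2).strip())  # first value read wins
    return {**defaults, **active}

def audit(text):
    """Return warnings for the password and PAM caveats in the file's comments."""
    cfg = effective(text)
    on = lambda key: cfg.get(key, "no") == "yes"
    findings = []
    if on("passwordauthentication"):
        findings.append("tunneled clear text passwords are enabled")
    if (on("usepam") and on("challengeresponseauthentication")
            and cfg.get("permitrootlogin") == "without-password"):
        findings.append("PAM challenge-response may bypass PermitRootLogin without-password")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The sample turns off PasswordAuthentication but leaves ChallengeResponseAuthentication at its commented default of yes, which is the combination the PAM comment describes. Defaults are read from the file's own commented lines, so they reflect this version of the file rather than what a given sshd binary was compiled with.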