# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server