xref: /dragonfly/crypto/openssh/sshd_config (revision ce74baca)
1ce74bacaSMatthew Dillon#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
218de8d7fSPeter Avalos
318de8d7fSPeter Avalos# This is the sshd server system-wide configuration file.  See
418de8d7fSPeter Avalos# sshd_config(5) for more information.
518de8d7fSPeter Avalos
618de8d7fSPeter Avalos# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
718de8d7fSPeter Avalos
818de8d7fSPeter Avalos# The strategy used for options in the default sshd_config shipped with
918de8d7fSPeter Avalos# OpenSSH is to specify options with their default value where
101c188a7fSPeter Avalos# possible, but leave them commented.  Uncommented options override the
1118de8d7fSPeter Avalos# default value.
1218de8d7fSPeter Avalos
1318de8d7fSPeter Avalos#Port 22
1418de8d7fSPeter Avalos#AddressFamily any
1518de8d7fSPeter Avalos#ListenAddress 0.0.0.0
1618de8d7fSPeter Avalos#ListenAddress ::
1718de8d7fSPeter Avalos
1818de8d7fSPeter Avalos#HostKey /etc/ssh/ssh_host_rsa_key
1918de8d7fSPeter Avalos#HostKey /etc/ssh/ssh_host_dsa_key
209f304aafSPeter Avalos#HostKey /etc/ssh/ssh_host_ecdsa_key
2136e94dc5SPeter Avalos#HostKey /etc/ssh/ssh_host_ed25519_key
2218de8d7fSPeter Avalos
2336e94dc5SPeter Avalos# Ciphers and keying
2436e94dc5SPeter Avalos#RekeyLimit default none
2536e94dc5SPeter Avalos
2618de8d7fSPeter Avalos# Logging
2718de8d7fSPeter Avalos#SyslogFacility AUTH
2818de8d7fSPeter Avalos#LogLevel INFO
2918de8d7fSPeter Avalos
3018de8d7fSPeter Avalos# Authentication:
3118de8d7fSPeter Avalos
3218de8d7fSPeter Avalos#LoginGraceTime 2m
33e9778795SPeter Avalos#PermitRootLogin prohibit-password
3418de8d7fSPeter Avalos#StrictModes yes
3518de8d7fSPeter Avalos#MaxAuthTries 6
3618de8d7fSPeter Avalos#MaxSessions 10
3718de8d7fSPeter Avalos
3818de8d7fSPeter Avalos#PubkeyAuthentication yes
391c188a7fSPeter Avalos
401c188a7fSPeter Avalos# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
411c188a7fSPeter Avalos# but this is overridden so installations will only check .ssh/authorized_keys
421c188a7fSPeter AvalosAuthorizedKeysFile	.ssh/authorized_keys
4318de8d7fSPeter Avalos
4499e85e0dSPeter Avalos#AuthorizedPrincipalsFile none
4599e85e0dSPeter Avalos
4636e94dc5SPeter Avalos#AuthorizedKeysCommand none
4736e94dc5SPeter Avalos#AuthorizedKeysCommandUser nobody
4836e94dc5SPeter Avalos
4918de8d7fSPeter Avalos# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
5018de8d7fSPeter Avalos#HostbasedAuthentication no
5118de8d7fSPeter Avalos# Change to yes if you don't trust ~/.ssh/known_hosts for
52ce74bacaSMatthew Dillon# HostbasedAuthentication
5318de8d7fSPeter Avalos#IgnoreUserKnownHosts no
5418de8d7fSPeter Avalos# Don't read the user's ~/.rhosts and ~/.shosts files
5518de8d7fSPeter Avalos#IgnoreRhosts yes
5618de8d7fSPeter Avalos
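5718de8d7fSPeter Avalos# To disable tunneled clear text passwords, change to no here!  If UsePAM is enabled, also set ChallengeResponseAuthentication to no, or PAM may still prompt for a password (see the UsePAM notes below).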
5818de8d7fSPeter Avalos#PasswordAuthentication yes
5918de8d7fSPeter Avalos#PermitEmptyPasswords no
6018de8d7fSPeter Avalos
6118de8d7fSPeter Avalos# Change to no to disable s/key passwords
6218de8d7fSPeter Avalos#ChallengeResponseAuthentication yes
6318de8d7fSPeter Avalos
6418de8d7fSPeter Avalos# Kerberos options
6518de8d7fSPeter Avalos#KerberosAuthentication no
6618de8d7fSPeter Avalos#KerberosOrLocalPasswd yes
6718de8d7fSPeter Avalos#KerberosTicketCleanup yes
6818de8d7fSPeter Avalos#KerberosGetAFSToken no
6918de8d7fSPeter Avalos
7018de8d7fSPeter Avalos# GSSAPI options
7118de8d7fSPeter Avalos#GSSAPIAuthentication no
7218de8d7fSPeter Avalos#GSSAPICleanupCredentials yes
7318de8d7fSPeter Avalos
7418de8d7fSPeter Avalos# Set this to 'yes' to enable PAM authentication, account processing,
7518de8d7fSPeter Avalos# and session processing. If this is enabled, PAM authentication will
7618de8d7fSPeter Avalos# be allowed through the ChallengeResponseAuthentication and
7718de8d7fSPeter Avalos# PasswordAuthentication.  Depending on your PAM configuration,
7818de8d7fSPeter Avalos# PAM authentication via ChallengeResponseAuthentication may bypass
7918de8d7fSPeter Avalos# the setting of "PermitRootLogin prohibit-password" (older name: "without-password").
8018de8d7fSPeter Avalos# If you just want the PAM account and session checks to run without
8118de8d7fSPeter Avalos# PAM authentication, then enable this but set PasswordAuthentication
8218de8d7fSPeter Avalos# and ChallengeResponseAuthentication to 'no'.
8318de8d7fSPeter Avalos#UsePAM no
8418de8d7fSPeter Avalos
8518de8d7fSPeter Avalos#AllowAgentForwarding yes
8618de8d7fSPeter Avalos#AllowTcpForwarding yes
8718de8d7fSPeter Avalos#GatewayPorts no
8818de8d7fSPeter Avalos#X11Forwarding no
8918de8d7fSPeter Avalos#X11DisplayOffset 10
9018de8d7fSPeter Avalos#X11UseLocalhost yes
9136e94dc5SPeter Avalos#PermitTTY yes
9218de8d7fSPeter Avalos#PrintMotd yes
9318de8d7fSPeter Avalos#PrintLastLog yes
9418de8d7fSPeter Avalos#TCPKeepAlive yes
9518de8d7fSPeter Avalos#UseLogin no
9618de8d7fSPeter Avalos#PermitUserEnvironment no
9718de8d7fSPeter Avalos#Compression delayed
9818de8d7fSPeter Avalos#ClientAliveInterval 0
9918de8d7fSPeter Avalos#ClientAliveCountMax 3
100e9778795SPeter Avalos#UseDNS no
10118de8d7fSPeter Avalos#PidFile /var/run/sshd.pid
10236e94dc5SPeter Avalos#MaxStartups 10:30:100
10318de8d7fSPeter Avalos#PermitTunnel no
10418de8d7fSPeter Avalos#ChrootDirectory none
10599e85e0dSPeter Avalos#VersionAddendum none
10618de8d7fSPeter Avalos
10718de8d7fSPeter Avalos# no default banner path
10818de8d7fSPeter Avalos#Banner none
10918de8d7fSPeter Avalos
11018de8d7fSPeter Avalos# override default of no subsystems
11118de8d7fSPeter AvalosSubsystem	sftp	/usr/libexec/sftp-server
11218de8d7fSPeter Avalos
11318de8d7fSPeter Avalos# Example of overriding settings on a per-user basis
11418de8d7fSPeter Avalos#Match User anoncvs
11518de8d7fSPeter Avalos#	X11Forwarding no
11618de8d7fSPeter Avalos#	AllowTcpForwarding no
11736e94dc5SPeter Avalos#	PermitTTY no
11818de8d7fSPeter Avalos#	ForceCommand cvs server