# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# Note that some of DragonFly's defaults differ from OpenBSD's, and
# DragonFly has a few additional options.

#VersionAddendum DragonFly-20110920

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1.
# Protocol 1 is a legacy protocol with known cryptographic weaknesses;
# leave this at 2 unless a client that cannot speak protocol 2 must connect.
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# sshd refuses to use a private host key file that is group- or
# world-accessible, so keep these files readable by root only.
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
# (these two options only matter when protocol 1 is enabled)
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# Only allow root logins via a public key pair.
# "without-password" turns off password authentication for root; the
# UsePAM note further down explains that PAM challenge-response may
# bypass it, so keep ChallengeResponseAuthentication at "no" as well.
PermitRootLogin without-password
# StrictModes makes sshd check the ownership and modes of the user's
# files and home directory before accepting a login.
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
# NOTE(review): PermitBlacklistedKeys is not a stock OpenSSH option;
# presumably one of the additional options mentioned above - confirm
# its meaning in this build's sshd_config(5).
#PermitBlacklistedKeys no

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
# (a relative path is resolved against the user's home directory).
AuthorizedKeysFile .ssh/authorized_keys

# Host-based trust is disabled for both protocol versions below.
# Enabling RhostsRSAAuthentication would also require host keys in
# /etc/ssh/ssh_known_hosts.
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Tunneled clear-text passwords are disabled here ("no").
# Change to yes only if password logins are really needed.
PasswordAuthentication no
#PermitEmptyPasswords no

# "no" disables s/key and tunneled clear-text passwords
# when PAM is enabled. We disable this by default. Note that
# PAM is also disabled by default.
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set UsePAM to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# Both are already 'no' above; keep them that way when turning UsePAM on
# if root logins must stay key-only.
#UsePAM no

# Agent, TCP and X11 forwarding are all listed as enabled by default.
# Turn off the ones that are not needed, globally or in a Match block
# (see the example at the end of this file).
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

#XAuthLocation /usr/pkg/bin/xauth

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# allow the use of the none cipher
# NOTE(review): with the none cipher, session data is presumably sent
# unencrypted - confirm in the HPN documentation before enabling.
#NoneEnabled no

# disable hpn performance boosts.
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048


# Example of overriding settings on a per-user basis.
# A Match block applies to the lines that follow it, up to the next Match
# line or the end of the file, so keep Match blocks at the end.
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server