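#	$OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of DragonFly's defaults differ from OpenBSD's, and
# DragonFly has a few additional options.

#VersionAddendum DragonFly-20090620

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
# (protocol 1 is the legacy, cryptographically weaker protocol.  The
# version 1 HostKey, KeyRegenerationInterval, ServerKeyBits,
# RSAAuthentication and RhostsRSAAuthentication settings below only
# matter if it is enabled.)
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# only allow root logins via public key pair
# (without-password turns off password authentication for root; it does
# not by itself restrict the other methods.  Root ends up limited to
# public keys because this file also sets ChallengeResponseAuthentication
# and HostbasedAuthentication to no and leaves GSSAPIAuthentication at
# its default of no.  Turning any of those on enables it for root too;
# see the UsePAM note further down.)
PermitRootLogin without-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#PermitBlacklistedKeys no
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# We disable cleartext passwords by default
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key and tunneled clear-text passwords
# when PAM is enabled.  We disable this by default.  Note that
# PAM is also disabled by default.
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing.  If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

# Agent and X11 forwarding default to on here.  Both let a sufficiently
# privileged user on this server reach the connecting client's agent or
# display for the life of the session; set them to no where unused.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

#XAuthLocation /usr/pkg/bin/xauth

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# allow the use of the none cipher
# (with the none cipher, session data is sent unencrypted once
# authentication has completed; leave this at no unless the traffic
# needs no confidentiality)
#NoneEnabled no

# disable hpn performance boosts.
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048


# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server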