# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
Match User anoncvs
	X11Forwarding no
	AllowTcpForwarding no
	ForceCommand cvs server

Match Group restricted
	ForceCommand /usr/local/bin/restricted_group_command
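
The PAM comment block in the file above describes when PAM authentication stays reachable. The following check is an added example, not part of the original file or of OpenSSH: it reads a config's global section with sshd's first-value-wins rule and reports the conditions that comment warns about. The function names and the constructed SAMPLE excerpt are assumptions for illustration.

```python
# Added example (not from OpenSSH). SAMPLE is a constructed excerpt holding the
# uncommented authentication settings from the file above.
SAMPLE = """\
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User anoncvs
    X11Forwarding no
"""

# Defaults as listed in the commented-out lines of the file above.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}
AUTH_PATHS = ("passwordauthentication", "challengeresponseauthentication")


def global_settings(text):
    """Effective global values: the first occurrence of a keyword wins.

    Simplification (assumption): parsing stops at the first Match block, and
    accumulating keywords such as AcceptEnv are not modelled.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks are not part of the global section
        # Values are lowercased because only yes/no style values are compared.
        seen.setdefault(keyword, parts[1].strip().lower() if len(parts) > 1 else "")
    return {**DEFAULTS, **seen}


def pam_auth_findings(text):
    """Report the conditions the PAM comment block warns about."""
    cfg = global_settings(text)
    if cfg["usepam"] != "yes":
        return []
    findings = []
    reachable = [k for k in AUTH_PATHS if cfg[k] == "yes"]
    if reachable:
        findings.append("PAM authentication reachable via: " + ", ".join(reachable))
    if cfg["challengeresponseauthentication"] == "yes" and cfg["permitrootlogin"] == "without-password":
        findings.append("PAM via ChallengeResponseAuthentication may bypass PermitRootLogin without-password")
    return findings
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source; this sketch only covers the global keywords named in the PAM comment.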