1#	$OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $
2
3# This is the sshd server system-wide configuration file.  See
4# sshd_config(5) for more information.
5
6# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
7
8# The strategy used for options in the default sshd_config shipped with
9# OpenSSH is to specify options with their default value where
10# possible, but leave them commented.  Uncommented options change a
11# default value.
12
13#Port 22
14#AddressFamily any
15#ListenAddress 0.0.0.0
16#ListenAddress ::
17
18# Disable legacy (protocol version 1) support in the server for new
19# installations. In future the default will change to require explicit
20# activation of protocol 1
# NOTE(review): only SSH protocol 2 is accepted. The protocol-1 settings that
# appear commented out elsewhere in this file (the version 1 HostKey,
# KeyRegenerationInterval, ServerKeyBits) have no effect while this stays
# "Protocol 2". Keep it that way rather than adding "1" back for old clients.
21Protocol 2
22
23# HostKey for protocol version 1
24#HostKey /etc/ssh/ssh_host_key
25# HostKeys for protocol version 2
26#HostKey /etc/ssh/ssh_host_rsa_key
27#HostKey /etc/ssh/ssh_host_dsa_key
28
29# Lifetime and size of ephemeral version 1 server key
30#KeyRegenerationInterval 1h
31#ServerKeyBits 768
32
33# Logging
34# obsoletes QuietMode and FascistLogging
35#SyslogFacility AUTH
# NOTE(review): sshd messages go to the AUTHPRIV syslog facility instead of the
# default AUTH. Which file or collector receives authpriv is decided by the
# syslog configuration, not shown here -- confirm it is readable only by
# privileged users and is forwarded off-host so login records survive a
# compromise of this machine.
36SyslogFacility AUTHPRIV
# NOTE(review): LogLevel stays at the default INFO. If login auditing needs more
# detail, VERBOSE is the next level up; confirm what this sshd build records
# at that level before relying on it.
37#LogLevel INFO
38
39# Authentication:
40
41#LoginGraceTime 2m
# NOTE(review): PermitRootLogin is left commented, so the default shown (yes)
# applies. PasswordAuthentication is explicitly "yes" further down, which means
# root can log in over the network with a password. Prefer an explicit
# "PermitRootLogin no" (or "without-password" if key-only root access is
# required) and have administrators log in under their own accounts.
42#PermitRootLogin yes
43#StrictModes yes
# NOTE(review): the default of 6 attempts applies per connection; lowering it
# only slows password guessing, it does not replace disabling password logins.
44#MaxAuthTries 6
45
46#RSAAuthentication yes
47#PubkeyAuthentication yes
48#AuthorizedKeysFile	.ssh/authorized_keys
49
50# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
51#RhostsRSAAuthentication no
52# similar for protocol version 2
53#HostbasedAuthentication no
54# Change to yes if you don't trust ~/.ssh/known_hosts for
55# RhostsRSAAuthentication and HostbasedAuthentication
56#IgnoreUserKnownHosts no
57# Don't read the user's ~/.rhosts and ~/.shosts files
58#IgnoreRhosts yes
59
60# To disable tunneled clear text passwords, change to no here!
61#PasswordAuthentication yes
62#PermitEmptyPasswords no
# NOTE(review): password logins are explicitly enabled (same value as the
# commented default above, so this line is redundant). With passwords accepted,
# every account is exposed to online guessing; where users can be issued keys,
# set this to "no" and rely on PubkeyAuthentication, which this file leaves at
# its default of yes. PermitEmptyPasswords stays at its default of no.
63PasswordAuthentication yes
64
65# Change to no to disable s/key passwords
66#ChallengeResponseAuthentication yes
# NOTE(review): challenge-response is turned off, overriding the default of yes.
# The UsePAM comment later in this file describes that mechanism as a path by
# which PAM authentication may bypass "PermitRootLogin without-password", so
# keep this at "no" if that root-login mode is ever adopted.
67ChallengeResponseAuthentication no
68
69# Kerberos options
70#KerberosAuthentication no
71#KerberosOrLocalPasswd yes
72#KerberosTicketCleanup yes
73#KerberosGetAFSToken no
74
75# GSSAPI options
76#GSSAPIAuthentication no
# NOTE(review): GSSAPI authentication is switched on, overriding the default of
# no shown above. If this host is not part of a Kerberos realm, the method is
# unused pre-authentication surface -- confirm it is needed, otherwise set "no".
77GSSAPIAuthentication yes
78#GSSAPICleanupCredentials yes
# Same value as the commented default above: the credential cache is cleaned
# up rather than left behind.
79GSSAPICleanupCredentials yes
80
81# Set this to 'yes' to enable PAM authentication, account processing,
82# and session processing. If this is enabled, PAM authentication will
83# be allowed through the ChallengeResponseAuthentication and
84# PasswordAuthentication.  Depending on your PAM configuration,
85# PAM authentication via ChallengeResponseAuthentication may bypass
86# the setting of "PermitRootLogin without-password".
87# If you just want the PAM account and session checks to run without
88# PAM authentication, then enable this but set PasswordAuthentication
89# and ChallengeResponseAuthentication to 'no'.
90#UsePAM no
# NOTE(review): PAM is enabled, overriding the default of no. As configured in
# this file (PasswordAuthentication yes, ChallengeResponseAuthentication no),
# PAM authentication is reachable through password logins only. Password
# policy, lockout and account restrictions therefore depend on the PAM stack
# for sshd, which is not shown here -- review it together with this file.
91UsePAM yes
92
93# Accept locale-related environment variables
# NOTE(review): only the listed LANG/LC_* names are accepted from the client.
# Keep this list explicit; do not widen it with patterns or with variables
# that influence program loading or shell behaviour.
94AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
95AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
96AcceptEnv LC_IDENTIFICATION LC_ALL
# NOTE(review): TCP forwarding is left at its default of yes, so any
# authenticated user may relay TCP connections through this host unless a
# Match block turns it off for them.
97#AllowTcpForwarding yes
98#GatewayPorts no
99#X11Forwarding no
# NOTE(review): X11 forwarding is enabled for all users, overriding the default
# of no shown above. Enable it only where graphical sessions are actually
# needed; otherwise leave it off globally and grant it per user or group in a
# Match block.
100X11Forwarding yes
101#X11DisplayOffset 10
102#X11UseLocalhost yes
103#PrintMotd yes
104#PrintLastLog yes
105#TCPKeepAlive yes
106#UseLogin no
107#UsePrivilegeSeparation yes
108#PermitUserEnvironment no
109#Compression delayed
110#ClientAliveInterval 0
111#ClientAliveCountMax 3
112#ShowPatchLevel no
113#UseDNS yes
114#PidFile /var/run/sshd.pid
115#MaxStartups 10
116#PermitTunnel no
117
118# no default banner path
119#Banner /some/path
120
121# override default of no subsystems
# NOTE(review): enables the sftp subsystem using the external sftp-server
# binary at the path below. File access through it runs with the logged-in
# user's own privileges; this file sets no further restriction on it.
122Subsystem	sftp	/usr/libexec/openssh/sftp-server
123
# NOTE(review): although labelled an example, the two Match blocks below are
# not commented out, so they are live policy. Confirm the "anoncvs" user and
# the "restricted" group are meant to exist on this host. A Match block runs
# until the next Match line or end of file, so any directive appended after
# the last block is scoped to that block rather than applied globally.
124# Example of overriding settings on a per-user basis
125Match User anoncvs
126      X11Forwarding no
127      AllowTcpForwarding no
# NOTE(review): the command is given without a path, so it is located through
# PATH at run time; an absolute path would remove that dependency.
128      ForceCommand cvs server
129
# NOTE(review): unlike the anoncvs block, this block sets only ForceCommand.
# The global "X11Forwarding yes" and the default "AllowTcpForwarding yes" still
# apply to members of this group; add "X11Forwarding no" and
# "AllowTcpForwarding no" here if the group is meant to be confined to the
# forced command. The command itself should be owned by root and not writable
# by group members -- verify on the host.
130Match Group restricted
131      ForceCommand /usr/local/bin/restricted_group_command
132