# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#
# Lines of the form "#Keyword value" are those commented defaults; lines
# of the form "# text" are explanatory. When auditing a host, "sshd -T"
# prints the effective configuration, which is easier to review than
# this mix of active and commented lines.

# Note that some of DragonFly's defaults differ from OpenBSD's, and
# DragonFly has a few additional options.

#VersionAddendum DragonFly-20150122

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
# NOTE(review): leave protocol 1 off. The version 1 HostKey,
# KeyRegenerationInterval and ServerKeyBits entries below are labelled
# as applying to protocol version 1 only.
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# Host private keys should be readable by root only; sshd_config(5)
# states that sshd refuses a key file that is group/world-accessible.
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# only allow root logins via public key pair
# NOTE(review): "without-password" itself only rules out password-style
# authentication for root. Public key ends up as the only way in because
# this file also keeps HostbasedAuthentication at "no" and leaves the
# Kerberos and GSSAPI options at their "no" defaults; re-check this line
# if any of those are enabled. Later OpenSSH releases also accept the
# spelling "prohibit-password"; confirm against the installed
# sshd_config(5) before renaming.
PermitRootLogin without-password
# StrictModes makes sshd check ownership and modes of the user's files
# and home directory before accepting a login; keep it at yes.
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
# A path that is not absolute is taken relative to the user's home
# directory (sshd_config(5)).
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# We disable cleartext passwords by default
# Together with ChallengeResponseAuthentication no and the Kerberos and
# GSSAPI defaults shown below, this leaves public key as the only
# authentication method enabled by this file, so an account needs a key
# in its AuthorizedKeysFile before it can log in over SSH.
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key and tunneled clear-text passwords
# when PAM is enabled. We disable this by default. Note that
# PAM is also disabled by default.
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# NOTE(review): this file already sets both of those to 'no' above, so
# enabling UsePAM as-is adds only the account and session checks. If
# either is later switched back to 'yes', review PermitRootLogin and the
# PAM stack together because of the bypass described above.
#UsePAM no

# NOTE(review): agent, TCP and X11 forwarding are all shown as enabled
# by default here. Accounts that do not need them can be restricted
# with a Match block like the example at the end of this file.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
# "sandbox" places additional restrictions on the unprivileged
# pre-authentication process on top of plain privilege separation
# (sshd_config(5)).
UsePrivilegeSeparation sandbox # Default for new installations.
# Keep PermitUserEnvironment at no unless there is a specific need:
# sshd_config(5) warns that enabling environment processing may let
# users bypass access restrictions in some configurations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
# MaxStartups is start:rate:full. Once "start" unauthenticated
# connections are pending, new ones are refused with probability
# "rate" percent, rising linearly until all are refused at "full".
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

#XAuthLocation /usr/local/bin/xauth

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# allow the use of the none cipher
# NOTE(review): with the none cipher the session data is not encrypted
# on the wire. Leave this at no unless that trade-off has been
# explicitly accepted for the hosts and data involved.
#NoneEnabled no

# disable hpn performance boosts.
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048


# Example of overriding settings on a per-user basis
# Keywords after a Match line override the global settings above for
# connections that satisfy it, until the next Match line or the end of
# the file, so Match blocks belong after all global options.
# The example below turns off X11 and TCP forwarding and the TTY for
# one account and forces a single command.
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server