1# $OpenBSD: sshd_config,v 1.99 2016/07/11 03:19:44 tedu Exp $ 2 3# This is the sshd server system-wide configuration file. See 4# sshd_config(5) for more information. 5 6# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 7 8# The strategy used for options in the default sshd_config shipped with 9# OpenSSH is to specify options with their default value where 10# possible, but leave them commented. Uncommented options override the 11# default value. 12 13#Port 22 14#AddressFamily any 15#ListenAddress 0.0.0.0 16#ListenAddress :: 17 18# The default requires explicit activation of protocol 1 19#Protocol 2 20 21# HostKey for protocol version 1 22#HostKey /etc/ssh/ssh_host_key 23# HostKeys for protocol version 2 24#HostKey /etc/ssh/ssh_host_rsa_key 25#HostKey /etc/ssh/ssh_host_dsa_key 26#HostKey /etc/ssh/ssh_host_ecdsa_key 27#HostKey /etc/ssh/ssh_host_ed25519_key 28 29# Lifetime and size of ephemeral version 1 server key 30#KeyRegenerationInterval 1h 31#ServerKeyBits 1024 32 33# Ciphers and keying 34#RekeyLimit default none 35 36# Logging 37#SyslogFacility AUTH 38#LogLevel INFO 39 40# Authentication: 41 42#LoginGraceTime 2m 43#PermitRootLogin prohibit-password 44#StrictModes yes 45#MaxAuthTries 6 46#MaxSessions 10 47 48#RSAAuthentication yes 49#PubkeyAuthentication yes 50 51# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 52# but this is overridden so installations will only check .ssh/authorized_keys 53AuthorizedKeysFile .ssh/authorized_keys 54 55#AuthorizedPrincipalsFile none 56 57#AuthorizedKeysCommand none 58#AuthorizedKeysCommandUser nobody 59 60# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 61#RhostsRSAAuthentication no 62# similar for protocol version 2 63#HostbasedAuthentication no 64# Change to yes if you don't trust ~/.ssh/known_hosts for 65# RhostsRSAAuthentication and HostbasedAuthentication 66#IgnoreUserKnownHosts no 67# Don't read the user's ~/.rhosts and ~/.shosts files 68#IgnoreRhosts yes 69 70# Tunneled clear text passwords are disabled by default in DragonFly. 71# Change to yes to get OpenSSH's default. 72#PasswordAuthentication no 73 74#PermitEmptyPasswords no 75 76# Change to no to disable s/key passwords 77#ChallengeResponseAuthentication yes 78 79# Kerberos options 80#KerberosAuthentication no 81#KerberosOrLocalPasswd yes 82#KerberosTicketCleanup yes 83#KerberosGetAFSToken no 84 85# GSSAPI options 86#GSSAPIAuthentication no 87#GSSAPICleanupCredentials yes 88 89# Set this to 'yes' to enable PAM authentication, account processing, 90# and session processing. If this is enabled, PAM authentication will 91# be allowed through the ChallengeResponseAuthentication and 92# PasswordAuthentication. Depending on your PAM configuration, 93# PAM authentication via ChallengeResponseAuthentication may bypass 94# the setting of "PermitRootLogin without-password". 95# If you just want the PAM account and session checks to run without 96# PAM authentication, then enable this but set PasswordAuthentication 97# and ChallengeResponseAuthentication to 'no'. 98#UsePAM no 99 100#AllowAgentForwarding yes 101#AllowTcpForwarding yes 102#GatewayPorts no 103#X11Forwarding no 104#X11DisplayOffset 10 105#X11UseLocalhost yes 106#PermitTTY yes 107#PrintMotd yes 108#PrintLastLog yes 109#TCPKeepAlive yes 110#UseLogin no 111#UsePrivilegeSeparation sandbox 112#PermitUserEnvironment no 113#Compression delayed 114#ClientAliveInterval 0 115#ClientAliveCountMax 3 116#UseDNS no 117#PidFile /var/run/sshd.pid 118#MaxStartups 10:30:100 119#PermitTunnel no 120#ChrootDirectory none 121 122# DragonFly has different defaults than OpenSSH. 123#VersionAddendum DragonFly-20160813 124 125# no default banner path 126#Banner none 127 128# override default of no subsystems 129Subsystem sftp /usr/libexec/sftp-server 130 131# Example of overriding settings on a per-user basis 132#Match User anoncvs 133# X11Forwarding no 134# AllowTcpForwarding no 135# PermitTTY no 136# ForceCommand cvs server 137