xref: /dragonfly/crypto/openssh/sshd_config (revision ce74baca) 
1#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
2
3# This is the sshd server system-wide configuration file.  See
4# sshd_config(5) for more information.
5
6# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7
8# The strategy used for options in the default sshd_config shipped with
9# OpenSSH is to specify options with their default value where
10# possible, but leave them commented.  Uncommented options override the
11# default value.
12
13#Port 22
14#AddressFamily any
15#ListenAddress 0.0.0.0
16#ListenAddress ::
17
18#HostKey /etc/ssh/ssh_host_rsa_key
19#HostKey /etc/ssh/ssh_host_dsa_key
20#HostKey /etc/ssh/ssh_host_ecdsa_key
21#HostKey /etc/ssh/ssh_host_ed25519_key
22
23# Ciphers and keying
24#RekeyLimit default none
25
26# Logging
27#SyslogFacility AUTH
28#LogLevel INFO
29
30# Authentication:
31
32#LoginGraceTime 2m
33#PermitRootLogin prohibit-password
34#StrictModes yes
35#MaxAuthTries 6
36#MaxSessions 10
37
38#PubkeyAuthentication yes
39
40# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
41# but this is overridden so installations will only check .ssh/authorized_keys
42AuthorizedKeysFile	.ssh/authorized_keys
43
44#AuthorizedPrincipalsFile none
45
46#AuthorizedKeysCommand none
47#AuthorizedKeysCommandUser nobody
48
49# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
50#HostbasedAuthentication no
51# Change to yes if you don't trust ~/.ssh/known_hosts for
52# HostbasedAuthentication
53#IgnoreUserKnownHosts no
54# Don't read the user's ~/.rhosts and ~/.shosts files
55#IgnoreRhosts yes
56
57# To disable tunneled clear text passwords, change to no here!
58#PasswordAuthentication yes
59#PermitEmptyPasswords no
60
61# Change to no to disable s/key passwords
62#ChallengeResponseAuthentication yes
63
64# Kerberos options
65#KerberosAuthentication no
66#KerberosOrLocalPasswd yes
67#KerberosTicketCleanup yes
68#KerberosGetAFSToken no
69
70# GSSAPI options
71#GSSAPIAuthentication no
72#GSSAPICleanupCredentials yes
73
74# Set this to 'yes' to enable PAM authentication, account processing,
75# and session processing. If this is enabled, PAM authentication will
76# be allowed through the ChallengeResponseAuthentication and
77# PasswordAuthentication.  Depending on your PAM configuration,
78# PAM authentication via ChallengeResponseAuthentication may bypass
79# the setting of "PermitRootLogin without-password".
80# If you just want the PAM account and session checks to run without
81# PAM authentication, then enable this but set PasswordAuthentication
82# and ChallengeResponseAuthentication to 'no'.
83#UsePAM no
84
85#AllowAgentForwarding yes
86#AllowTcpForwarding yes
87#GatewayPorts no
88#X11Forwarding no
89#X11DisplayOffset 10
90#X11UseLocalhost yes
91#PermitTTY yes
92#PrintMotd yes
93#PrintLastLog yes
94#TCPKeepAlive yes
95#UseLogin no
96#PermitUserEnvironment no
97#Compression delayed
98#ClientAliveInterval 0
99#ClientAliveCountMax 3
100#UseDNS no
101#PidFile /var/run/sshd.pid
102#MaxStartups 10:30:100
103#PermitTunnel no
104#ChrootDirectory none
105#VersionAddendum none
106
107# no default banner path
108#Banner none
109
110# override default of no subsystems
111Subsystem	sftp	/usr/libexec/sftp-server
112
113# Example of overriding settings on a per-user basis
114#Match User anoncvs
115#	X11Forwarding no
116#	AllowTcpForwarding no
117#	PermitTTY no
118#	ForceCommand cvs server
119