xref: /dragonfly/crypto/openssh/sshd_config (revision d4ef6694)
1#	$OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $
2
3# This is the sshd server system-wide configuration file.  See
4# sshd_config(5) for more information.
5
6# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7
8# The strategy used for options in the default sshd_config shipped with
9# OpenSSH is to specify options with their default value where
10# possible, but leave them commented.  Uncommented options override the
11# default value.
12
13# Note that some of DragonFly's defaults differ from OpenBSD's, and
14# DragonFly has a few additional options.
15
16#VersionAddendum DragonFly-20121028
17
18#Port 22
19#AddressFamily any
20#ListenAddress 0.0.0.0
21#ListenAddress ::
22
23# The default requires explicit activation of protocol 1 (obsolete and cryptographically weak; leave it disabled unless a legacy client requires it)
24#Protocol 2
25
26# HostKey for protocol version 1
27#HostKey /etc/ssh/ssh_host_key
28# HostKeys for protocol version 2
29#HostKey /etc/ssh/ssh_host_rsa_key
30#HostKey /etc/ssh/ssh_host_dsa_key
31#HostKey /etc/ssh/ssh_host_ecdsa_key
32
33# Lifetime and size of ephemeral version 1 server key
34#KeyRegenerationInterval 1h
35#ServerKeyBits 1024
36
37# Logging
38# obsoletes QuietMode and FascistLogging
39#SyslogFacility AUTH
40#LogLevel INFO
41
42# Authentication:
43
44#LoginGraceTime 2m
45# only allow root logins via public key pair (without-password disables password authentication for root; see the UsePAM note below)
46PermitRootLogin without-password
47#StrictModes yes
48#MaxAuthTries 6
49#MaxSessions 10
50
51#RSAAuthentication yes
52#PubkeyAuthentication yes
53#PermitBlacklistedKeys no
54
55# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
56# but this is overridden so installations will only check .ssh/authorized_keys
57AuthorizedKeysFile	.ssh/authorized_keys
58
59#AuthorizedPrincipalsFile none
60
61# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
62RhostsRSAAuthentication no
63# similar for protocol version 2
64HostbasedAuthentication no
65# Change to yes if you don't trust ~/.ssh/known_hosts for
66# RhostsRSAAuthentication and HostbasedAuthentication
67#IgnoreUserKnownHosts no
68# Don't read the user's ~/.rhosts and ~/.shosts files
69IgnoreRhosts yes
70
71# To disable tunneled clear text passwords, change to no here!
72# We disable cleartext passwords by default
73PasswordAuthentication no
74#PermitEmptyPasswords no
75
76# Change to no to disable s/key and tunneled clear-text passwords
77# when PAM is enabled.  We disable this by default.  Note that
78# PAM is also disabled by default.
79ChallengeResponseAuthentication no
80
81# Kerberos options
82#KerberosAuthentication no
83#KerberosOrLocalPasswd yes
84#KerberosTicketCleanup yes
85#KerberosGetAFSToken no
86
87# GSSAPI options
88#GSSAPIAuthentication no
89#GSSAPICleanupCredentials yes
90
91# Set this to 'yes' to enable PAM authentication, account processing,
92# and session processing. If this is enabled, PAM authentication will
93# be allowed through the ChallengeResponseAuthentication and
94# PasswordAuthentication options.  Depending on your PAM configuration,
95# PAM authentication via ChallengeResponseAuthentication may bypass
96# the setting of "PermitRootLogin without-password".
97# If you just want the PAM account and session checks to run without
98# PAM authentication, then enable this but set PasswordAuthentication
99# and ChallengeResponseAuthentication to 'no'.
100#UsePAM no
101
102#AllowAgentForwarding yes
103#AllowTcpForwarding yes
104#GatewayPorts no
105#X11Forwarding yes
106#X11DisplayOffset 10
107#X11UseLocalhost yes
108#PrintMotd yes
109#PrintLastLog yes
110#TCPKeepAlive yes
111#UseLogin no
112UsePrivilegeSeparation sandbox		# Default for new installations.
113#PermitUserEnvironment no
114#Compression delayed
115#ClientAliveInterval 0
116#ClientAliveCountMax 3
117#UseDNS yes
118#PidFile /var/run/sshd.pid
119#MaxStartups 10
120#PermitTunnel no
121#ChrootDirectory none
122
123#XAuthLocation /usr/local/bin/xauth
124
125# no default banner path
126#Banner none
127
128# override default of no subsystems
129Subsystem	sftp	/usr/libexec/sftp-server
130
131# the following are HPN related configuration options
132# tcp receive buffer polling. disable in non autotuning kernels
133#TcpRcvBufPoll yes
134
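135# allow the use of the none cipher (session data is then sent unencrypted after authentication; keep this at no on untrusted networks)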
136#NoneEnabled no
137
138# disable hpn performance boosts.
139#HPNDisabled no
140
141# buffer size for hpn to non-hpn connections
142#HPNBufferSize 2048
143
144
145# Example of overriding settings on a per-user basis
146#Match User anoncvs
147#	X11Forwarding no
148#	AllowTcpForwarding no
149#	ForceCommand cvs server
150