xref: /openbsd/usr.bin/ssh/sshd_config (revision 53eed79d) 
1#	$OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $
2
3# This is the sshd server system-wide configuration file.  See
4# sshd_config(5) for more information.
5
6# The strategy used for options in the default sshd_config shipped with
7# OpenSSH is to specify options with their default value where
8# possible, but leave them commented.  Uncommented options override the
9# default value.
10
11#Port 22
12#AddressFamily any
13#ListenAddress 0.0.0.0
14#ListenAddress ::
15
16# The default requires explicit activation of protocol 1
17#Protocol 2
18
19# HostKey for protocol version 1
20#HostKey /etc/ssh/ssh_host_key
21# HostKeys for protocol version 2
22#HostKey /etc/ssh/ssh_host_rsa_key
23#HostKey /etc/ssh/ssh_host_dsa_key
24#HostKey /etc/ssh/ssh_host_ecdsa_key
25
26# Lifetime and size of ephemeral version 1 server key
27#KeyRegenerationInterval 1h
28#ServerKeyBits 1024
29
30# Ciphers and keying
31#RekeyLimit default none
32
33# Logging
34# obsoletes QuietMode and FascistLogging
35#SyslogFacility AUTH
36#LogLevel INFO
37
38# Authentication:
39
40#LoginGraceTime 2m
41#PermitRootLogin yes
42#StrictModes yes
43#MaxAuthTries 6
44#MaxSessions 10
45
46#RSAAuthentication yes
47#PubkeyAuthentication yes
48
49# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
50# but this is overridden so installations will only check .ssh/authorized_keys
51AuthorizedKeysFile	.ssh/authorized_keys
52
53#AuthorizedPrincipalsFile none
54
55#AuthorizedKeysCommand none
56#AuthorizedKeysCommandUser nobody
57
58# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
59#RhostsRSAAuthentication no
60# similar for protocol version 2
61#HostbasedAuthentication no
62# Change to yes if you don't trust ~/.ssh/known_hosts for
63# RhostsRSAAuthentication and HostbasedAuthentication
64#IgnoreUserKnownHosts no
65# Don't read the user's ~/.rhosts and ~/.shosts files
66#IgnoreRhosts yes
67
68# To disable tunneled clear text passwords, change to no here!
69#PasswordAuthentication yes
70#PermitEmptyPasswords no
71
72# Change to no to disable s/key passwords
73#ChallengeResponseAuthentication yes
74
75# Kerberos options
76#KerberosAuthentication no
77#KerberosOrLocalPasswd yes
78#KerberosTicketCleanup yes
79#KerberosGetAFSToken no
80
81# GSSAPI options
82#GSSAPIAuthentication no
83#GSSAPICleanupCredentials yes
84
85#AllowAgentForwarding yes
86#AllowTcpForwarding yes
87#GatewayPorts no
88#X11Forwarding no
89#X11DisplayOffset 10
90#X11UseLocalhost yes
91#PrintMotd yes
92#PrintLastLog yes
93#TCPKeepAlive yes
94#UseLogin no
95UsePrivilegeSeparation sandbox		# Default for new installations.
96#PermitUserEnvironment no
97#Compression delayed
98#ClientAliveInterval 0
99#ClientAliveCountMax 3
100#UseDNS yes
101#PidFile /var/run/sshd.pid
102#MaxStartups 10:30:100
103#PermitTunnel no
104#ChrootDirectory none
105#VersionAddendum none
106
107# no default banner path
108#Banner none
109
110# override default of no subsystems
111Subsystem	sftp	/usr/libexec/sftp-server
112
113# Example of overriding settings on a per-user basis
114#Match User anoncvs
115#	X11Forwarding no
116#	AllowTcpForwarding no
117#	ForceCommand cvs server
118