1# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $ 2 3# This is the sshd server system-wide configuration file. See 4# sshd_config(5) for more information. 5 6# The strategy used for options in the default sshd_config shipped with 7# OpenSSH is to specify options with their default value where 8# possible, but leave them commented. Uncommented options override the 9# default value. 10 11#Port 22 12#AddressFamily any 13#ListenAddress 0.0.0.0 14#ListenAddress :: 15 16# The default requires explicit activation of protocol 1 17#Protocol 2 18 19# HostKey for protocol version 1 20#HostKey /etc/ssh/ssh_host_key 21# HostKeys for protocol version 2 22#HostKey /etc/ssh/ssh_host_rsa_key 23#HostKey /etc/ssh/ssh_host_dsa_key 24#HostKey /etc/ssh/ssh_host_ecdsa_key 25 26# Lifetime and size of ephemeral version 1 server key 27#KeyRegenerationInterval 1h 28#ServerKeyBits 1024 29 30# Logging 31# obsoletes QuietMode and FascistLogging 32#SyslogFacility AUTH 33#LogLevel INFO 34 35# Authentication: 36 37#LoginGraceTime 2m 38#PermitRootLogin yes 39#StrictModes yes 40#MaxAuthTries 6 41#MaxSessions 10 42 43#RSAAuthentication yes 44#PubkeyAuthentication yes 45 46# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 47# but this is overridden so installations will only check .ssh/authorized_keys 48AuthorizedKeysFile .ssh/authorized_keys 49 50#AuthorizedPrincipalsFile none 51 52#AuthorizedKeysCommand none 53#AuthorizedKeysCommandUser nobody 54 55# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 56#RhostsRSAAuthentication no 57# similar for protocol version 2 58#HostbasedAuthentication no 59# Change to yes if you don't trust ~/.ssh/known_hosts for 60# RhostsRSAAuthentication and HostbasedAuthentication 61#IgnoreUserKnownHosts no 62# Don't read the user's ~/.rhosts and ~/.shosts files 63#IgnoreRhosts yes 64 65# To disable tunneled clear text passwords, change to no here! 66#PasswordAuthentication yes 67#PermitEmptyPasswords no 68 69# Change to no to disable s/key passwords 70#ChallengeResponseAuthentication yes 71 72# Kerberos options 73#KerberosAuthentication no 74#KerberosOrLocalPasswd yes 75#KerberosTicketCleanup yes 76#KerberosGetAFSToken no 77 78# GSSAPI options 79#GSSAPIAuthentication no 80#GSSAPICleanupCredentials yes 81 82#AllowAgentForwarding yes 83#AllowTcpForwarding yes 84#GatewayPorts no 85#X11Forwarding no 86#X11DisplayOffset 10 87#X11UseLocalhost yes 88#PrintMotd yes 89#PrintLastLog yes 90#TCPKeepAlive yes 91#UseLogin no 92UsePrivilegeSeparation sandbox # Default for new installations. 93#PermitUserEnvironment no 94#Compression delayed 95#ClientAliveInterval 0 96#ClientAliveCountMax 3 97#UseDNS yes 98#PidFile /var/run/sshd.pid 99#MaxStartups 10:30:100 100#PermitTunnel no 101#ChrootDirectory none 102#VersionAddendum none 103 104# no default banner path 105#Banner none 106 107# override default of no subsystems 108Subsystem sftp /usr/libexec/sftp-server 109 110# Example of overriding settings on a per-user basis 111#Match User anoncvs 112# X11Forwarding no 113# AllowTcpForwarding no 114# ForceCommand cvs server 115