xref: /openbsd/usr.bin/ssh/sshd_config (revision ed4ad9c0) 
1#	$OpenBSD: sshd_config,v 1.88 2012/10/30 21:29:55 djm Exp $
2
3# This is the sshd server system-wide configuration file.  See
4# sshd_config(5) for more information.
5
6# The strategy used for options in the default sshd_config shipped with
7# OpenSSH is to specify options with their default value where
8# possible, but leave them commented.  Uncommented options override the
9# default value.
10
11#Port 22
12#AddressFamily any
13#ListenAddress 0.0.0.0
14#ListenAddress ::
15
16# The default requires explicit activation of protocol 1
17#Protocol 2
18
19# HostKey for protocol version 1
20#HostKey /etc/ssh/ssh_host_key
21# HostKeys for protocol version 2
22#HostKey /etc/ssh/ssh_host_rsa_key
23#HostKey /etc/ssh/ssh_host_dsa_key
24#HostKey /etc/ssh/ssh_host_ecdsa_key
25
26# Lifetime and size of ephemeral version 1 server key
27#KeyRegenerationInterval 1h
28#ServerKeyBits 1024
29
30# Logging
31# obsoletes QuietMode and FascistLogging
32#SyslogFacility AUTH
33#LogLevel INFO
34
35# Authentication:
36
37#LoginGraceTime 2m
38#PermitRootLogin yes
39#StrictModes yes
40#MaxAuthTries 6
41#MaxSessions 10
42
43#RSAAuthentication yes
44#PubkeyAuthentication yes
45
46# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
47# but this is overridden so installations will only check .ssh/authorized_keys
48AuthorizedKeysFile	.ssh/authorized_keys
49
50#AuthorizedPrincipalsFile none
51
52#AuthorizedKeysCommand none
53#AuthorizedKeysCommandUser nobody
54
55# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
56#RhostsRSAAuthentication no
57# similar for protocol version 2
58#HostbasedAuthentication no
59# Change to yes if you don't trust ~/.ssh/known_hosts for
60# RhostsRSAAuthentication and HostbasedAuthentication
61#IgnoreUserKnownHosts no
62# Don't read the user's ~/.rhosts and ~/.shosts files
63#IgnoreRhosts yes
64
65# To disable tunneled clear text passwords, change to no here!
66#PasswordAuthentication yes
67#PermitEmptyPasswords no
68
69# Change to no to disable s/key passwords
70#ChallengeResponseAuthentication yes
71
72# Kerberos options
73#KerberosAuthentication no
74#KerberosOrLocalPasswd yes
75#KerberosTicketCleanup yes
76#KerberosGetAFSToken no
77
78# GSSAPI options
79#GSSAPIAuthentication no
80#GSSAPICleanupCredentials yes
81
82#AllowAgentForwarding yes
83#AllowTcpForwarding yes
84#GatewayPorts no
85#X11Forwarding no
86#X11DisplayOffset 10
87#X11UseLocalhost yes
88#PrintMotd yes
89#PrintLastLog yes
90#TCPKeepAlive yes
91#UseLogin no
92UsePrivilegeSeparation sandbox		# Default for new installations.
93#PermitUserEnvironment no
94#Compression delayed
95#ClientAliveInterval 0
96#ClientAliveCountMax 3
97#UseDNS yes
98#PidFile /var/run/sshd.pid
99#MaxStartups 10
100#PermitTunnel no
101#ChrootDirectory none
102#VersionAddendum none
103
104# no default banner path
105#Banner none
106
107# override default of no subsystems
108Subsystem	sftp	/usr/libexec/sftp-server
109
110# Example of overriding settings on a per-user basis
111#Match User anoncvs
112#	X11Forwarding no
113#	AllowTcpForwarding no
114#	ForceCommand cvs server
115