#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
#
# Review summary: only two directives in this file are active
# (AuthorizedKeysFile and Subsystem sftp).  Every other line documents a
# compiled-in default, so the effective policy is the stock one: password
# logins allowed, root login allowed with keys only, and TCP and agent
# forwarding allowed.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# DSA (ssh-dss) keys are fixed at 1024 bits, and OpenSSH has disabled them
# by default at run time since 7.0; the dsa line is best left commented.
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
# AUTH/INFO records accepted and failed logins.  sshd_config(5) advises
# against the DEBUG levels in production because they violate user privacy.
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

# prohibit-password lets root log in with a key but not with password or
# keyboard-interactive authentication; "no" refuses root logins entirely.
# StrictModes makes sshd check the ownership and modes of the user's home
# directory and files before accepting a login.
# Once failures on a connection reach half of MaxAuthTries, further
# failures are logged.
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
# (a relative path is resolved against the user's home directory).
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# For key-only logins on a PAM-enabled server, ChallengeResponseAuthentication
# must be set to no as well (see the PAM note below); otherwise passwords
# can still be accepted through PAM.
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# ("without-password" is the older alias of "prohibit-password".)
#UsePAM no

# Forwarding: agent forwarding exposes the client's agent to this host for
# the lifetime of the session, so disable it where it is not needed.
# sshd_config(5) notes that disabling TCP forwarding does not improve
# security unless users are also denied shell access.  GatewayPorts no
# keeps remote-forwarded ports bound to the loopback address.
# PermitUserEnvironment: sshd_config(5) warns that enabling it may let
# users bypass access restrictions through mechanisms such as LD_PRELOAD.
# MaxStartups start:rate:full - with 10 unauthenticated connections pending,
# new ones are refused with 30% probability, rising linearly until all are
# refused at 100.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
# sshd_config(5) also documents "internal-sftp", an in-process SFTP server
# that simplifies ChrootDirectory setups.
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
# Directives after a Match line apply only to matching connections, up to
# the next Match line or the end of the file, so keep Match blocks last.
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
