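# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#
# NOTE(review): only two directives are active in this file,
# AuthorizedKeysFile and Subsystem; every other setting is the compiled-in
# default shown as a comment. For each keyword sshd uses the first value it
# obtains, so an override appended below an earlier active setting of the
# same keyword has no effect. Check an edited file with `sshd -t` before
# reloading the daemon.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# NOTE(review): DSA keys are limited to 1024 bits; if HostKey lines are ever
# uncommented, consider leaving the ssh_host_dsa_key entry out.
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# prohibit-password lets root log in, but not with password or
# keyboard-interactive authentication. Set to "no" to refuse root logins
# entirely.
#PermitRootLogin prohibit-password
# StrictModes makes sshd check ownership and modes of the user's files and
# home directory before accepting a login; keep it enabled.
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# NOTE(review): password logins are on by default. Turning them off here is
# not sufficient on its own when PAM is in use: as the UsePAM comment below
# explains, ChallengeResponseAuthentication must also be set to "no".
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# NOTE(review): "without-password" is the deprecated alias of
# "prohibit-password", the value shown for PermitRootLogin above.
#UsePAM no

# NOTE(review): agent and TCP forwarding are allowed by default. Per
# sshd_config(5), disabling them does not improve security unless users are
# also denied shell access, since they can install their own forwarders;
# pair these settings with ForceCommand or a restricted shell, as the Match
# example at the end of this file does.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
# Leave PermitUserEnvironment off: sshd_config(5) warns that enabling it may
# let users bypass access restrictions through mechanisms such as LD_PRELOAD.
#PermitUserEnvironment no
#Compression delayed
# ClientAliveInterval 0 means no keepalive probes are sent, so unresponsive
# sessions are not dropped by this mechanism.
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
# MaxStartups start:rate:full - once 10 unauthenticated connections are
# pending, new ones are refused with 30% probability, rising linearly to
# 100% at 100 pending connections.
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
# NOTE(review): a Match block applies until the next Match line or the end
# of the file, so keep Match blocks after all global settings.
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    PermitTTY no
#    ForceCommand cvs server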