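#	$OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
#
# Local deviations from the stock file: host keys and authorized_keys live
# under /data/ssh, password authentication is disabled, and
# challenge-response authentication is disabled explicitly.
# Comments must stay on their own lines; do not append them to a directive.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# sshd refuses to load a private host key that is group- or world-accessible,
# so /data/ssh and the key files must be owned by, and readable only by, the
# account sshd runs as.
HostKey /data/ssh/ssh_host_rsa_key
# NOTE(review): DSA host keys are limited to 1024 bits and ssh-dss is disabled
# by default in OpenSSH 7.0 and later. Kept here so clients that pinned the DSA
# key keep working; retire it once they have learned the RSA key.
HostKey /data/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
# NOTE(review): LogLevel VERBOSE additionally records the fingerprint of the
# key used for each login, which helps when auditing a shared key file.
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

# NOTE(review): PermitRootLogin is left at its default (yes, per the commented
# line below), so root can log in with any key accepted by AuthorizedKeysFile.
# Confirm that this is intended for this host.
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The stock default checks .ssh/authorized_keys and .ssh/authorized_keys2 in
# the user's home directory.  It is overridden here with a single absolute
# path.  The path contains no %h or %u token, so the same file is consulted
# for every account: a key listed in it is accepted for any login name.
# NOTE(review): keep the file writable only by its owner, and review every key
# in it as if it granted access to all accounts on this host.
AuthorizedKeysFile /data/ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Tunneled clear text passwords are disabled; logins use public keys.
PasswordAuthentication no
#PermitEmptyPasswords no

# Challenge-response (keyboard-interactive, s/key) is a second path by which a
# password can be accepted, and its default is yes.  It is turned off here so
# that "PasswordAuthentication no" really leaves public keys as the only
# method.  Whether the default could accept a password depends on how this
# sshd was built (PAM, BSD auth, S/Key), which this file does not show.
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

# NOTE(review): agent and TCP forwarding are left at their defaults (yes).
# If this host only needs shell and sftp access, consider setting them to no.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server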