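# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#
# NOTE: for each keyword sshd uses the first value it obtains, so an
# uncommented option earlier in this file takes precedence over a later
# duplicate of the same keyword. After editing, check the file with
# `sshd -t` (syntax) and `sshd -T` (effective settings) before reloading
# the daemon, so a typo does not lock out remote access.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# NOTE: prohibit-password still permits root to log in with a public key;
# only password and keyboard-interactive authentication are refused for
# root. Use "PermitRootLogin no" where direct root login is not needed.
#PermitRootLogin prohibit-password
# NOTE: StrictModes makes sshd check the modes and ownership of the user's
# files and home directory before accepting a login.
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
# NOTE: a relative path here is resolved against the home directory of the
# account being logged in to.
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# NOTE: when UsePAM is enabled, password prompts can also be offered through
# ChallengeResponseAuthentication (see the UsePAM comment below), so turning
# passwords off means setting both options to no.
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# NOTE: "without-password" is the older spelling of "prohibit-password".
#UsePAM no

# NOTE: agent, TCP and X11 forwarding widen what a logged-in account can
# reach. They can be switched off globally here, or for individual accounts
# in a Match block like the example at the end of this file.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
# NOTE: sshd_config(5) warns that enabling PermitUserEnvironment may let
# users bypass access restrictions in some configurations (for example
# through LD_PRELOAD); leave it at no unless it is required.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
# NOTE: MaxStartups is start:rate:full. Once 10 unauthenticated connections
# are pending, new ones are refused with 30% probability, rising linearly
# to 100% at 100 pending connections.
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
# NOTE: keywords after a Match line apply only to matching connections, and
# the block runs until the next Match line or the end of the file, so keep
# Match blocks below all global settings.
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    PermitTTY no
#    ForceCommand cvs server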