1# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $ 2 3# This is the sshd server system-wide configuration file. See 4# sshd_config(5) for more information. 5 6# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 7 8# The strategy used for options in the default sshd_config shipped with 9# OpenSSH is to specify options with their default value where 10# possible, but leave them commented. Uncommented options override the 11# default value. 12 13#Port 22 14#AddressFamily any 15#ListenAddress 0.0.0.0 16#ListenAddress :: 17 18# The default requires explicit activation of protocol 1 19#Protocol 2 20 21# HostKey for protocol version 1 22#HostKey /etc/ssh/ssh_host_key 23# HostKeys for protocol version 2 24#HostKey /etc/ssh/ssh_host_rsa_key 25#HostKey /etc/ssh/ssh_host_dsa_key 26#HostKey /etc/ssh/ssh_host_ecdsa_key 27 28# Lifetime and size of ephemeral version 1 server key 29#KeyRegenerationInterval 1h 30#ServerKeyBits 1024 31 32# Logging 33# obsoletes QuietMode and FascistLogging 34#SyslogFacility AUTH 35#LogLevel INFO 36 37# Authentication: 38 39#LoginGraceTime 2m 40#PermitRootLogin yes 41#StrictModes yes 42#MaxAuthTries 6 43#MaxSessions 10 44 45#RSAAuthentication yes 46#PubkeyAuthentication yes 47 48# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 49# but this is overridden so installations will only check .ssh/authorized_keys 50AuthorizedKeysFile .ssh/authorized_keys 51 52# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 53#RhostsRSAAuthentication no 54# similar for protocol version 2 55#HostbasedAuthentication no 56# Change to yes if you don't trust ~/.ssh/known_hosts for 57# RhostsRSAAuthentication and HostbasedAuthentication 58#IgnoreUserKnownHosts no 59# Don't read the user's ~/.rhosts and ~/.shosts files 60#IgnoreRhosts yes 61 62# To disable tunneled clear text passwords, change to no here! 63#PasswordAuthentication yes 64#PermitEmptyPasswords no 65 66# Change to no to disable s/key passwords 67#ChallengeResponseAuthentication yes 68 69# Kerberos options 70#KerberosAuthentication no 71#KerberosOrLocalPasswd yes 72#KerberosTicketCleanup yes 73#KerberosGetAFSToken no 74 75# GSSAPI options 76#GSSAPIAuthentication no 77#GSSAPICleanupCredentials yes 78 79# Set this to 'yes' to enable PAM authentication, account processing, 80# and session processing. If this is enabled, PAM authentication will 81# be allowed through the ChallengeResponseAuthentication and 82# PasswordAuthentication. Depending on your PAM configuration, 83# PAM authentication via ChallengeResponseAuthentication may bypass 84# the setting of "PermitRootLogin without-password". 85# If you just want the PAM account and session checks to run without 86# PAM authentication, then enable this but set PasswordAuthentication 87# and ChallengeResponseAuthentication to 'no'. 88#UsePAM no 89 90#AllowAgentForwarding yes 91#AllowTcpForwarding yes 92#GatewayPorts no 93#X11Forwarding no 94#X11DisplayOffset 10 95#X11UseLocalhost yes 96#PrintMotd yes 97#PrintLastLog yes 98#TCPKeepAlive yes 99#UseLogin no 100#UsePrivilegeSeparation yes 101#PermitUserEnvironment no 102#Compression delayed 103#ClientAliveInterval 0 104#ClientAliveCountMax 3 105#UseDNS yes 106#PidFile /var/run/sshd.pid 107#MaxStartups 10 108#PermitTunnel no 109#ChrootDirectory none 110 111# no default banner path 112#Banner none 113 114# override default of no subsystems 115Subsystem sftp /usr/libexec/sftp-server 116 117# Example of overriding settings on a per-user basis 118#Match User anoncvs 119# X11Forwarding no 120# AllowTcpForwarding no 121# ForceCommand cvs server 122