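# $NetBSD: sshd_config,v 1.29 2025/04/09 15:49:33 christos Exp $
# $OpenBSD: sshd_config,v 1.105 2024/12/03 14:12:47 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# Keywords are case-insensitive and, outside a Match block, sshd keeps the
# first value it reads for a keyword: set each keyword once, and check the
# effective configuration with "sshd -T" after editing.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

# For slow CPUs, bumped from 2 minutes to 10
# Note: an unauthenticated connection may stay open for this long, so the
# number of concurrent pending logins is bounded only by MaxStartups below.
LoginGraceTime 600
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to "no" here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to "no" to disable keyboard-interactive authentication. Depending on
# the system's configuration, this may involve passwords, challenge-response,
# one-time passwords or some combination of these and other methods.
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication settings. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password" (the older spelling
# "without-password" is a deprecated alias for the same value).
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
# If you use xorg from pkgsrc then uncomment the following line.
#XAuthLocation /usr/pkg/bin/xauth
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
# The Lpk* keywords come from a local patch, not stock OpenSSH; the server
# names and DNs below are examples only. LpkBindPw is a plaintext bind
# credential: if you enable it, keep this file readable by root only and
# prefer LpkForceTLS yes so the bind does not cross the network in clear.
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN ou=users,dc=phear,dc=org
#LpkGroupDN ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkFilter (hostAccess=master.phear.org)
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3
#LpkPubKeyAttr sshPublicKey

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# allow the use of the none cipher
# With the none cipher, session data after authentication is sent without
# encryption; leave this disabled unless the link is protected by other means.
#NoneEnabled no

# disable hpn performance boosts.
HPNDisabled yes

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048

# Example of overriding settings on a per-user basis
# (keywords inside a Match block apply only to matching connections and
# take precedence over the global values above)
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server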