sshd_config revision 1.1.1.6
      1  1.1.1.6  christos #	$OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
      2      1.1  christos 
      3      1.1  christos # This is the sshd server system-wide configuration file.  See
      4      1.1  christos # sshd_config(5) for more information.
      5      1.1  christos 
      6      1.1  christos # The strategy used for options in the default sshd_config shipped with
      7      1.1  christos # OpenSSH is to specify options with their default value where
      8  1.1.1.4  christos # possible, but leave them commented.  Uncommented options override the
      9      1.1  christos # default value.
     10      1.1  christos 
     11      1.1  christos #Port 22
     12      1.1  christos #AddressFamily any
     13      1.1  christos #ListenAddress 0.0.0.0
     14      1.1  christos #ListenAddress ::
     15      1.1  christos 
     16  1.1.1.2      adam # Protocol 1 is not enabled by default; it requires explicit activation
     17  1.1.1.2      adam #Protocol 2
     18      1.1  christos 
     19      1.1  christos # HostKey for protocol version 1
     20      1.1  christos #HostKey /etc/ssh/ssh_host_key
     21      1.1  christos # HostKeys for protocol version 2
     22      1.1  christos #HostKey /etc/ssh/ssh_host_rsa_key
     23      1.1  christos #HostKey /etc/ssh/ssh_host_dsa_key
     24  1.1.1.3  christos #HostKey /etc/ssh/ssh_host_ecdsa_key
     25      1.1  christos 
     26      1.1  christos # Lifetime and size of ephemeral version 1 server key
     27      1.1  christos #KeyRegenerationInterval 1h
     28      1.1  christos #ServerKeyBits 1024
     29      1.1  christos 
     30      1.1  christos # Logging
     31      1.1  christos # obsoletes QuietMode and FascistLogging
     32      1.1  christos #SyslogFacility AUTH
     33      1.1  christos #LogLevel INFO
     34      1.1  christos 
     35      1.1  christos # Authentication:
     36      1.1  christos 
     37      1.1  christos #LoginGraceTime 2m
     38      1.1  christos #PermitRootLogin yes
     39      1.1  christos #StrictModes yes
     40      1.1  christos #MaxAuthTries 6
     41      1.1  christos #MaxSessions 10
     42      1.1  christos 
     43      1.1  christos #RSAAuthentication yes
     44      1.1  christos #PubkeyAuthentication yes
     45  1.1.1.4  christos 
     46  1.1.1.4  christos # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
     47  1.1.1.4  christos # but this is overridden so installations will only check .ssh/authorized_keys
     48  1.1.1.4  christos AuthorizedKeysFile	.ssh/authorized_keys
     49      1.1  christos 
     50  1.1.1.5  christos #AuthorizedPrincipalsFile none
     51  1.1.1.5  christos 
     52  1.1.1.6  christos #AuthorizedKeysCommand none
     53  1.1.1.6  christos #AuthorizedKeysCommandUser nobody
     54  1.1.1.6  christos 
     55      1.1  christos # For RhostsRSAAuthentication to work you will also need host keys in /etc/ssh/ssh_known_hosts
     56      1.1  christos #RhostsRSAAuthentication no
     57      1.1  christos # similar for protocol version 2
     58      1.1  christos #HostbasedAuthentication no
     59      1.1  christos # Change to yes if you don't trust ~/.ssh/known_hosts for
     60      1.1  christos # RhostsRSAAuthentication and HostbasedAuthentication
     61      1.1  christos #IgnoreUserKnownHosts no
     62      1.1  christos # Don't read the user's ~/.rhosts and ~/.shosts files
     63      1.1  christos #IgnoreRhosts yes
     64      1.1  christos 
     65      1.1  christos # To disable password authentication (clear text passwords sent inside the encrypted tunnel), change to no here!
     66      1.1  christos #PasswordAuthentication yes
     67      1.1  christos #PermitEmptyPasswords no
     68      1.1  christos 
     69      1.1  christos # Change to no to disable challenge-response (e.g. s/key) passwords; this is separate from PasswordAuthentication
     70      1.1  christos #ChallengeResponseAuthentication yes
     71      1.1  christos 
     72      1.1  christos # Kerberos options
     73      1.1  christos #KerberosAuthentication no
     74      1.1  christos #KerberosOrLocalPasswd yes
     75      1.1  christos #KerberosTicketCleanup yes
     76      1.1  christos #KerberosGetAFSToken no
     77      1.1  christos 
     78      1.1  christos # GSSAPI options
     79      1.1  christos #GSSAPIAuthentication no
     80      1.1  christos #GSSAPICleanupCredentials yes
     81      1.1  christos 
     82      1.1  christos #AllowAgentForwarding yes
     83      1.1  christos #AllowTcpForwarding yes
     84      1.1  christos #GatewayPorts no
     85      1.1  christos #X11Forwarding no
     86      1.1  christos #X11DisplayOffset 10
     87      1.1  christos #X11UseLocalhost yes
     88      1.1  christos #PrintMotd yes
     89      1.1  christos #PrintLastLog yes
     90      1.1  christos #TCPKeepAlive yes
     91      1.1  christos #UseLogin no
     92  1.1.1.5  christos UsePrivilegeSeparation sandbox		# Default for new installations.
     93      1.1  christos #PermitUserEnvironment no
     94      1.1  christos #Compression delayed
     95      1.1  christos #ClientAliveInterval 0
     96      1.1  christos #ClientAliveCountMax 3
     97      1.1  christos #UseDNS yes
     98      1.1  christos #PidFile /var/run/sshd.pid
     99  1.1.1.6  christos #MaxStartups 10:30:100
    100      1.1  christos #PermitTunnel no
    101      1.1  christos #ChrootDirectory none
    102  1.1.1.5  christos #VersionAddendum none
    103      1.1  christos 
    104      1.1  christos # no default banner path
    105      1.1  christos #Banner none
    106      1.1  christos 
    107      1.1  christos # override default of no subsystems
    108      1.1  christos Subsystem	sftp	/usr/libexec/sftp-server
    109      1.1  christos 
    110      1.1  christos # Example of overriding settings on a per-user basis
    111      1.1  christos #Match User anoncvs
    112      1.1  christos #	X11Forwarding no
    113      1.1  christos #	AllowTcpForwarding no
    114      1.1  christos #	ForceCommand cvs server