Home | History | Annotate | Line # | Download | only in dist
sshd_config revision 1.28 
      1  1.28       nia #	$NetBSD: sshd_config,v 1.28 2022/05/09 15:06:29 nia Exp $
      2  1.26  christos #	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
      3   1.1  christos 
      4   1.1  christos # This is the sshd server system-wide configuration file.  See
      5   1.1  christos # sshd_config(5) for more information.
      6   1.1  christos 
      7   1.1  christos # The strategy used for options in the default sshd_config shipped with
      8   1.1  christos # OpenSSH is to specify options with their default value where
      9   1.8  christos # possible, but leave them commented.  Uncommented options override the
     10   1.1  christos # default value.
     11   1.1  christos 
     12   1.1  christos #Port 22
     13   1.1  christos #AddressFamily any
     14   1.1  christos #ListenAddress 0.0.0.0
     15   1.1  christos #ListenAddress ::
     16   1.1  christos 
     17   1.1  christos #HostKey /etc/ssh/ssh_host_rsa_key
     18   1.7  christos #HostKey /etc/ssh/ssh_host_ecdsa_key
     19  1.12  christos #HostKey /etc/ssh/ssh_host_ed25519_key
     20   1.1  christos 
     21  1.11  christos # Ciphers and keying
     22  1.11  christos #RekeyLimit default none
     23  1.11  christos 
     24   1.1  christos # Logging
     25   1.1  christos #SyslogFacility AUTH
     26   1.1  christos #LogLevel INFO
     27   1.1  christos 
     28   1.1  christos # Authentication:
     29   1.1  christos 
     30  1.19  christos # For slow CPUs, bumped from 2 minutes to 10
     31  1.19  christos LoginGraceTime 600
     32  1.15  christos #PermitRootLogin prohibit-password
     33   1.1  christos #StrictModes yes
     34   1.1  christos #MaxAuthTries 6
     35   1.1  christos #MaxSessions 10
     36   1.1  christos 
     37   1.1  christos #PubkeyAuthentication yes
     38   1.8  christos 
     39   1.8  christos # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
     40   1.8  christos # but this is overridden so installations will only check .ssh/authorized_keys
     41   1.8  christos AuthorizedKeysFile	.ssh/authorized_keys
     42   1.1  christos 
     43   1.9  christos #AuthorizedPrincipalsFile none
     44   1.9  christos 
     45  1.10  christos #AuthorizedKeysCommand none
     46  1.10  christos #AuthorizedKeysCommandUser nobody
     47  1.10  christos 
     48   1.1  christos # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
     49   1.1  christos #HostbasedAuthentication no
     50   1.1  christos # Change to yes if you don't trust ~/.ssh/known_hosts for
     51  1.18  christos # HostbasedAuthentication
     52   1.1  christos #IgnoreUserKnownHosts no
     53   1.1  christos # Don't read the user's ~/.rhosts and ~/.shosts files
     54   1.1  christos #IgnoreRhosts yes
     55   1.1  christos 
     56  1.24       kim # To disable password authentication, set this and UsePAM to no
     57   1.1  christos #PasswordAuthentication yes
     58   1.1  christos #PermitEmptyPasswords no
     59   1.1  christos 
     60   1.1  christos # Change to no to disable s/key passwords
     61  1.26  christos #KbdInteractiveAuthentication yes
     62   1.1  christos 
     63  1.25       kim # Kerberos options
     64  1.25       kim #KerberosAuthentication no
     65  1.25       kim #KerberosOrLocalPasswd yes
     66  1.25       kim #KerberosTicketCleanup yes
     67  1.25       kim #KerberosGetAFSToken no
     68  1.25       kim 
     69  1.25       kim # GSSAPI options
     70  1.25       kim #GSSAPIAuthentication no
     71  1.25       kim #GSSAPICleanupCredentials yes
     72  1.25       kim 
     73  1.25       kim # Set this to 'yes' to enable PAM authentication, account processing,
     74  1.25       kim # and session processing. If this is enabled, PAM authentication will
     75  1.27        he # be allowed through the KbdInteractiveAuthentication and
     76  1.27        he # PasswordAuthentication settings.  Depending on your PAM configuration,
     77  1.27        he # PAM authentication via KbdInteractiveAuthentication may bypass
     78  1.25       kim # the setting of "PermitRootLogin without-password".
     79  1.25       kim # If you just want the PAM account and session checks to run without
     80  1.25       kim # PAM authentication, then enable this but set PasswordAuthentication
     81  1.27        he # and KbdInteractiveAuthentication to 'no'.
     82  1.25       kim UsePAM yes
     83  1.25       kim 
     84   1.1  christos #AllowAgentForwarding yes
     85   1.1  christos #AllowTcpForwarding yes
     86   1.1  christos #GatewayPorts no
     87   1.1  christos #X11Forwarding no
     88   1.2  christos # If you use xorg from pkgsrc then uncomment the following line.
     89   1.2  christos #XAuthLocation /usr/pkg/bin/xauth
     90   1.1  christos #X11DisplayOffset 10
     91   1.1  christos #X11UseLocalhost yes
     92  1.12  christos #PermitTTY yes
     93   1.1  christos #PrintMotd yes
     94   1.1  christos #PrintLastLog yes
     95   1.1  christos #TCPKeepAlive yes
     96   1.1  christos #PermitUserEnvironment no
     97   1.1  christos #Compression delayed
     98   1.1  christos #ClientAliveInterval 0
     99   1.1  christos #ClientAliveCountMax 3
    100  1.13  christos #UseDNS no
    101   1.1  christos #PidFile /var/run/sshd.pid
    102  1.10  christos #MaxStartups 10:30:100
    103   1.1  christos #PermitTunnel no
    104   1.1  christos #ChrootDirectory none
    105   1.9  christos #VersionAddendum none
    106   1.1  christos 
    107   1.1  christos # no default banner path
    108   1.1  christos #Banner none
    109   1.1  christos 
    110   1.5      adam # here are the new patched ldap related tokens
    111   1.5      adam # entries in your LDAP must have posixAccount & ldapPublicKey objectclass
    112   1.5      adam #UseLPK yes
    113   1.5      adam #LpkLdapConf /etc/ldap.conf
    114   1.5      adam #LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
    115   1.5      adam #LpkUserDN   ou=users,dc=phear,dc=org
    116   1.5      adam #LpkGroupDN  ou=groups,dc=phear,dc=org
    117   1.5      adam #LpkBindDN cn=Manager,dc=phear,dc=org
    118   1.5      adam #LpkBindPw secret
    119   1.5      adam #LpkServerGroup mail
    120   1.5      adam #LpkFilter (hostAccess=master.phear.org)
    121   1.5      adam #LpkForceTLS no
    122   1.5      adam #LpkSearchTimelimit 3
    123   1.5      adam #LpkBindTimelimit 3
    124   1.5      adam #LpkPubKeyAttr sshPublicKey
    125   1.5      adam 
    126   1.1  christos # override default of no subsystems
    127   1.1  christos Subsystem	sftp	/usr/libexec/sftp-server
    128   1.1  christos 
    129   1.2  christos # the following are HPN related configuration options
    130   1.2  christos # tcp receive buffer polling. disable in non autotuning kernels
    131   1.2  christos #TcpRcvBufPoll yes
    132   1.3    dyoung 
    133   1.2  christos # allow the use of the none cipher
    134   1.2  christos #NoneEnabled no
    135   1.2  christos 
    136   1.3    dyoung # disable hpn performance boosts.
    137  1.28       nia HPNDisabled yes
    138   1.2  christos 
    139   1.2  christos # buffer size for hpn to non-hpn connections
    140   1.2  christos #HPNBufferSize 2048
    141   1.2  christos 
    142   1.1  christos # Example of overriding settings on a per-user basis
    143   1.1  christos #Match User anoncvs
    144   1.1  christos #	X11Forwarding no
    145   1.1  christos #	AllowTcpForwarding no
    146  1.12  christos #	PermitTTY no
    147   1.1  christos #	ForceCommand cvs server
    148