sshd_config revision 1.28.4.1
      1  1.28.4.1  perseant #	$NetBSD: sshd_config,v 1.28.4.1 2025/08/02 05:18:49 perseant Exp $
      2  1.28.4.1  perseant #	$OpenBSD: sshd_config,v 1.105 2024/12/03 14:12:47 dtucker Exp $
      3       1.1  christos 
      4       1.1  christos # This is the sshd server system-wide configuration file.  See
      5       1.1  christos # sshd_config(5) for more information.
      6       1.1  christos 
      7       1.1  christos # The strategy used for options in the default sshd_config shipped with
      8       1.1  christos # OpenSSH is to specify options with their default value where
      9       1.8  christos # possible, but leave them commented.  Uncommented options override the
     10       1.1  christos # default value.
     11       1.1  christos 
     12       1.1  christos #Port 22
     13       1.1  christos #AddressFamily any
     14       1.1  christos #ListenAddress 0.0.0.0
     15       1.1  christos #ListenAddress ::
     16       1.1  christos 
     17       1.1  christos #HostKey /etc/ssh/ssh_host_rsa_key
     18       1.7  christos #HostKey /etc/ssh/ssh_host_ecdsa_key
     19      1.12  christos #HostKey /etc/ssh/ssh_host_ed25519_key
     20       1.1  christos 
     21      1.11  christos # Ciphers and keying
     22      1.11  christos #RekeyLimit default none
     23      1.11  christos 
     24       1.1  christos # Logging
     25       1.1  christos #SyslogFacility AUTH
     26       1.1  christos #LogLevel INFO
     27       1.1  christos 
     28       1.1  christos # Authentication:
     29       1.1  christos 
      30      1.19  christos # For slow CPUs, bumped from 2 minutes to 10.  Unauthenticated connections may stay open this long, so MaxStartups (below) is what bounds how many can be pending at once.
     31      1.19  christos LoginGraceTime 600
     32      1.15  christos #PermitRootLogin prohibit-password
     33       1.1  christos #StrictModes yes
     34       1.1  christos #MaxAuthTries 6
     35       1.1  christos #MaxSessions 10
     36       1.1  christos 
     37       1.1  christos #PubkeyAuthentication yes
     38       1.8  christos 
     39       1.8  christos # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
     40       1.8  christos # but this is overridden so installations will only check .ssh/authorized_keys
     41       1.8  christos AuthorizedKeysFile	.ssh/authorized_keys
     42       1.1  christos 
     43       1.9  christos #AuthorizedPrincipalsFile none
     44       1.9  christos 
     45      1.10  christos #AuthorizedKeysCommand none
     46      1.10  christos #AuthorizedKeysCommandUser nobody
     47      1.10  christos 
     48       1.1  christos # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
     49       1.1  christos #HostbasedAuthentication no
     50       1.1  christos # Change to yes if you don't trust ~/.ssh/known_hosts for
     51      1.18  christos # HostbasedAuthentication
     52       1.1  christos #IgnoreUserKnownHosts no
     53       1.1  christos # Don't read the user's ~/.rhosts and ~/.shosts files
     54       1.1  christos #IgnoreRhosts yes
     55       1.1  christos 
     56  1.28.4.1  perseant # To disable tunneled clear text passwords, change to "no" here!
     57       1.1  christos #PasswordAuthentication yes
     58       1.1  christos #PermitEmptyPasswords no
     59       1.1  christos 
     60  1.28.4.1  perseant # Change to "no" to disable keyboard-interactive authentication.  Depending on
     61  1.28.4.1  perseant # the system's configuration, this may involve passwords, challenge-response,
     62  1.28.4.1  perseant # one-time passwords or some combination of these and other methods.
     63      1.26  christos #KbdInteractiveAuthentication yes
     64       1.1  christos 
     65      1.25       kim # Kerberos options
     66      1.25       kim #KerberosAuthentication no
     67      1.25       kim #KerberosOrLocalPasswd yes
     68      1.25       kim #KerberosTicketCleanup yes
     69      1.25       kim #KerberosGetAFSToken no
     70      1.25       kim 
     71      1.25       kim # GSSAPI options
     72      1.25       kim #GSSAPIAuthentication no
     73      1.25       kim #GSSAPICleanupCredentials yes
     74      1.25       kim 
     75      1.25       kim # Set this to 'yes' to enable PAM authentication, account processing,
     76      1.25       kim # and session processing. If this is enabled, PAM authentication will
     77      1.27        he # be allowed through the KbdInteractiveAuthentication and
     78      1.27        he # PasswordAuthentication settings.  Depending on your PAM configuration,
     79      1.27        he # PAM authentication via KbdInteractiveAuthentication may bypass
      80      1.25       kim # the setting of "PermitRootLogin prohibit-password" (older spelling: "without-password").
     81      1.25       kim # If you just want the PAM account and session checks to run without
     82      1.25       kim # PAM authentication, then enable this but set PasswordAuthentication
     83      1.27        he # and KbdInteractiveAuthentication to 'no'.
     84      1.25       kim UsePAM yes
     85      1.25       kim 
     86       1.1  christos #AllowAgentForwarding yes
     87       1.1  christos #AllowTcpForwarding yes
     88       1.1  christos #GatewayPorts no
     89       1.1  christos #X11Forwarding no
     90       1.2  christos # If you use xorg from pkgsrc then uncomment the following line.
     91       1.2  christos #XAuthLocation /usr/pkg/bin/xauth
     92       1.1  christos #X11DisplayOffset 10
     93       1.1  christos #X11UseLocalhost yes
     94      1.12  christos #PermitTTY yes
     95       1.1  christos #PrintMotd yes
     96       1.1  christos #PrintLastLog yes
     97       1.1  christos #TCPKeepAlive yes
     98       1.1  christos #PermitUserEnvironment no
     99       1.1  christos #Compression delayed
    100       1.1  christos #ClientAliveInterval 0
    101       1.1  christos #ClientAliveCountMax 3
    102      1.13  christos #UseDNS no
    103       1.1  christos #PidFile /var/run/sshd.pid
    104      1.10  christos #MaxStartups 10:30:100
    105       1.1  christos #PermitTunnel no
    106       1.1  christos #ChrootDirectory none
    107       1.9  christos #VersionAddendum none
    108       1.1  christos 
    109       1.1  christos # no default banner path
    110       1.1  christos #Banner none
    111       1.1  christos 
     112       1.5      adam # Options added by the LDAP public-key (LPK) patch.  If LpkBindPw is set, this file holds a credential and must stay readable by root only.
     113       1.5      adam # entries in your LDAP directory must have the posixAccount and ldapPublicKey object classes
    114       1.5      adam #UseLPK yes
    115       1.5      adam #LpkLdapConf /etc/ldap.conf
    116       1.5      adam #LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
    117       1.5      adam #LpkUserDN   ou=users,dc=phear,dc=org
    118       1.5      adam #LpkGroupDN  ou=groups,dc=phear,dc=org
    119       1.5      adam #LpkBindDN cn=Manager,dc=phear,dc=org
    120       1.5      adam #LpkBindPw secret
    121       1.5      adam #LpkServerGroup mail
    122       1.5      adam #LpkFilter (hostAccess=master.phear.org)
    123       1.5      adam #LpkForceTLS no
    124       1.5      adam #LpkSearchTimelimit 3
    125       1.5      adam #LpkBindTimelimit 3
    126       1.5      adam #LpkPubKeyAttr sshPublicKey
    127       1.5      adam 
    128       1.1  christos # override default of no subsystems
    129       1.1  christos Subsystem	sftp	/usr/libexec/sftp-server
    130       1.1  christos 
    131       1.2  christos # the following are HPN related configuration options
     132       1.2  christos # TCP receive buffer polling; disable on kernels without receive-buffer autotuning
    133       1.2  christos #TcpRcvBufPoll yes
    134       1.3    dyoung 
     135       1.2  christos # allow the use of the none cipher (session data is then sent unencrypted once authentication completes)
    136       1.2  christos #NoneEnabled no
    137       1.2  christos 
    138       1.3    dyoung # disable hpn performance boosts.
    139      1.28       nia HPNDisabled yes
    140       1.2  christos 
    141       1.2  christos # buffer size for hpn to non-hpn connections
    142       1.2  christos #HPNBufferSize 2048
    143       1.2  christos 
    144       1.1  christos # Example of overriding settings on a per-user basis
    145       1.1  christos #Match User anoncvs
    146       1.1  christos #	X11Forwarding no
    147       1.1  christos #	AllowTcpForwarding no
    148      1.12  christos #	PermitTTY no
    149       1.1  christos #	ForceCommand cvs server