sshd_config revision 1.8.2.2
      1  1.8.2.1      yamt #	$NetBSD: sshd_config,v 1.8.2.2 2014/05/22 13:21:35 yamt Exp $
      2  1.8.2.2      yamt #	$OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $
      3      1.1  christos 
      4      1.1  christos # This is the sshd server system-wide configuration file.  See
      5      1.1  christos # sshd_config(5) for more information.
      6      1.1  christos 
      7      1.1  christos # The strategy used for options in the default sshd_config shipped with
      8      1.1  christos # OpenSSH is to specify options with their default value where
      9      1.8  christos # possible, but leave them commented.  Uncommented options override the
     10      1.1  christos # default value.
     11      1.1  christos 
     12      1.1  christos #Port 22
     13      1.1  christos #AddressFamily any
     14      1.1  christos #ListenAddress 0.0.0.0
     15      1.1  christos #ListenAddress ::
     16      1.1  christos 
     17      1.4      adam # The default requires explicit activation of protocol 1
     18      1.4      adam #Protocol 2
     19      1.1  christos 
     20      1.1  christos # HostKey for protocol version 1
     21      1.1  christos #HostKey /etc/ssh/ssh_host_key
     22      1.1  christos # HostKeys for protocol version 2
     23      1.1  christos #HostKey /etc/ssh/ssh_host_rsa_key
     24      1.1  christos #HostKey /etc/ssh/ssh_host_dsa_key
     25      1.7  christos #HostKey /etc/ssh/ssh_host_ecdsa_key
     26      1.1  christos 
     27      1.1  christos # Lifetime and size of ephemeral version 1 server key
     28      1.1  christos #KeyRegenerationInterval 1h
     29      1.1  christos #ServerKeyBits 1024
     30      1.1  christos 
     31  1.8.2.2      yamt # Ciphers and keying
     32  1.8.2.2      yamt #RekeyLimit default none
     33  1.8.2.2      yamt 
     34      1.1  christos # Logging
     35      1.1  christos # obsoletes QuietMode and FascistLogging
     36      1.1  christos #SyslogFacility AUTH
     37      1.1  christos #LogLevel INFO
     38      1.1  christos 
     39      1.1  christos # Authentication:
     40      1.1  christos 
     41      1.2  christos LoginGraceTime 600
     42      1.3    dyoung #PermitRootLogin no
     43      1.1  christos #StrictModes yes
     44      1.1  christos #MaxAuthTries 6
     45      1.1  christos #MaxSessions 10
     46      1.1  christos 
     47      1.1  christos #RSAAuthentication yes
     48      1.1  christos #PubkeyAuthentication yes
     49      1.8  christos 
     50      1.8  christos # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
     51      1.8  christos # but this is overridden so installations will only check .ssh/authorized_keys
     52      1.8  christos AuthorizedKeysFile	.ssh/authorized_keys
     53      1.1  christos 
     54  1.8.2.1      yamt #AuthorizedPrincipalsFile none
     55  1.8.2.1      yamt 
     56  1.8.2.2      yamt #AuthorizedKeysCommand none
     57  1.8.2.2      yamt #AuthorizedKeysCommandUser nobody
     58  1.8.2.2      yamt 
     59      1.1  christos # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
     60      1.1  christos #RhostsRSAAuthentication no
     61      1.1  christos # similar for protocol version 2
     62      1.1  christos #HostbasedAuthentication no
     63      1.1  christos # Change to yes if you don't trust ~/.ssh/known_hosts for
     64      1.1  christos # RhostsRSAAuthentication and HostbasedAuthentication
     65      1.1  christos #IgnoreUserKnownHosts no
     66      1.1  christos # Don't read the user's ~/.rhosts and ~/.shosts files
     67      1.1  christos #IgnoreRhosts yes
     68      1.1  christos 
     69      1.6    jruoho # To disable password authentication, set both PasswordAuthentication and UsePam to no
     70      1.1  christos #PasswordAuthentication yes
     71      1.1  christos #PermitEmptyPasswords no
     72      1.1  christos 
     73      1.1  christos # Change to no to disable s/key passwords
     74      1.1  christos #ChallengeResponseAuthentication yes
     75      1.1  christos 
     76      1.1  christos # Kerberos options
     77      1.1  christos #KerberosAuthentication no
     78      1.1  christos #KerberosOrLocalPasswd yes
     79      1.1  christos #KerberosTicketCleanup yes
     80      1.1  christos #KerberosGetAFSToken no
     81      1.1  christos 
     82      1.1  christos # GSSAPI options
     83      1.1  christos #GSSAPIAuthentication no
     84      1.1  christos #GSSAPICleanupCredentials yes
     85      1.1  christos 
     86      1.1  christos #AllowAgentForwarding yes
     87      1.1  christos #AllowTcpForwarding yes
     88      1.1  christos #GatewayPorts no
     89      1.1  christos #X11Forwarding no
     90      1.2  christos # If you use xorg from pkgsrc then uncomment the following line.
     91      1.2  christos #XAuthLocation /usr/pkg/bin/xauth
     92      1.1  christos #X11DisplayOffset 10
     93      1.1  christos #X11UseLocalhost yes
     94      1.1  christos #PrintMotd yes
     95      1.1  christos #PrintLastLog yes
     96      1.1  christos #TCPKeepAlive yes
     97      1.1  christos #UseLogin no
     98  1.8.2.1      yamt UsePrivilegeSeparation sandbox
     99      1.2  christos UsePam yes
    100      1.1  christos #PermitUserEnvironment no
    101      1.1  christos #Compression delayed
    102      1.1  christos #ClientAliveInterval 0
    103      1.1  christos #ClientAliveCountMax 3
    104      1.1  christos #UseDNS yes
    105      1.1  christos #PidFile /var/run/sshd.pid
    106  1.8.2.2      yamt #MaxStartups 10:30:100
    107      1.1  christos #PermitTunnel no
    108      1.1  christos #ChrootDirectory none
    109  1.8.2.1      yamt #VersionAddendum none
    110      1.1  christos 
    111      1.1  christos # no default banner path
    112      1.1  christos #Banner none
    113      1.1  christos 
    114      1.5      adam # The following options are added by the LDAP public key (LPK) patch.
    115      1.5      adam # Entries in your LDAP directory must have the posixAccount and ldapPublicKey objectclasses.
    116      1.5      adam #UseLPK yes
    117      1.5      adam #LpkLdapConf /etc/ldap.conf
    118      1.5      adam #LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
    119      1.5      adam #LpkUserDN   ou=users,dc=phear,dc=org
    120      1.5      adam #LpkGroupDN  ou=groups,dc=phear,dc=org
    121      1.5      adam #LpkBindDN cn=Manager,dc=phear,dc=org
    122      1.5      adam #LpkBindPw secret
    123      1.5      adam #LpkServerGroup mail
    124      1.5      adam #LpkFilter (hostAccess=master.phear.org)
    125      1.5      adam #LpkForceTLS no
    126      1.5      adam #LpkSearchTimelimit 3
    127      1.5      adam #LpkBindTimelimit 3
    128      1.5      adam #LpkPubKeyAttr sshPublicKey
    129      1.5      adam 
    130      1.1  christos # override default of no subsystems
    131      1.1  christos Subsystem	sftp	/usr/libexec/sftp-server
    132      1.1  christos 
    133      1.2  christos # the following are HPN related configuration options
    134      1.2  christos # TCP receive buffer polling; disable on kernels without autotuning
    135      1.2  christos #TcpRcvBufPoll yes
    136      1.3    dyoung 
    137      1.2  christos # allow the use of the none cipher (session data is then not encrypted)
    138      1.2  christos #NoneEnabled no
    139      1.2  christos 
    140      1.3    dyoung # disable hpn performance boosts.
    141      1.2  christos #HPNDisabled no
    142      1.2  christos 
    143      1.2  christos # buffer size for hpn to non-hpn connections
    144      1.2  christos #HPNBufferSize 2048
    145      1.2  christos 
    146      1.2  christos 
    147      1.1  christos # Example of overriding settings on a per-user basis
    148      1.1  christos #Match User anoncvs
    149      1.1  christos #	X11Forwarding no
    150      1.1  christos #	AllowTcpForwarding no
    151      1.1  christos #	ForceCommand cvs server
    152