1262566Sdes# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ 299051Sdes# $FreeBSD$ 357429Smarkm 498684Sdes# This is the sshd server system-wide configuration file. See 598684Sdes# sshd_config(5) for more information. 676262Sgreen 798941Sdes# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 898941Sdes 992559Sdes# The strategy used for options in the default sshd_config shipped with 1092559Sdes# OpenSSH is to specify options with their default value where 11226046Sdes# possible, but leave them commented. Uncommented options override the 1292559Sdes# default value. 1392559Sdes 1499051Sdes# Note that some of FreeBSD's defaults differ from OpenBSD's, and 1599051Sdes# FreeBSD has a few additional options. 1699051Sdes 1792559Sdes#Port 22 18147005Sdes#AddressFamily any 1957429Smarkm#ListenAddress 0.0.0.0 2057429Smarkm#ListenAddress :: 2169591Sgreen 22204917Sdes# The default requires explicit activation of protocol 1 23204917Sdes#Protocol 2 24181111Sdes 2592559Sdes# HostKey for protocol version 1 2692559Sdes#HostKey /etc/ssh/ssh_host_key 2792559Sdes# HostKeys for protocol version 2 28181111Sdes#HostKey /etc/ssh/ssh_host_rsa_key 2992559Sdes#HostKey /etc/ssh/ssh_host_dsa_key 30221420Sdes#HostKey /etc/ssh/ssh_host_ecdsa_key 31262566Sdes#HostKey /etc/ssh/ssh_host_ed25519_key 3257429Smarkm 3392559Sdes# Lifetime and size of ephemeral version 1 server key 34124211Sdes#KeyRegenerationInterval 1h 35181111Sdes#ServerKeyBits 1024 3692559Sdes 37255767Sdes# Ciphers and keying 38255767Sdes#RekeyLimit default none 39255767Sdes 4057429Smarkm# Logging 41149753Sdes# obsoletes QuietMode and FascistLogging 4292559Sdes#SyslogFacility AUTH 4392559Sdes#LogLevel INFO 4457429Smarkm 4592559Sdes# Authentication: 4692559Sdes 47124211Sdes#LoginGraceTime 2m 4899051Sdes#PermitRootLogin no 4992559Sdes#StrictModes yes 50137019Sdes#MaxAuthTries 6 51181111Sdes#MaxSessions 10 5292559Sdes 5392559Sdes#RSAAuthentication yes 5492559Sdes#PubkeyAuthentication yes 5592559Sdes 56226046Sdes# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 57248465Sdes#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 58226046Sdes 59240075Sdes#AuthorizedPrincipalsFile none 60240075Sdes 61248619Sdes#AuthorizedKeysCommand none 62248619Sdes#AuthorizedKeysCommandUser nobody 63248619Sdes 6492559Sdes# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 6592559Sdes#RhostsRSAAuthentication no 6676262Sgreen# similar for protocol version 2 6792559Sdes#HostbasedAuthentication no 6892559Sdes# Change to yes if you don't trust ~/.ssh/known_hosts for 6992559Sdes# RhostsRSAAuthentication and HostbasedAuthentication 7092559Sdes#IgnoreUserKnownHosts no 71124211Sdes# Don't read the user's ~/.rhosts and ~/.shosts files 72124211Sdes#IgnoreRhosts yes 7357429Smarkm 74126009Sdes# Change to yes to enable built-in password authentication. 75126009Sdes#PasswordAuthentication no 7692559Sdes#PermitEmptyPasswords no 7776262Sgreen 7899315Sdes# Change to no to disable PAM authentication 7995456Sdes#ChallengeResponseAuthentication yes 8057429Smarkm 8192559Sdes# Kerberos options 8298684Sdes#KerberosAuthentication no 8357429Smarkm#KerberosOrLocalPasswd yes 8492559Sdes#KerberosTicketCleanup yes 85126277Sdes#KerberosGetAFSToken no 8657429Smarkm 87124211Sdes# GSSAPI options 88124211Sdes#GSSAPIAuthentication no 89126277Sdes#GSSAPICleanupCredentials yes 9057429Smarkm 91162856Sdes# Set this to 'no' to disable PAM authentication, account processing, 92262566Sdes# and session processing. If this is enabled, PAM authentication will 93162856Sdes# be allowed through the ChallengeResponseAuthentication and 94162856Sdes# PasswordAuthentication. Depending on your PAM configuration, 95162856Sdes# PAM authentication via ChallengeResponseAuthentication may bypass 96162856Sdes# the setting of "PermitRootLogin without-password". 97162856Sdes# If you just want the PAM account and session checks to run without 98162856Sdes# PAM authentication, then enable this but set PasswordAuthentication 99162856Sdes# and ChallengeResponseAuthentication to 'no'. 100127033Sdes#UsePAM yes 10192559Sdes 102181111Sdes#AllowAgentForwarding yes 103124211Sdes#AllowTcpForwarding yes 104124211Sdes#GatewayPorts no 10599051Sdes#X11Forwarding yes 10692559Sdes#X11DisplayOffset 10 10792559Sdes#X11UseLocalhost yes 108262566Sdes#PermitTTY yes 10992559Sdes#PrintMotd yes 11092559Sdes#PrintLastLog yes 111126277Sdes#TCPKeepAlive yes 11257429Smarkm#UseLogin no 113262566Sdes#UsePrivilegeSeparation sandbox 114106130Sdes#PermitUserEnvironment no 115149753Sdes#Compression delayed 116124211Sdes#ClientAliveInterval 0 117124211Sdes#ClientAliveCountMax 3 118124211Sdes#UseDNS yes 119124211Sdes#PidFile /var/run/sshd.pid 120248619Sdes#MaxStartups 10:30:100 121157019Sdes#PermitTunnel no 122181111Sdes#ChrootDirectory none 123264692Sdes#VersionAddendum FreeBSD-20140420 12465674Skris 12592559Sdes# no default banner path 126181111Sdes#Banner none 12776262Sgreen 12892559Sdes# override default of no subsystems 12976262SgreenSubsystem sftp /usr/libexec/sftp-server 130162856Sdes 131224638Sbrooks# Disable HPN tuning improvements. 132224638Sbrooks#HPNDisabled no 133224638Sbrooks 134224638Sbrooks# Buffer size for HPN to non-HPN connections. 135224638Sbrooks#HPNBufferSize 2048 136224638Sbrooks 137224638Sbrooks# TCP receive socket buffer polling for HPN. Disable on non autotuning kernels. 138224638Sbrooks#TcpRcvBufPoll yes 139224638Sbrooks 140224638Sbrooks# Allow the use of the NONE cipher. 141224638Sbrooks#NoneEnabled no 142224638Sbrooks 143162856Sdes# Example of overriding settings on a per-user basis 144162856Sdes#Match User anoncvs 145162856Sdes# X11Forwarding no 146162856Sdes# AllowTcpForwarding no 147262566Sdes# PermitTTY no 148162856Sdes# ForceCommand cvs server 149