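#	$OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
#
# NOTE(review): only five directives are active in this file
# (SyslogFacility, AuthorizedKeysFile, UsePrivilegeSeparation, AcceptEnv,
# Subsystem); everything else runs on the compiled-in default.  The
# commented values document those defaults but do not enforce them, so
# confirm the effective settings with "sshd -T" and uncomment the ones
# you depend on.

# See sshd_config(5) for details on setting the Port and Listen values on Mac OS X
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
# NOTE(review): protocol 1 is obsolete and later OpenSSH releases dropped
# server support for it; leave it disabled.
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# NOTE(review): host private keys should be readable by root only.  DSA
# keys are limited to 1024 bits and later OpenSSH releases disable them by
# default; prefer the RSA or ECDSA key.
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
# (only used when protocol 1 is enabled)
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
# NOTE(review): consider LogLevel VERBOSE where key-based logins need to be
# audited; it records more detail about authentication attempts.
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

# NOTE(review): the default shown below permits direct root logins.  Unless
# root access over SSH is required, set PermitRootLogin to "no" (or to
# "without-password" to allow keys only) explicitly.
# LoginGraceTime, MaxAuthTries and MaxStartups (further down) bound how
# long and how often unauthenticated clients may try.
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

# RSAAuthentication applies to protocol version 1 only
#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords both PasswordAuthentication and
# ChallengeResponseAuthentication must be set to "no".
# NOTE(review): with ChallengeResponseAuthentication left at "yes" (below),
# password logins can still be offered through PAM even though
# PasswordAuthentication is shown as "no".  For key-only access set both to
# "no" explicitly, after confirming that a key login works.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# Also, PAM will deny null passwords by default.  If you need to allow
# null passwords, add the " nullok" option to the end of the
# securityserver.so line in /etc/pam.d/sshd.
#UsePAM yes

# NOTE(review): agent and TCP forwarding default to enabled.  Turn them off
# (globally or in a Match block, as in the example at the end of this file)
# for accounts that do not need them.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
# Default is to search $PATH (set by launchd(8)).  It is recommended that a full path be provided.
#XauthLocation xauth
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
# Default for new installations.
UsePrivilegeSeparation sandbox
# NOTE(review): keep PermitUserEnvironment at "no"; sshd_config(5) warns that
# user-controlled environment processing can bypass access restrictions.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# pass locale information
# NOTE(review): AcceptEnv lets the client set the listed variables in the
# session; keep the list limited to locale variables as it is here.
AcceptEnv LANG LC_*

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server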