xref: /freebsd/crypto/openssh/sshd_config (revision 7238317403b95a8e35cf0bc7cd66fbd78ecbe521)
1#	$OpenBSD: sshd_config,v 1.105 2024/12/03 14:12:47 dtucker Exp $
2
3# This is the sshd server system-wide configuration file.  See
4# sshd_config(5) for more information.
5
6# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7
8# The strategy used for options in the default sshd_config shipped with
9# OpenSSH is to specify options with their default value where
10# possible, but leave them commented.  Uncommented options override the
11# default value.
12
13# Note that some of FreeBSD's defaults differ from OpenBSD's, and
14# FreeBSD has a few additional options.
15
16#Port 22
17#AddressFamily any
18#ListenAddress 0.0.0.0
19#ListenAddress ::
20
21#HostKey /etc/ssh/ssh_host_rsa_key
22#HostKey /etc/ssh/ssh_host_ecdsa_key
23#HostKey /etc/ssh/ssh_host_ed25519_key
24
25# Ciphers and keying
26#RekeyLimit default none
27
28# Logging
29#SyslogFacility AUTH
30#LogLevel INFO
31
32# Authentication:
33
34#LoginGraceTime 2m
35#PermitRootLogin no
36#StrictModes yes
37#MaxAuthTries 6
38#MaxSessions 10
39
40#PubkeyAuthentication yes
41
42# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
43# but this is overridden so installations will only check .ssh/authorized_keys
44AuthorizedKeysFile	.ssh/authorized_keys
45
46#AuthorizedPrincipalsFile none
47
48#AuthorizedKeysCommand none
49#AuthorizedKeysCommandUser nobody
50
51# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
52#HostbasedAuthentication no
53# Change to yes if you don't trust users' ~/.ssh/known_hosts files for
54# HostbasedAuthentication; only /etc/ssh/ssh_known_hosts is then consulted
55#IgnoreUserKnownHosts no
56# Don't read the user's ~/.rhosts and ~/.shosts files
57#IgnoreRhosts yes
58
59# Change to "yes" to enable built-in password authentication.  Leaving it
60# at "no" does not stop passwords accepted via KbdInteractiveAuthentication.
61#PasswordAuthentication no
62#PermitEmptyPasswords no
63
64# Change to "no" to disable keyboard-interactive authentication.  Depending on
65# the system's configuration, this may involve passwords, challenge-response,
66# one-time passwords or some combination of these and other methods.
67# Keyboard-interactive authentication is also used for PAM authentication.
68#KbdInteractiveAuthentication yes
69
70# Kerberos options
71#KerberosAuthentication no
72#KerberosOrLocalPasswd yes
73#KerberosTicketCleanup yes
74#KerberosGetAFSToken no
75
76# GSSAPI options
77#GSSAPIAuthentication no
78#GSSAPICleanupCredentials yes
79
80# Set this to 'no' to disable PAM authentication, account processing,
81# and session processing. If this is enabled, PAM authentication will
82# be allowed through the KbdInteractiveAuthentication and
83# PasswordAuthentication options.  Depending on your PAM configuration,
84# PAM authentication via KbdInteractiveAuthentication may bypass
85# the setting of "PermitRootLogin prohibit-password".
86# If you just want the PAM account and session checks to run without
87# PAM authentication, then enable this but set PasswordAuthentication
88# and KbdInteractiveAuthentication to 'no'.
89#UsePAM yes
90
91#AllowAgentForwarding yes
92#AllowTcpForwarding yes
93#GatewayPorts no
94#X11Forwarding no
95#X11DisplayOffset 10
96#X11UseLocalhost yes
97#PermitTTY yes
98#PrintMotd yes
99#PrintLastLog yes
100#TCPKeepAlive yes
101#PermitUserEnvironment no
102#Compression delayed
103#ClientAliveInterval 0
104#ClientAliveCountMax 3
105#UseDNS yes
106#PidFile /var/run/sshd.pid
107#MaxStartups 10:30:100
108#PermitTunnel no
109#ChrootDirectory none
110#UseBlocklist no
111#VersionAddendum FreeBSD-20250801
112
113# no default banner path
114#Banner none
115
116# override default of no subsystems
117Subsystem	sftp	/usr/libexec/sftp-server
118
119# Example of overriding settings on a per-user basis
120#Match User anoncvs
121#	X11Forwarding no
122#	AllowTcpForwarding no
123#	PermitTTY no
124#	ForceCommand cvs server
125