# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
# $FreeBSD$

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20041028

#Port 22
#Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
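
Added example (not part of the FreeBSD or OpenSSH sources): a small Python check for the interaction the UsePAM comment in this file describes. It reads "#Keyword value" lines as documented defaults, lets active lines override them, and lists which of the three settings named in that comment are in force while PAM authentication is reachable through ChallengeResponseAuthentication. The function names and the two sample excerpts are constructed for illustration.

```python
import re

# "#Keyword value" (no space after '#', capitalised keyword) documents a default;
# this matches the convention of the shipped file and is an assumption elsewhere.
DEFAULT_RE = re.compile(r"^#([A-Z][A-Za-z0-9]*)\s+(\S.*)$")
ACTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s+(\S.*)$")

def effective_settings(text):
    """Map lowercase keyword -> value; active lines override documented defaults."""
    defaults, active = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, table in ((ACTIVE_RE, active), (DEFAULT_RE, defaults)):
            m = pattern.match(line)
            if m:
                # sshd keeps the first value it reads for a keyword;
                # values are lowercased here only to simplify comparison
                table.setdefault(m.group(1).lower(), m.group(2).strip().lower())
                break
    return {**defaults, **active}

def pam_bypass_findings(cfg):
    """List settings the UsePAM comment says PAM may bypass, if that path is open."""
    if cfg.get("usepam") != "yes" or cfg.get("challengeresponseauthentication") != "yes":
        return []
    watched = (("passwordauthentication", "no"),
               ("permitemptypasswords", "no"),
               ("permitrootlogin", "without-password"))
    return [f"{key}={want} may not be enforced for PAM logins"
            for key, want in watched if cfg.get(key) == want]

# Constructed excerpt holding the values documented in the file above.
SHIPPED = """\
#PermitRootLogin no
#PasswordAuthentication no
#PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
#UsePAM yes
"""
# Same excerpt with the change the comment suggests for account/session-only PAM.
HARDENED = SHIPPED + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("hardened", HARDENED)):
        print(name, pam_bypass_findings(effective_settings(text)))
```

On a live host, `sshd -T` prints the effective values and is the authoritative source; the parser here only mirrors this file's commenting convention.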