xref: /freebsd/crypto/openssh/sshd_config (revision 21e764df0c8084af2d7d6f5ecdaa136ad81246ed)
#	$OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
#	$FreeBSD$

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20041028

#Port 22
#Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server
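The interaction described in the UsePAM comment above, as an added example that is not part of the FreeBSD file or of OpenSSH: a small audit that resolves the effective settings of an sshd_config written in this file's style and reports which restrictions may not be honoured while PAM is reachable through challenge-response. The function names and the sample inputs are constructed for illustration; the check reads only sshd_config and assumes that "#Keyword value" lines record the compiled-in defaults, so it cannot tell what the PAM stack itself permits.

```python
import re

# "#Keyword value" (no space after '#') is a commented-out default in this
# file's style; "# text" is prose. Keywords are matched case-insensitively.
LINE = re.compile(r"^(#?)([A-Za-z][A-Za-z0-9]*)[ \t=]+(.+?)\s*$")

def effective(text):
    """Return {keyword: value}. Active lines override commented defaults,
    and among active lines the first occurrence wins, as in sshd."""
    defaults, active = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        commented, key, value = m.group(1), m.group(2).lower(), m.group(3)
        (defaults if commented else active).setdefault(key, value)
    return {**defaults, **active}

# Settings the UsePAM comment names as possibly bypassed, paired with the
# value an administrator sets when relying on them as a restriction.
RESTRICTIONS = {
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "permitrootlogin": "without-password",
}

def pam_bypass_findings(cfg):
    """List restrictions that PAM challenge-response may not honour."""
    if cfg.get("usepam") != "yes":
        return []
    if cfg.get("challengeresponseauthentication") != "yes":
        return []
    return sorted(k for k, v in RESTRICTIONS.items() if cfg.get(k) == v)

# Constructed sample inputs, using the default values shown in the file.
SHIPPED = """\
#PermitRootLogin no
#PasswordAuthentication no
#PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
#UsePAM yes
"""
# PAM account and session checks only, as the comment recommends.
ACCOUNT_SESSION_ONLY = SHIPPED + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED),
                       ("account/session only", ACCOUNT_SESSION_ONLY)):
        print(name, pam_bypass_findings(effective(text)))
```

An empty result means sshd_config no longer routes authentication through PAM; it says nothing about whether the PAM account and session modules are configured as intended.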