# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# $FreeBSD$

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20060322

#Port 22
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
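
An added example (not part of the FreeBSD file or of OpenSSH) that checks the interaction described in the UsePAM comment: it merges the commented defaults with uncommented overrides and reports which of the settings named there are being relied on while PAM authentication is reachable through ChallengeResponseAuthentication. The function names, the `RELIED_ON` table and the `SHIPPED` excerpt are constructed for illustration.

```python
import re

# Constructed excerpt of the defaults documented in the file above; by the
# file's own convention a commented "#Keyword value" line shows the default.
SHIPPED = """\
#PermitRootLogin no
#PasswordAuthentication no
#PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
#UsePAM yes
"""

# Settings the UsePAM comment says PAM authentication may bypass, each with
# the restrictive value an administrator would be relying on.
RELIED_ON = {
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "permitrootlogin": "without-password",
}

# "#Keyword value" (no space after '#') is a documented default, "Keyword value"
# an active override; "# free text" comments do not match. Heuristic: a prose
# comment written without a space after '#' would be read as a default.
LINE = re.compile(r"^(#?)([A-Za-z][A-Za-z0-9]*)[ \t=]+(\S.*?)\s*$")

def effective(text):
    """Merge commented defaults with uncommented overrides.

    sshd uses the first value obtained for a keyword, so first one wins.
    """
    defaults, active = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            bucket = defaults if m.group(1) else active
            bucket.setdefault(m.group(2).lower(), m.group(3).lower())
    return {**defaults, **active}

def audit(text):
    """Return the relied-on settings that PAM authentication may bypass."""
    cfg = effective(text)
    pam_auth = (cfg.get("usepam") == "yes"
                and cfg.get("challengeresponseauthentication") == "yes")
    if not pam_auth:
        return []
    return sorted(k for k, v in RELIED_ON.items() if cfg.get(k) == v)

if __name__ == "__main__":
    print(audit(SHIPPED))
```

An empty result with `UsePAM yes` still in effect corresponds to the arrangement the comment recommends: PAM account and session checks run, but PAM authentication is not offered.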