xref: /freebsd/crypto/openssh/sshd_config (revision e146993e33182e13df79b5a957f2734f663fd836)
#	$OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $
#	$FreeBSD$

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20111001

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Disable HPN tuning improvements.
#HPNDisabled no

# Buffer size for HPN to non-HPN connections.
#HPNBufferSize 2048

# TCP receive socket buffer polling for HPN.  Disable on non-autotuning kernels.
#TcpRcvBufPoll yes

# Allow the use of the NONE cipher.
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

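
The comment above UsePAM (PAM authentication through ChallengeResponseAuthentication can bypass "PermitRootLogin without-password", so keep UsePAM yes but set PasswordAuthentication and ChallengeResponseAuthentication to no when only the account and session checks are wanted) and the per-user Match example at the end both rest on how sshd resolves a keyword: a commented line sets nothing, an uncommented line overrides the built-in default, the first obtained value of a keyword wins, and a Match block that matches the connection overrides the global section. The Python below is an added example written for this page, not OpenSSH or FreeBSD code and not a replacement for sshd's own evaluation: it parses a config under those rules and then audits the effective settings for the combinations this file's comments warn about. WEAK_CONFIG and HARDENED_CONFIG are constructed for the demonstration, the DEFAULTS table covers only the keywords audited, and Match support is reduced to exact User/Group/Address comparison, which is an assumption of the example rather than sshd's behaviour.

```python
"""Resolve and audit sshd_config settings as sshd_config(5) describes.
Added example for this page, not OpenSSH or FreeBSD code. Rules modelled: a
commented line sets nothing (the built-in default applies), the first obtained
value of a keyword wins, and a matching Match block overrides the global section.
Assumption: Match criteria are limited to User, Group and exact Address (no CIDR).
"""
import re

# Built-in defaults for the keywords audited here, taken from the commented
# values in the FreeBSD sshd_config above.
DEFAULTS = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
    "x11forwarding": "yes",
    "allowtcpforwarding": "yes",
    "noneenabled": "no",
    "forcecommand": "none",
}

def parse(text):
    """Return (global_directives, match_blocks); keywords lowercased as sshd does."""
    global_directives, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # blank or commented: no value obtained
        m = re.match(r"^(\S+?)[\s=]+(.*)$", line)
        if not m:
            raise ValueError("malformed line: %r" % raw)
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":                  # "User anoncvs" -> {"user": "anoncvs"}
            toks = val.split()
            current = ({k.lower(): v for k, v in zip(toks[::2], toks[1::2])}, [])
            blocks.append(current)
        elif current is None:
            global_directives.append((key, val))
        else:
            current[1].append((key, val))
    return global_directives, blocks

def effective(text, conn):
    """Effective settings for one connection; conn maps criteria (user, ...) to values."""
    global_directives, blocks = parse(text)
    matching = [kv for crit, d in blocks
                if all(conn.get(k) == v for k, v in crit.items()) for kv in d]
    settings = dict(DEFAULTS)
    for directives in (global_directives, matching):   # Match values override globals
        first = {}
        for key, val in directives:
            first.setdefault(key, val)                  # first obtained value wins
        settings.update(first)
    return settings

def audit(s):
    """Findings for the weak combinations the comments in this file warn about."""
    pam_auth = s["usepam"] == "yes" and s["challengeresponseauthentication"] == "yes"
    findings = []
    if "1" in s["protocol"].replace(" ", "").split(","):
        findings.append("Protocol 1 is enabled")
    if s["permitrootlogin"] != "no":
        findings.append("PermitRootLogin %s: root may log in over SSH" % s["permitrootlogin"])
    if pam_auth and s["permitrootlogin"] == "without-password":
        findings.append("PAM via ChallengeResponseAuthentication may bypass "
                        "PermitRootLogin without-password")
    if s["passwordauthentication"] == "yes" or pam_auth:
        findings.append("password-style authentication is reachable "
                        "(PasswordAuthentication or PAM keyboard-interactive)")
    if s["noneenabled"] == "yes":
        findings.append("NoneEnabled yes: the NONE cipher may be negotiated for bulk data")
    return findings

# Constructed configs for the demonstration, not from any real host. WEAK_CONFIG
# has the combination the UsePAM comment warns about, and repeats
# PasswordAuthentication to show that the first obtained value wins.
WEAK_CONFIG = """
PermitRootLogin without-password
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
PasswordAuthentication no
"""

# HARDENED_CONFIG keeps UsePAM for account/session checks, turns off both PAM
# authentication paths, and adds the file's per-user Match example.
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match User anoncvs
	X11Forwarding no
	AllowTcpForwarding no
	ForceCommand cvs server
"""
```

effective(HARDENED_CONFIG, {"user": "anoncvs"}) resolves to ForceCommand cvs server with X11 and TCP forwarding off, any other user keeps the global settings, and audit() returns no findings for either; for WEAK_CONFIG it reports the PermitRootLogin without-password bypass and shows that the first PasswordAuthentication line (yes) is the one in force. On a real host the same check is done with sshd -T, using -C to name the user and address of the connection, which prints the settings sshd itself resolved.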