xref: /freebsd/crypto/openssh/sshd_config (revision f388f5ef2694c14a9c45d0b328d12bdc2c2e6d83)
#	$OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
#	$FreeBSD$

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20020629

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 120
#PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server
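
The convention stated in the file's header comment (commented `#Keyword value` lines document defaults, uncommented lines override them) can be checked mechanically when reviewing a deployed copy. The Python below is an added example, not part of the FreeBSD or OpenSSH sources; the `parse` and `findings` helpers, the review rules and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of the file above: "#Keyword value" documents
# a default, "# text" is prose, and an uncommented line is an override.
SAMPLE = """\
# Logging
#obsoletes QuietMode and FascistLogging
#Protocol 2,1
#PermitRootLogin no
#PasswordAuthentication yes
PermitEmptyPasswords no
Subsystem\tsftp\t/usr/libexec/sftp-server
"""

# Heuristic: a documented default has no space after '#' and a capitalised
# keyword, which keeps "#obsoletes ..." and "#\t$OpenBSD: ..." out of the result.
DEFAULT_RE = re.compile(r"^#([A-Z][A-Za-z0-9]*)\s+(\S.*)$")
ACTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s+(\S.*)$")

# Review rules (assumptions of this example, not an exhaustive policy).
RULES = {
    "protocol": lambda v: "1" in re.split(r"\s*,\s*", v),
    "passwordauthentication": lambda v: v.lower() == "yes",
    "permitemptypasswords": lambda v: v.lower() == "yes",
    "permitrootlogin": lambda v: v.lower() == "yes",
    "rhostsauthentication": lambda v: v.lower() == "yes",
}

def parse(text):
    """Return (defaults, overrides): dicts of lowercased keyword -> value."""
    defaults, overrides = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACTIVE_RE.match(line)
        if m:
            # Keywords are case-insensitive; the first value seen is the one used.
            overrides.setdefault(m.group(1).lower(), m.group(2).strip())
            continue
        m = DEFAULT_RE.match(line)
        if m:
            defaults.setdefault(m.group(1).lower(), m.group(2).strip())
    return defaults, overrides

def findings(text):
    """Flag keywords whose value (override, else documented default) trips a rule."""
    defaults, overrides = parse(text)
    effective = {**defaults, **overrides}
    return sorted((k, effective[k], "override" if k in overrides else "default")
                  for k in effective if k in RULES and RULES[k](effective[k]))
```

A finding marked `default` reflects only what the file documents; the value actually in force comes from the sshd binary the file ships with.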