1# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ 2# $FreeBSD$ 3 4# This is the sshd server system-wide configuration file. See 5# sshd_config(5) for more information. 6 7# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 8 9# The strategy used for options in the default sshd_config shipped with 10# OpenSSH is to specify options with their default value where 11# possible, but leave them commented. Uncommented options override the 12# default value. 13 14# Note that some of FreeBSD's defaults differ from OpenBSD's, and 15# FreeBSD has a few additional options. 16 17#Port 22 18#AddressFamily any 19#ListenAddress 0.0.0.0 20#ListenAddress :: 21 22#HostKey /etc/ssh/ssh_host_rsa_key 23#HostKey /etc/ssh/ssh_host_dsa_key 24#HostKey /etc/ssh/ssh_host_ecdsa_key 25#HostKey /etc/ssh/ssh_host_ed25519_key 26 27# Ciphers and keying 28#RekeyLimit default none 29 30# Logging 31#SyslogFacility AUTH 32#LogLevel INFO 33 34# Authentication: 35 36#LoginGraceTime 2m 37#PermitRootLogin no 38#StrictModes yes 39#MaxAuthTries 6 40#MaxSessions 10 41 42#PubkeyAuthentication yes 43 44# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 45# but this is overridden so installations will only check .ssh/authorized_keys 46AuthorizedKeysFile .ssh/authorized_keys 47 48#AuthorizedPrincipalsFile none 49 50#AuthorizedKeysCommand none 51#AuthorizedKeysCommandUser nobody 52 53# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 54#HostbasedAuthentication no 55# Change to yes if you don't trust ~/.ssh/known_hosts for 56# HostbasedAuthentication 57#IgnoreUserKnownHosts no 58# Don't read the user's ~/.rhosts and ~/.shosts files 59#IgnoreRhosts yes 60 61# Change to yes to enable built-in password authentication. 62#PasswordAuthentication no 63#PermitEmptyPasswords no 64 65# Change to no to disable PAM authentication 66#ChallengeResponseAuthentication yes 67 68# Kerberos options 69#KerberosAuthentication no 70#KerberosOrLocalPasswd yes 71#KerberosTicketCleanup yes 72#KerberosGetAFSToken no 73 74# GSSAPI options 75#GSSAPIAuthentication no 76#GSSAPICleanupCredentials yes 77 78# Set this to 'no' to disable PAM authentication, account processing, 79# and session processing. If this is enabled, PAM authentication will 80# be allowed through the ChallengeResponseAuthentication and 81# PasswordAuthentication. Depending on your PAM configuration, 82# PAM authentication via ChallengeResponseAuthentication may bypass 83# the setting of "PermitRootLogin without-password". 84# If you just want the PAM account and session checks to run without 85# PAM authentication, then enable this but set PasswordAuthentication 86# and ChallengeResponseAuthentication to 'no'. 87#UsePAM yes 88 89#AllowAgentForwarding yes 90#AllowTcpForwarding yes 91#GatewayPorts no 92#X11Forwarding yes 93#X11DisplayOffset 10 94#X11UseLocalhost yes 95#PermitTTY yes 96#PrintMotd yes 97#PrintLastLog yes 98#TCPKeepAlive yes 99#PermitUserEnvironment no 100#Compression delayed 101#ClientAliveInterval 0 102#ClientAliveCountMax 3 103#UseDNS yes 104#PidFile /var/run/sshd.pid 105#MaxStartups 10:30:100 106#PermitTunnel no 107#ChrootDirectory none 108#UseBlacklist no 109#VersionAddendum FreeBSD-20170804 110 111# no default banner path 112#Banner none 113 114# override default of no subsystems 115Subsystem sftp /usr/libexec/sftp-server 116 117# Example of overriding settings on a per-user basis 118#Match User anoncvs 119# X11Forwarding no 120# AllowTcpForwarding no 121# PermitTTY no 122# ForceCommand cvs server 123