xref: /freebsd/crypto/openssh/sshd_config (revision 396c556d77189a5c474d35cec6f44a762e310b7d)
1#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
2#	$FreeBSD$
3
4# This is the sshd server system-wide configuration file.  See
5# sshd_config(5) for more information.
6
7# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
8
9# The strategy used for options in the default sshd_config shipped with
10# OpenSSH is to specify options with their default value where
11# possible, but leave them commented.  Uncommented options override the
12# default value.
13
14# Note that some of FreeBSD's defaults differ from OpenBSD's, and
15# FreeBSD has a few additional options.
16
17#Port 22
18#AddressFamily any
19#ListenAddress 0.0.0.0
20#ListenAddress ::
21
22#HostKey /etc/ssh/ssh_host_rsa_key
23#HostKey /etc/ssh/ssh_host_dsa_key
24#HostKey /etc/ssh/ssh_host_ecdsa_key
25#HostKey /etc/ssh/ssh_host_ed25519_key
26
27# Ciphers and keying
28#RekeyLimit default none
29
30# Logging
31#SyslogFacility AUTH
32#LogLevel INFO
33
34# Authentication:
35
36#LoginGraceTime 2m
37#PermitRootLogin no
38#StrictModes yes
39#MaxAuthTries 6
40#MaxSessions 10
41
42#PubkeyAuthentication yes
43
44# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
45# but this is overridden so installations will only check .ssh/authorized_keys
46AuthorizedKeysFile	.ssh/authorized_keys
47
48#AuthorizedPrincipalsFile none
49
50#AuthorizedKeysCommand none
51#AuthorizedKeysCommandUser nobody
52
53# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
54#HostbasedAuthentication no
55# Change to yes if you don't trust ~/.ssh/known_hosts for
56# HostbasedAuthentication
57#IgnoreUserKnownHosts no
58# Don't read the user's ~/.rhosts and ~/.shosts files
59#IgnoreRhosts yes
60
61# Change to yes to enable built-in password authentication.
62#PasswordAuthentication no
63#PermitEmptyPasswords no
64
65# Change to no to disable PAM authentication
66#ChallengeResponseAuthentication yes
67
68# Kerberos options
69#KerberosAuthentication no
70#KerberosOrLocalPasswd yes
71#KerberosTicketCleanup yes
72#KerberosGetAFSToken no
73
74# GSSAPI options
75#GSSAPIAuthentication no
76#GSSAPICleanupCredentials yes
77
78# Set this to 'no' to disable PAM authentication, account processing,
79# and session processing. If this is enabled, PAM authentication will
80# be allowed through the ChallengeResponseAuthentication and
81# PasswordAuthentication.  Depending on your PAM configuration,
82# PAM authentication via ChallengeResponseAuthentication may bypass
83# the setting of "PermitRootLogin without-password".
84# If you just want the PAM account and session checks to run without
85# PAM authentication, then enable this but set PasswordAuthentication
86# and ChallengeResponseAuthentication to 'no'.
87#UsePAM yes
88
89#AllowAgentForwarding yes
90#AllowTcpForwarding yes
91#GatewayPorts no
92#X11Forwarding yes
93#X11DisplayOffset 10
94#X11UseLocalhost yes
95#PermitTTY yes
96#PrintMotd yes
97#PrintLastLog yes
98#TCPKeepAlive yes
99#PermitUserEnvironment no
100#Compression delayed
101#ClientAliveInterval 0
102#ClientAliveCountMax 3
103#UseDNS yes
104#PidFile /var/run/sshd.pid
105#MaxStartups 10:30:100
106#PermitTunnel no
107#ChrootDirectory none
108#UseBlacklist no
109#VersionAddendum FreeBSD-20170804
110
111# no default banner path
112#Banner none
113
114# override default of no subsystems
115Subsystem	sftp	/usr/libexec/sftp-server
116
117# Example of overriding settings on a per-user basis
118#Match User anoncvs
119#	X11Forwarding no
120#	AllowTcpForwarding no
121#	PermitTTY no
122#	ForceCommand cvs server
123