1# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ 2# $FreeBSD$ 3 4# This is the sshd server system-wide configuration file. See 5# sshd_config(5) for more information. 6 7# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 8 9# The strategy used for options in the default sshd_config shipped with 10# OpenSSH is to specify options with their default value where 11# possible, but leave them commented. Uncommented options override the 12# default value. 13 14# Note that some of FreeBSD's defaults differ from OpenBSD's, and 15# FreeBSD has a few additional options. 16 17#Port 22 18#AddressFamily any 19#ListenAddress 0.0.0.0 20#ListenAddress :: 21 22# The default requires explicit activation of protocol 1 23#Protocol 2 24 25# HostKey for protocol version 1 26#HostKey /etc/ssh/ssh_host_key 27# HostKeys for protocol version 2 28#HostKey /etc/ssh/ssh_host_rsa_key 29#HostKey /etc/ssh/ssh_host_dsa_key 30#HostKey /etc/ssh/ssh_host_ecdsa_key 31#HostKey /etc/ssh/ssh_host_ed25519_key 32 33# Lifetime and size of ephemeral version 1 server key 34#KeyRegenerationInterval 1h 35#ServerKeyBits 1024 36 37# Ciphers and keying 38#RekeyLimit default none 39 40# Logging 41# obsoletes QuietMode and FascistLogging 42#SyslogFacility AUTH 43#LogLevel INFO 44 45# Authentication: 46 47#LoginGraceTime 2m 48#PermitRootLogin no 49#StrictModes yes 50#MaxAuthTries 6 51#MaxSessions 10 52 53#RSAAuthentication yes 54#PubkeyAuthentication yes 55 56# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 57#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 58 59#AuthorizedPrincipalsFile none 60 61#AuthorizedKeysCommand none 62#AuthorizedKeysCommandUser nobody 63 64# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 65#RhostsRSAAuthentication no 66# similar for protocol version 2 67#HostbasedAuthentication no 68# Change to yes if you don't trust ~/.ssh/known_hosts for 69# RhostsRSAAuthentication and HostbasedAuthentication 70#IgnoreUserKnownHosts no 71# Don't read the user's ~/.rhosts and ~/.shosts files 72#IgnoreRhosts yes 73 74# Change to yes to enable built-in password authentication. 75#PasswordAuthentication no 76#PermitEmptyPasswords no 77 78# Change to no to disable PAM authentication 79#ChallengeResponseAuthentication yes 80 81# Kerberos options 82#KerberosAuthentication no 83#KerberosOrLocalPasswd yes 84#KerberosTicketCleanup yes 85#KerberosGetAFSToken no 86 87# GSSAPI options 88#GSSAPIAuthentication no 89#GSSAPICleanupCredentials yes 90 91# Set this to 'no' to disable PAM authentication, account processing, 92# and session processing. If this is enabled, PAM authentication will 93# be allowed through the ChallengeResponseAuthentication and 94# PasswordAuthentication. Depending on your PAM configuration, 95# PAM authentication via ChallengeResponseAuthentication may bypass 96# the setting of "PermitRootLogin without-password". 97# If you just want the PAM account and session checks to run without 98# PAM authentication, then enable this but set PasswordAuthentication 99# and ChallengeResponseAuthentication to 'no'. 100#UsePAM yes 101 102#AllowAgentForwarding yes 103#AllowTcpForwarding yes 104#GatewayPorts no 105#X11Forwarding yes 106#X11DisplayOffset 10 107#X11UseLocalhost yes 108#PermitTTY yes 109#PrintMotd yes 110#PrintLastLog yes 111#TCPKeepAlive yes 112#UseLogin no 113#UsePrivilegeSeparation sandbox 114#PermitUserEnvironment no 115#Compression delayed 116#ClientAliveInterval 0 117#ClientAliveCountMax 3 118#UseDNS yes 119#PidFile /var/run/sshd.pid 120#MaxStartups 10:30:100 121#PermitTunnel no 122#ChrootDirectory none 123#UseBlacklist no 124#VersionAddendum FreeBSD-20161230 125 126# no default banner path 127#Banner none 128 129# override default of no subsystems 130Subsystem sftp /usr/libexec/sftp-server 131 132# Example of overriding settings on a per-user basis 133#Match User anoncvs 134# X11Forwarding no 135# AllowTcpForwarding no 136# PermitTTY no 137# ForceCommand cvs server 138