xref: /freebsd/crypto/openssh/sshd_config (revision 7aa383846770374466b1dcb2cefd71bde9acf463)
1#	$OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $
2#	$FreeBSD$
3
4# This is the sshd server system-wide configuration file.  See
5# sshd_config(5) for more information.
6
7# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
8
9# The strategy used for options in the default sshd_config shipped with
10# OpenSSH is to specify options with their default value where
11# possible, but leave them commented.  Uncommented options change a
12# default value.
13
14# Note that some of FreeBSD's defaults differ from OpenBSD's, and
15# FreeBSD has a few additional options.
16
17#VersionAddendum FreeBSD-20100428
18
19#Port 22
20#AddressFamily any
21#ListenAddress 0.0.0.0
22#ListenAddress ::
23
24# The default requires explicit activation of protocol 1
25#Protocol 2
26
27# HostKey for protocol version 1
28#HostKey /etc/ssh/ssh_host_key
29# HostKeys for protocol version 2
30#HostKey /etc/ssh/ssh_host_rsa_key
31#HostKey /etc/ssh/ssh_host_dsa_key
32
33# Lifetime and size of ephemeral version 1 server key
34#KeyRegenerationInterval 1h
35#ServerKeyBits 1024
36
37# Logging
38# obsoletes QuietMode and FascistLogging
39#SyslogFacility AUTH
40#LogLevel INFO
41
42# Authentication:
43
44#LoginGraceTime 2m
45#PermitRootLogin no
46#StrictModes yes
47#MaxAuthTries 6
48#MaxSessions 10
49
50#RSAAuthentication yes
51#PubkeyAuthentication yes
52#AuthorizedKeysFile	.ssh/authorized_keys
53
54# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
55#RhostsRSAAuthentication no
56# similar for protocol version 2
57#HostbasedAuthentication no
58# Change to yes if you don't trust ~/.ssh/known_hosts for
59# RhostsRSAAuthentication and HostbasedAuthentication
60#IgnoreUserKnownHosts no
61# Don't read the user's ~/.rhosts and ~/.shosts files
62#IgnoreRhosts yes
63
64# Change to yes to enable built-in password authentication.
65#PasswordAuthentication no
66#PermitEmptyPasswords no
67
68# Change to no to disable PAM authentication
69#ChallengeResponseAuthentication yes
70
71# Kerberos options
72#KerberosAuthentication no
73#KerberosOrLocalPasswd yes
74#KerberosTicketCleanup yes
75#KerberosGetAFSToken no
76
77# GSSAPI options
78#GSSAPIAuthentication no
79#GSSAPICleanupCredentials yes
80
81# Set this to 'no' to disable PAM authentication, account processing,
82# and session processing. If this is enabled, PAM authentication will
83# be allowed through the ChallengeResponseAuthentication and
84# PasswordAuthentication.  Depending on your PAM configuration,
85# PAM authentication via ChallengeResponseAuthentication may bypass
86# the setting of "PermitRootLogin without-password".
87# If you just want the PAM account and session checks to run without
88# PAM authentication, then enable this but set PasswordAuthentication
89# and ChallengeResponseAuthentication to 'no'.
90#UsePAM yes
91
92#AllowAgentForwarding yes
93#AllowTcpForwarding yes
94#GatewayPorts no
95#X11Forwarding yes
96#X11DisplayOffset 10
97#X11UseLocalhost yes
98#PrintMotd yes
99#PrintLastLog yes
100#TCPKeepAlive yes
101#UseLogin no
102#UsePrivilegeSeparation yes
103#PermitUserEnvironment no
104#Compression delayed
105#ClientAliveInterval 0
106#ClientAliveCountMax 3
107#UseDNS yes
108#PidFile /var/run/sshd.pid
109#MaxStartups 10
110#PermitTunnel no
111#ChrootDirectory none
112
113# no default banner path
114#Banner none
115
116# override default of no subsystems
117Subsystem	sftp	/usr/libexec/sftp-server
118
119# Example of overriding settings on a per-user basis
120#Match User anoncvs
121#	X11Forwarding no
122#	AllowTcpForwarding no
123#	ForceCommand cvs server
124