xref: /freebsd/crypto/openssh/sshd_config (revision ca86bcf2531c7b149c95244a67853d44323e7855)
1#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
2#	$FreeBSD$
3
4# This is the sshd server system-wide configuration file.  See
5# sshd_config(5) for more information.
6
7# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
8
9# The strategy used for options in the default sshd_config shipped with
10# OpenSSH is to specify options with their default value where
11# possible, but leave them commented.  Uncommented options override the
12# default value.
13
14# Note that some of FreeBSD's defaults differ from OpenBSD's, and
15# FreeBSD has a few additional options.
16
17#Port 22
18#AddressFamily any
19#ListenAddress 0.0.0.0
20#ListenAddress ::
21
22#HostKey /etc/ssh/ssh_host_rsa_key
23#HostKey /etc/ssh/ssh_host_dsa_key
24#HostKey /etc/ssh/ssh_host_ecdsa_key
25#HostKey /etc/ssh/ssh_host_ed25519_key
26
27# Ciphers and keying
28#RekeyLimit default none
29
30# Logging
31#SyslogFacility AUTH
32#LogLevel INFO
33
34# Authentication:
35
36#LoginGraceTime 2m
37#PermitRootLogin no
38#StrictModes yes
39#MaxAuthTries 6
40#MaxSessions 10
41
42#PubkeyAuthentication yes
43
44# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
45#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
46
47#AuthorizedPrincipalsFile none
48
49#AuthorizedKeysCommand none
50#AuthorizedKeysCommandUser nobody
51
52# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
53#HostbasedAuthentication no
54# Change to yes if you don't trust ~/.ssh/known_hosts for
55# HostbasedAuthentication
56#IgnoreUserKnownHosts no
57# Don't read the user's ~/.rhosts and ~/.shosts files
58#IgnoreRhosts yes
59
60# Change to yes to enable built-in password authentication.
61#PasswordAuthentication no
62#PermitEmptyPasswords no
63
64# Change to no to disable PAM authentication
65#ChallengeResponseAuthentication yes
66
67# Kerberos options
68#KerberosAuthentication no
69#KerberosOrLocalPasswd yes
70#KerberosTicketCleanup yes
71#KerberosGetAFSToken no
72
73# GSSAPI options
74#GSSAPIAuthentication no
75#GSSAPICleanupCredentials yes
76
77# Set this to 'no' to disable PAM authentication, account processing,
78# and session processing. If this is enabled, PAM authentication will
79# be allowed through the ChallengeResponseAuthentication and
80# PasswordAuthentication.  Depending on your PAM configuration,
81# PAM authentication via ChallengeResponseAuthentication may bypass
82# the setting of "PermitRootLogin without-password".
83# If you just want the PAM account and session checks to run without
84# PAM authentication, then enable this but set PasswordAuthentication
85# and ChallengeResponseAuthentication to 'no'.
86#UsePAM yes
87
88#AllowAgentForwarding yes
89#AllowTcpForwarding yes
90#GatewayPorts no
91#X11Forwarding yes
92#X11DisplayOffset 10
93#X11UseLocalhost yes
94#PermitTTY yes
95#PrintMotd yes
96#PrintLastLog yes
97#TCPKeepAlive yes
98#UsePrivilegeSeparation sandbox
99#PermitUserEnvironment no
100#Compression delayed
101#ClientAliveInterval 0
102#ClientAliveCountMax 3
103#UseDNS yes
104#PidFile /var/run/sshd.pid
105#MaxStartups 10:30:100
106#PermitTunnel no
107#ChrootDirectory none
108#UseBlacklist no
109#VersionAddendum FreeBSD-20170305
110
111# no default banner path
112#Banner none
113
114# override default of no subsystems
115Subsystem	sftp	/usr/libexec/sftp-server
116
117# Example of overriding settings on a per-user basis
118#Match User anoncvs
119#	X11Forwarding no
120#	AllowTcpForwarding no
121#	PermitTTY no
122#	ForceCommand cvs server
123