1# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ 2# $FreeBSD$ 3 4# This is the sshd server system-wide configuration file. See 5# sshd_config(5) for more information. 6 7# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 8 9# The strategy used for options in the default sshd_config shipped with 10# OpenSSH is to specify options with their default value where 11# possible, but leave them commented. Uncommented options override the 12# default value. 13 14# Note that some of FreeBSD's defaults differ from OpenBSD's, and 15# FreeBSD has a few additional options. 16 17#Port 22 18#AddressFamily any 19#ListenAddress 0.0.0.0 20#ListenAddress :: 21 22#HostKey /etc/ssh/ssh_host_rsa_key 23#HostKey /etc/ssh/ssh_host_ecdsa_key 24#HostKey /etc/ssh/ssh_host_ed25519_key 25 26# Ciphers and keying 27#RekeyLimit default none 28 29# Logging 30#SyslogFacility AUTH 31#LogLevel INFO 32 33# Authentication: 34 35#LoginGraceTime 2m 36#PermitRootLogin no 37#StrictModes yes 38#MaxAuthTries 6 39#MaxSessions 10 40 41#PubkeyAuthentication yes 42 43# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 44# but this is overridden so installations will only check .ssh/authorized_keys 45AuthorizedKeysFile .ssh/authorized_keys 46 47#AuthorizedPrincipalsFile none 48 49#AuthorizedKeysCommand none 50#AuthorizedKeysCommandUser nobody 51 52# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 53#HostbasedAuthentication no 54# Change to yes if you don't trust ~/.ssh/known_hosts for 55# HostbasedAuthentication 56#IgnoreUserKnownHosts no 57# Don't read the user's ~/.rhosts and ~/.shosts files 58#IgnoreRhosts yes 59 60# Change to yes to enable built-in password authentication. 61#PasswordAuthentication no 62#PermitEmptyPasswords no 63 64# Change to no to disable PAM authentication 65#ChallengeResponseAuthentication yes 66 67# Kerberos options 68#KerberosAuthentication no 69#KerberosOrLocalPasswd yes 70#KerberosTicketCleanup yes 71#KerberosGetAFSToken no 72 73# GSSAPI options 74#GSSAPIAuthentication no 75#GSSAPICleanupCredentials yes 76 77# Set this to 'no' to disable PAM authentication, account processing, 78# and session processing. If this is enabled, PAM authentication will 79# be allowed through the ChallengeResponseAuthentication and 80# PasswordAuthentication. Depending on your PAM configuration, 81# PAM authentication via ChallengeResponseAuthentication may bypass 82# the setting of "PermitRootLogin without-password". 83# If you just want the PAM account and session checks to run without 84# PAM authentication, then enable this but set PasswordAuthentication 85# and ChallengeResponseAuthentication to 'no'. 86#UsePAM yes 87 88#AllowAgentForwarding yes 89#AllowTcpForwarding yes 90#GatewayPorts no 91#X11Forwarding yes 92#X11DisplayOffset 10 93#X11UseLocalhost yes 94#PermitTTY yes 95#PrintMotd yes 96#PrintLastLog yes 97#TCPKeepAlive yes 98#PermitUserEnvironment no 99#Compression delayed 100#ClientAliveInterval 0 101#ClientAliveCountMax 3 102#UseDNS yes 103#PidFile /var/run/sshd.pid 104#MaxStartups 10:30:100 105#PermitTunnel no 106#ChrootDirectory none 107#UseBlacklist no 108#VersionAddendum FreeBSD-20180909 109 110# no default banner path 111#Banner none 112 113# override default of no subsystems 114Subsystem sftp /usr/libexec/sftp-server 115 116# Example of overriding settings on a per-user basis 117#Match User anoncvs 118# X11Forwarding no 119# AllowTcpForwarding no 120# PermitTTY no 121# ForceCommand cvs server 122