1# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $ 2# $FreeBSD$ 3 4# This is the sshd server system-wide configuration file. See 5# sshd_config(5) for more information. 6 7# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 8 9# The strategy used for options in the default sshd_config shipped with 10# OpenSSH is to specify options with their default value where 11# possible, but leave them commented. Uncommented options override the 12# default value. 13 14# Note that some of FreeBSD's defaults differ from OpenBSD's, and 15# FreeBSD has a few additional options. 16 17#Port 22 18#AddressFamily any 19#ListenAddress 0.0.0.0 20#ListenAddress :: 21 22# The default requires explicit activation of protocol 1 23#Protocol 2 24 25# HostKey for protocol version 1 26#HostKey /etc/ssh/ssh_host_key 27# HostKeys for protocol version 2 28#HostKey /etc/ssh/ssh_host_rsa_key 29#HostKey /etc/ssh/ssh_host_dsa_key 30#HostKey /etc/ssh/ssh_host_ecdsa_key 31 32# Lifetime and size of ephemeral version 1 server key 33#KeyRegenerationInterval 1h 34#ServerKeyBits 1024 35 36# Logging 37# obsoletes QuietMode and FascistLogging 38#SyslogFacility AUTH 39#LogLevel INFO 40 41# Authentication: 42 43#LoginGraceTime 2m 44#PermitRootLogin no 45#StrictModes yes 46#MaxAuthTries 6 47#MaxSessions 10 48 49#RSAAuthentication yes 50#PubkeyAuthentication yes 51 52# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 53#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 54 55#AuthorizedPrincipalsFile none 56 57#AuthorizedKeysCommand none 58#AuthorizedKeysCommandUser nobody 59 60# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 61#RhostsRSAAuthentication no 62# similar for protocol version 2 63#HostbasedAuthentication no 64# Change to yes if you don't trust ~/.ssh/known_hosts for 65# RhostsRSAAuthentication and HostbasedAuthentication 66#IgnoreUserKnownHosts no 67# Don't read the user's ~/.rhosts and ~/.shosts files 68#IgnoreRhosts yes 69 70# Change to yes to enable built-in password authentication. 71#PasswordAuthentication no 72#PermitEmptyPasswords no 73 74# Change to no to disable PAM authentication 75#ChallengeResponseAuthentication yes 76 77# Kerberos options 78#KerberosAuthentication no 79#KerberosOrLocalPasswd yes 80#KerberosTicketCleanup yes 81#KerberosGetAFSToken no 82 83# GSSAPI options 84#GSSAPIAuthentication no 85#GSSAPICleanupCredentials yes 86 87# Set this to 'no' to disable PAM authentication, account processing, 88# and session processing. If this is enabled, PAM authentication will 89# be allowed through the ChallengeResponseAuthentication and 90# PasswordAuthentication. Depending on your PAM configuration, 91# PAM authentication via ChallengeResponseAuthentication may bypass 92# the setting of "PermitRootLogin without-password". 93# If you just want the PAM account and session checks to run without 94# PAM authentication, then enable this but set PasswordAuthentication 95# and ChallengeResponseAuthentication to 'no'. 96#UsePAM yes 97 98#AllowAgentForwarding yes 99#AllowTcpForwarding yes 100#GatewayPorts no 101#X11Forwarding yes 102#X11DisplayOffset 10 103#X11UseLocalhost yes 104#PrintMotd yes 105#PrintLastLog yes 106#TCPKeepAlive yes 107#UseLogin no 108#UsePrivilegeSeparation sandbox 109#PermitUserEnvironment no 110#Compression delayed 111#ClientAliveInterval 0 112#ClientAliveCountMax 3 113#UseDNS yes 114#PidFile /var/run/sshd.pid 115#MaxStartups 10:30:100 116#PermitTunnel no 117#ChrootDirectory none 118#VersionAddendum FreeBSD-20130322 119 120# no default banner path 121#Banner none 122 123# override default of no subsystems 124Subsystem sftp /usr/libexec/sftp-server 125 126# Disable HPN tuning improvements. 127#HPNDisabled no 128 129# Buffer size for HPN to non-HPN connections. 130#HPNBufferSize 2048 131 132# TCP receive socket buffer polling for HPN. Disable on non autotuning kernels. 133#TcpRcvBufPoll yes 134 135# Allow the use of the NONE cipher. 136#NoneEnabled no 137 138# Example of overriding settings on a per-user basis 139#Match User anoncvs 140# X11Forwarding no 141# AllowTcpForwarding no 142# ForceCommand cvs server 143