sshd_config

1. # This is the sshd server system-wide configuration file.  See
2. # sshd_config(5) for more information.
3.  
4. # This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
5.  
6. # The strategy used for options in the default sshd_config shipped with
7. # OpenSSH is to specify options with their default value where
8. # possible, but leave them commented.  Uncommented options override the
9. # default value.
10.  
11. #Port 22
12. #AddressFamily any
13. #ListenAddress 0.0.0.0
14. #ListenAddress ::
15.  
16. #HostKey /etc/ssh/ssh_host_rsa_key
17. #HostKey /etc/ssh/ssh_host_ecdsa_key
18. #HostKey /etc/ssh/ssh_host_ed25519_key
19.  
20. # Ciphers and keying
21. #RekeyLimit default none
22.  
23. # Logging
24. #SyslogFacility AUTH
25. #LogLevel INFO
26.  
27. # Authentication:
28.  
29. RSAAuthentication yes
30. #LoginGraceTime 2m
31. #PermitRootLogin prohibit-password
32. #StrictModes yes
33. #MaxAuthTries 6
34. #MaxSessions 10
35.  
36. PubkeyAuthentication yes
37.  
38. # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
39. # but this is overridden so installations will only check .ssh/authorized_keys
40. AuthorizedKeysFile      .ssh/authorized_keys
41.  
42. #AuthorizedPrincipalsFile none
43.  
44. #AuthorizedKeysCommand none
45. #AuthorizedKeysCommandUser nobody
46.  
47. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
48. #HostbasedAuthentication no
49. # Change to yes if you don't trust ~/.ssh/known_hosts for
50. # HostbasedAuthentication
51. #IgnoreUserKnownHosts no
52. # Don't read the user's ~/.rhosts and ~/.shosts files
53. #IgnoreRhosts yes
54.  
55. # To disable tunneled clear text passwords, change to no here!
56. PasswordAuthentication no
57. #PermitEmptyPasswords no
58.  
59. # Change to no to disable s/key passwords
60. KbdInteractiveAuthentication no
61.  
62. # Kerberos options
63. #KerberosAuthentication no
64. #KerberosOrLocalPasswd yes
65. #KerberosTicketCleanup yes
66. #KerberosGetAFSToken no
67.  
68. # GSSAPI options
69. #GSSAPIAuthentication no
70. #GSSAPICleanupCredentials yes
71.  
72. # Set this to 'yes' to enable PAM authentication, account processing,
73. # and session processing. If this is enabled, PAM authentication will
74. # be allowed through the KbdInteractiveAuthentication and
75. # PasswordAuthentication.  Depending on your PAM configuration,
76. # PAM authentication via KbdInteractiveAuthentication may bypass
77. # the setting of "PermitRootLogin without-password".
78. # If you just want the PAM account and session checks to run without
79. # PAM authentication, then enable this but set PasswordAuthentication
80. # and KbdInteractiveAuthentication to 'no'.
81. UsePAM yes
82.  
83. #AllowAgentForwarding yes
84. # Feel free to re-enable these if your use case requires them.
85. AllowTcpForwarding yes
86. GatewayPorts clientspecified
87. X11Forwarding no
88. #X11DisplayOffset 10
89. #X11UseLocalhost yes
90. #PermitTTY yes
91. #PrintMotd yes
92. #PrintLastLog yes
93. #TCPKeepAlive yes
94. #PermitUserEnvironment no
95. #Compression delayed
96. #ClientAliveInterval 0
97. #ClientAliveCountMax 3
98. #UseDNS no
99. PidFile /config/sshd.pid
100. #MaxStartups 10:30:100
101. #PermitTunnel no
102. #ChrootDirectory none
103. #VersionAddendum none
104.  
105. # no default banner path
106. #Banner none
107.  
108. # override default of no subsystems
109. Subsystem       sftp    /usr/lib/ssh/sftp-server -u 022
110.  
111. # Example of overriding settings on a per-user basis
112. #Match User anoncvs
113. #       X11Forwarding no
114. #       AllowTcpForwarding no
115. #       PermitTTY no
116. #       ForceCommand cvs server