sshd_config

1. # $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
2.  
3. # This is the sshd server system-wide configuration file. See
4. # sshd_config(5) for more information.
5.  
6. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7.  
8. # The strategy used for options in the default sshd_config shipped with
9. # OpenSSH is to specify options with their default value where
10. # possible, but leave them commented. Uncommented options change a
11. # default value.
12.  
13. Port 22
14. AddressFamily any
15. ListenAddress 0.0.0.0
16. ListenAddress ::
17.  
18. # The default requires explicit activation of protocol 1
19. Protocol 2
20.  
21. # HostKey for protocol version 1
22. #HostKey /etc/ssh/ssh_host_key
23. # HostKeys for protocol version 2
24. #HostKey /etc/ssh/ssh_host_rsa_key
25. HostKey /etc/ssh/ssh_host_dsa_key
26. #HostKey /etc/ssh/ssh_host_ecdsa_key
27.  
28. # Lifetime and size of ephemeral version 1 server key
29. #KeyRegenerationInterval 1h
30. #ServerKeyBits 1024
31.  
32. # Logging
33. # obsoletes QuietMode and FascistLogging
34. SyslogFacility AUTH
35. LogLevel INFO
36.  
37. # Authentication:
38.  
39. #LoginGraceTime 2m
40. PermitRootLogin no
41. #StrictModes yes
42. #MaxAuthTries 6
43. #MaxSessions 10
44.  
45. RSAAuthentication no
46. PubkeyAuthentication yes
47. AuthorizedKeysFile .ssh/authorized_keys
48.  
49. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
50. #RhostsRSAAuthentication no
51. # similar for protocol version 2
52. #HostbasedAuthentication no
53. # Change to yes if you don't trust ~/.ssh/known_hosts for
54. # RhostsRSAAuthentication and HostbasedAuthentication
55. #IgnoreUserKnownHosts no
56. # Don't read the user's ~/.rhosts and ~/.shosts files
57. #IgnoreRhosts yes
58.  
59. # To disable tunneled clear text passwords, change to no here!
60. PasswordAuthentication yes
61. PermitEmptyPasswords no
62.  
63. # Change to no to disable s/key passwords
64. ChallengeResponseAuthentication no
65.  
66. # Kerberos options
67. #KerberosAuthentication no
68. #KerberosOrLocalPasswd yes
69. #KerberosTicketCleanup yes
70. #KerberosGetAFSToken no
71.  
72. # GSSAPI options
73. #GSSAPIAuthentication no
74. #GSSAPICleanupCredentials yes
75.  
76. # Set this to 'yes' to enable PAM authentication, account processing,
77. # and session processing. If this is enabled, PAM authentication will
78. # be allowed through the ChallengeResponseAuthentication and
79. # PasswordAuthentication. Depending on your PAM configuration,
80. # PAM authentication via ChallengeResponseAuthentication may bypass
81. # the setting of "PermitRootLogin without-password".
82. # If you just want the PAM account and session checks to run without
83. # PAM authentication, then enable this but set PasswordAuthentication
84. # and ChallengeResponseAuthentication to 'no'.
85. UsePAM yes
86.  
87. AllowAgentForwarding yes
88. AllowTcpForwarding yes
89. GatewayPorts yes
90. #X11Forwarding no
91. #X11DisplayOffset 10
92. #X11UseLocalhost yes
93. PrintMotd yes
94. PrintLastLog yes
95. TCPKeepAlive yes
96. UseLogin no
97. #UsePrivilegeSeparation yes
98. #PermitUserEnvironment no
99. #Compression delayed
100. #ClientAliveInterval 0
101. #ClientAliveCountMax 3
102. UseDNS yes
103. #PidFile /var/run/sshd.pid
104. #MaxStartups 10
105. PermitTunnel yes
106. #ChrootDirectory none
107.  
108. # no default banner path
109. #Banner none
110.  
111. # override default of no subsystems
112. Subsystem sftp /usr/lib/ssh/sftp-server
113.  
114. # Example of overriding settings on a per-user basis
115. #Match User anoncvs
116. # X11Forwarding no
117. # AllowTcpForwarding no
118. # ForceCommand cvs server