sshd_config

1. # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
2.  
3. # This is the sshd server system-wide configuration file. See
4. # sshd_config(5) for more information.
5.  
6. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7.  
8. # The strategy used for options in the default sshd_config shipped with
9. # OpenSSH is to specify options with their default value where
10. # possible, but leave them commented. Uncommented options override the
11. # default value.
12.  
13. #Port 22
14. #AddressFamily any
15. #ListenAddress 0.0.0.0
16. #ListenAddress ::
17.  
18. #HostKey /etc/ssh/ssh_host_rsa_key
19. #HostKey /etc/ssh/ssh_host_ecdsa_key
20. #HostKey /etc/ssh/ssh_host_ed25519_key
21.  
22. # Ciphers and keying
23. #RekeyLimit default none
24.  
25. # Logging
26. #SyslogFacility AUTH
27. #LogLevel INFO
28.  
29. # Authentication:
30.  
31. #LoginGraceTime 2m
32. PermitRootLogin yes
33. #StrictModes yes
34. #MaxAuthTries 6
35. #MaxSessions 10
36.  
37. #PubkeyAuthentication yes
38.  
39. # Expect .ssh/authorized_keys2 to be disregarded by default in future.
40. #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
41.  
42. #AuthorizedPrincipalsFile none
43.  
44. #AuthorizedKeysCommand none
45. #AuthorizedKeysCommandUser nobody
46.  
47. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
48. #HostbasedAuthentication no
49. # Change to yes if you don't trust ~/.ssh/known_hosts for
50. # HostbasedAuthentication
51. #IgnoreUserKnownHosts no
52. # Don't read the user's ~/.rhosts and ~/.shosts files
53. #IgnoreRhosts yes
54.  
55. # To disable tunneled clear text passwords, change to no here!
56. #PasswordAuthentication yes
57. #PermitEmptyPasswords no
58.  
59. # Change to yes to enable challenge-response passwords (beware issues with
60. # some PAM modules and threads)
61. ChallengeResponseAuthentication no
62.  
63. # Kerberos options
64. #KerberosAuthentication no
65. #KerberosOrLocalPasswd yes
66. #KerberosTicketCleanup yes
67. #KerberosGetAFSToken no
68.  
69. # GSSAPI options
70. #GSSAPIAuthentication no
71. #GSSAPICleanupCredentials yes
72. #GSSAPIStrictAcceptorCheck yes
73. #GSSAPIKeyExchange no
74.  
75. # Set this to 'yes' to enable PAM authentication, account processing,
76. # and session processing. If this is enabled, PAM authentication will
77. # be allowed through the ChallengeResponseAuthentication and
78. # PasswordAuthentication. Depending on your PAM configuration,
79. # PAM authentication via ChallengeResponseAuthentication may bypass
80. # the setting of "PermitRootLogin without-password".
81. # If you just want the PAM account and session checks to run without
82. # PAM authentication, then enable this but set PasswordAuthentication
83. # and ChallengeResponseAuthentication to 'no'.
84. UsePAM yes
85.  
86. #AllowAgentForwarding yes
87. #AllowTcpForwarding yes
88. #GatewayPorts no
89. X11Forwarding yes
90. #X11DisplayOffset 10
91. #X11UseLocalhost yes
92. #PermitTTY yes
93. PrintMotd no
94. #PrintLastLog yes
95. #TCPKeepAlive yes
96. #PermitUserEnvironment no
97. #Compression delayed
98. #ClientAliveInterval 0
99. #ClientAliveCountMax 3
100. #UseDNS no
101. #PidFile /var/run/sshd.pid
102. #MaxStartups 10:30:100
103. #PermitTunnel no
104. #ChrootDirectory none
105. #VersionAddendum none
106.  
107. # no default banner path
108. #Banner none
109.  
110. # Allow client to pass locale environment variables
111. AcceptEnv LANG LC_*
112.  
113. # override default of no subsystems
114. Subsystem sftp /usr/lib/openssh/sftp-server
115.  
116. # Example of overriding settings on a per-user basis
117. #Match User anoncvs
118. # X11Forwarding no
119. # AllowTcpForwarding no
120. # PermitTTY no
121. # ForceCommand cvs server