# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $# This is

1. # $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
2.  
3. # This is the sshd server system-wide configuration file. See
4. # sshd_config(5) for more information.
5.  
6. # This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
7.  
8. # The strategy used for options in the default sshd_config shipped with
9. # OpenSSH is to specify options with their default value where
10. # possible, but leave them commented. Uncommented options override the
11. # default value.
12.  
13. Port 3217
14. #AddressFamily any
15. #ListenAddress 0.0.0.0
16. #ListenAddress ::
17.  
18. #HostKey /etc/ssh/ssh_host_rsa_key
19. #HostKey /etc/ssh/ssh_host_dsa_key
20. #HostKey /etc/ssh/ssh_host_ecdsa_key
21. #HostKey /etc/ssh/ssh_host_ed25519_key
22.  
23. # Ciphers and keying
24. #RekeyLimit default none
25.  
26. # Logging
27. #SyslogFacility AUTH
28. #LogLevel INFO
29.  
30. # Authentication:
31.  
32. #LoginGraceTime 2m
33. #PermitRootLogin prohibit-password
34. #StrictModes yes
35. #MaxAuthTries 6
36. #MaxSessions 10
37.  
38. #PubkeyAuthentication yes
39.  
40. # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
41. # but this is overridden so installations will only check .ssh/authorized_keys
42. AuthorizedKeysFile .ssh/authorized_keys
43.  
44. #AuthorizedPrincipalsFile none
45.  
46. #AuthorizedKeysCommand none
47. #AuthorizedKeysCommandUser nobody
48.  
49. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
50. #HostbasedAuthentication no
51. # Change to yes if you don't trust ~/.ssh/known_hosts for
52. # HostbasedAuthentication
53. #IgnoreUserKnownHosts no
54. # Don't read the user's ~/.rhosts and ~/.shosts files
55. #IgnoreRhosts yes
56.  
57. # To disable tunneled clear text passwords, change to no here!
58. #PasswordAuthentication yes
59. #PermitEmptyPasswords no
60.  
61. # Change to no to disable s/key passwords
62. ChallengeResponseAuthentication no
63.  
64. # Kerberos options
65. #KerberosAuthentication no
66. #KerberosOrLocalPasswd yes
67. #KerberosTicketCleanup yes
68. #KerberosGetAFSToken no
69.  
70. # GSSAPI options
71. #GSSAPIAuthentication no
72. #GSSAPICleanupCredentials yes
73.  
74. # Set this to 'yes' to enable PAM authentication, account processing,
75. # and session processing. If this is enabled, PAM authentication will
76. # be allowed through the ChallengeResponseAuthentication and
77. # PasswordAuthentication. Depending on your PAM configuration,
78. # PAM authentication via ChallengeResponseAuthentication may bypass
79. # the setting of "PermitRootLogin without-password".
80. # If you just want the PAM account and session checks to run without
81. # PAM authentication, then enable this but set PasswordAuthentication
82. # and ChallengeResponseAuthentication to 'no'.
83. UsePAM no
84.  
85. #AllowAgentForwarding yes
86. #AllowTcpForwarding yes
87. #GatewayPorts no
88. #X11Forwarding no
89. #X11DisplayOffset 10
90. #X11UseLocalhost yes
91. #PermitTTY yes
92. #PrintMotd no # pam does that
93. #PrintLastLog yes
94. TCPKeepAlive no
95. #UseLogin no
96. #PermitUserEnvironment no
97. #Compression delayed
98. ClientAliveInterval 30
99. ClientAliveCountMax 240
100. #UseDNS no
101. #PidFile /run/sshd.pid
102. #MaxStartups 10:30:100
103. #PermitTunnel no
104. #ChrootDirectory none
105. #VersionAddendum none
106.  
107. # no default banner path
108. #Banner none
109.  
110. # override default of no subsystems
111. Subsystem sftp /usr/lib/ssh/sftp-server
112.  
113. # Example of overriding settings on a per-user basis
114. Match User readonly
115. ChrootDirectory %h
116. ForceCommand internal-sftp
117. AllowTcpForwarding no
118. X11Forwarding no
119. # PasswordAuthentication no
120.  
121. #Match User anoncvs
122. # X11Forwarding no
123. # AllowTcpForwarding no
124. # PermitTTY no
125. # ForceCommand cvs server