# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $# This is

1. # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
2.  
3. # This is the sshd server system-wide configuration file. See
4. # sshd_config(5) for more information.
5.  
6. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7.  
8. # The strategy used for options in the default sshd_config shipped with
9. # OpenSSH is to specify options with their default value where
10. # possible, but leave them commented. Uncommented options override the
11. # default value.
12.  
13. Include /etc/ssh/sshd_config.d/*.conf
14.  
15. #Port 22
16. #AddressFamily any
17. #ListenAddress 0.0.0.0
18. #ListenAddress ::
19.  
20. #HostKey /etc/ssh/ssh_host_rsa_key
21. #HostKey /etc/ssh/ssh_host_ecdsa_key
22. #HostKey /etc/ssh/ssh_host_ed25519_key
23.  
24. # Ciphers and keying
25. #RekeyLimit default none
26.  
27. # Logging
28. #SyslogFacility AUTH
29. #LogLevel INFO
30.  
31. # Authentication:
32.  
33. #LoginGraceTime 2m
34. #PermitRootLogin prohibit-password
35. #StrictModes yes
36. #MaxAuthTries 6
37. #MaxSessions 10
38.  
39. #PubkeyAuthentication yes
40.  
41. # Expect .ssh/authorized_keys2 to be disregarded by default in future.
42. #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
43.  
44. #AuthorizedPrincipalsFile none
45.  
46. #AuthorizedKeysCommand none
47. #AuthorizedKeysCommandUser nobody
48.  
49. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
50. #HostbasedAuthentication no
51. # Change to yes if you don't trust ~/.ssh/known_hosts for
52. # HostbasedAuthentication
53. #IgnoreUserKnownHosts no
54. # Don't read the user's ~/.rhosts and ~/.shosts files
55. #IgnoreRhosts yes
56.  
57. # To disable tunneled clear text passwords, change to no here!
58. PasswordAuthentication yes
59. #PermitEmptyPasswords no
60.  
61. # Change to yes to enable challenge-response passwords (beware issues with
62. # some PAM modules and threads)
63. ChallengeResponseAuthentication no
64.  
65. # Kerberos options
66. #KerberosAuthentication no
67. #KerberosOrLocalPasswd yes
68. #KerberosTicketCleanup yes
69. #KerberosGetAFSToken no
70.  
71. # GSSAPI options
72. #GSSAPIAuthentication no
73. #GSSAPICleanupCredentials yes
74. #GSSAPIStrictAcceptorCheck yes
75. #GSSAPIKeyExchange no
76.  
77. # Set this to 'yes' to enable PAM authentication, account processing,
78. # and session processing. If this is enabled, PAM authentication will
79. # be allowed through the ChallengeResponseAuthentication and
80. # PasswordAuthentication. Depending on your PAM configuration,
81. # PAM authentication via ChallengeResponseAuthentication may bypass
82. # the setting of "PermitRootLogin without-password".
83. # If you just want the PAM account and session checks to run without
84. # PAM authentication, then enable this but set PasswordAuthentication
85. # and ChallengeResponseAuthentication to 'no'.
86. UsePAM yes
87.  
88. #AllowAgentForwarding yes
89. #AllowTcpForwarding yes
90. #GatewayPorts no
91. X11Forwarding yes
92. #X11DisplayOffset 10
93. #X11UseLocalhost yes
94. #PermitTTY yes
95. PrintMotd no
96. #PrintLastLog yes
97. #TCPKeepAlive yes
98. #PermitUserEnvironment no
99. #Compression delayed
100. #ClientAliveInterval 0
101. #ClientAliveCountMax 3
102. #UseDNS no
103. #PidFile /var/run/sshd.pid
104. #MaxStartups 10:30:100
105. #PermitTunnel no
106. #ChrootDirectory none
107. #VersionAddendum none
108.  
109. # no default banner path
110. #Banner none
111.  
112. # Allow client to pass locale environment variables
113. AcceptEnv LANG LC_*
114.  
115. # override default of no subsystems
116. Subsystem sftp /usr/lib/openssh/sftp-server
117.  
118. # Example of overriding settings on a per-user basis
119. #Match User anoncvs
120. # X11Forwarding no
121. # AllowTcpForwarding no
122. # PermitTTY no
123. # ForceCommand cvs server