#$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

1. #$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # Logging SyslogFacility AUTH #LogLevel INFO # Authentication:
2.  
3. #LoginGraceTime 2m
4. #PermitRootLogin prohibit-password
5. #StrictModes yes
6. #MaxAuthTries 6
7. #MaxSessions 10
8.  
9. PubkeyAuthentication yes
10.  
11. # Expect .ssh/authorized_keys2 to be disregarded by default in future.
12. # .ssh/authorized_keys2
13. AuthorizedKeysFile .ssh/authorized_keys
14.  
15. #AuthorizedPrincipalsFile none
16.  
17. #AuthorizedKeysCommand none
18. #AuthorizedKeysCommandUser nobody
19.  
20. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
21. #HostbasedAuthentication no
22. # Change to yes if you don't trust ~/.ssh/known_hosts for
23. # HostbasedAuthentication
24. #IgnoreUserKnownHosts no
25. # Don't read the user's ~/.rhosts and ~/.shosts files
26. #IgnoreRhosts yes
27.  
28. # To disable tunneled clear text passwords, change to no here!
29. PasswordAuthentication yes
30. #PermitEmptyPasswords no
31.  
32. # Change to yes to enable challenge-response passwords (beware issues with
33. # some PAM modules and threads)
34. ChallengeResponseAuthentication no
35.  
36. # Kerberos options
37. #KerberosAuthentication no
38. #KerberosOrLocalPasswd yes
39. #KerberosTicketCleanup yes
40. #KerberosGetAFSToken no
41.  
42. # GSSAPI options
43. #GSSAPIAuthentication no
44. #GSSAPICleanupCredentials yes
45. #GSSAPIStrictAcceptorCheck yes
46. #GSSAPIKeyExchange no
47.  
48. # Set this to 'yes' to enable PAM authentication, account processing,
49. # and session processing. If this is enabled, PAM authentication will
50. # be allowed through the ChallengeResponseAuthentication and
51. # PasswordAuthentication. Depending on your PAM configuration,
52. # PAM authentication via ChallengeResponseAuthentication may bypass
53. # the setting of "PermitRootLogin without-password".
54. # If you just want the PAM account and session checks to run without
55. # PAM authentication, then enable this but set PasswordAuthentication
56. # and ChallengeResponseAuthentication to 'no'.
57. UsePAM yes
58.  
59. #AllowAgentForwarding yes
60. #AllowTcpForwarding yes
61. #GatewayPorts no
62. X11Forwarding yes
63. #X11DisplayOffset 10
64. #X11UseLocalhost yes
65. #PermitTTY yes
66. #PrintMotd no
67. #PrintLastLog yes
68. #TCPKeepAlive yes
69. #PermitUserEnvironment no
70. #Compression delayed
71. #ClientAliveInterval 0
72. #ClientAliveCountMax 3
73. #UseDNS no
74. #PidFile /var/run/sshd.pid
75. #MaxStartups 10:30:100
76. #PermitTunnel no
77. #ChrootDirectory none
78. #VersionAddendum none
79.  
80. # no default banner path
81. #Banner none
82.  
83. # Allow client to pass locale environment variables
84. AcceptEnv LANG LC_*
85.  
86. # override default of no subsystems
87. Subsystem powershell /etc/powershell/pwsh -sshs -NoLogo -NoProfile
88.  
89. # Example of overriding settings on a per-user basis
90. #Match User anoncvs
91. # X11Forwarding no
92. # AllowTcpForwarding no
93. # PermitTTY no
94. # ForceCommand cvs server