# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $# This is t

1. # $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
2.  
3. # This is the sshd server system-wide configuration file. See
4. # sshd_config(5) for more information.
5.  
6. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
7.  
8. # The strategy used for options in the default sshd_config shipped with
9. # OpenSSH is to specify options with their default value where
10. # possible, but leave them commented. Uncommented options change a
11. # default value.
12.  
13. #Port 22
14. #Protocol 2,1
15. Protocol 2
16. #AddressFamily any
17. #ListenAddress 0.0.0.0
18. #ListenAddress ::
19.  
20. # HostKey for protocol version 1
21. #HostKey /etc/ssh/ssh_host_key
22. # HostKeys for protocol version 2
23. #HostKey /etc/ssh/ssh_host_rsa_key
24. #HostKey /etc/ssh/ssh_host_dsa_key
25.  
26. # Lifetime and size of ephemeral version 1 server key
27. #KeyRegenerationInterval 1h
28. #ServerKeyBits 768
29.  
30. # Logging
31. # obsoletes QuietMode and FascistLogging
32. #SyslogFacility AUTH
33. SyslogFacility AUTHPRIV
34. #LogLevel INFO
35.  
36. # Authentication:
37.  
38. #LoginGraceTime 2m
39. #PermitRootLogin yes
40. #StrictModes yes
41. #MaxAuthTries 6
42.  
43. #RSAAuthentication yes
44. #PubkeyAuthentication yes
45. #AuthorizedKeysFile .ssh/authorized_keys
46.  
47. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
48. #RhostsRSAAuthentication no
49. # similar for protocol version 2
50. #HostbasedAuthentication no
51. # Change to yes if you don't trust ~/.ssh/known_hosts for
52. # RhostsRSAAuthentication and HostbasedAuthentication
53. #IgnoreUserKnownHosts no
54. # Don't read the user's ~/.rhosts and ~/.shosts files
55. #IgnoreRhosts yes
56.  
57. # To disable tunneled clear text passwords, change to no here!
58. #PasswordAuthentication yes
59. #PermitEmptyPasswords no
60. PasswordAuthentication yes
61.  
62. # Change to no to disable s/key passwords
63. #ChallengeResponseAuthentication yes
64. ChallengeResponseAuthentication no
65.  
66. # Kerberos options
67. #KerberosAuthentication no
68. #KerberosOrLocalPasswd yes
69. #KerberosTicketCleanup yes
70. #KerberosGetAFSToken no
71.  
72. # GSSAPI options
73. #GSSAPIAuthentication no
74. GSSAPIAuthentication yes
75. #GSSAPICleanupCredentials yes
76. GSSAPICleanupCredentials yes
77.  
78. # Set this to 'yes' to enable PAM authentication, account processing,
79. # and session processing. If this is enabled, PAM authentication will
80. # be allowed through the ChallengeResponseAuthentication mechanism.
81. # Depending on your PAM configuration, this may bypass the setting of
82. # PasswordAuthentication, PermitEmptyPasswords, and
83. # "PermitRootLogin without-password". If you just want the PAM account and
84. # session checks to run without PAM authentication, then enable this but set
85. # ChallengeResponseAuthentication=no
86. #UsePAM no
87. UsePAM yes
88.  
89. # Accept locale-related environment variables
90. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
91. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
92. AcceptEnv LC_IDENTIFICATION LC_ALL
93. #AllowTcpForwarding yes
94. #GatewayPorts no
95. #X11Forwarding no
96. X11Forwarding no
97. #X11DisplayOffset 10
98. #X11UseLocalhost yes
99. #PrintMotd yes
100. #PrintLastLog yes
101. #TCPKeepAlive yes
102. #UseLogin no
103. #UsePrivilegeSeparation yes
104. #PermitUserEnvironment no
105. #Compression delayed
106. #ClientAliveInterval 0
107. #ClientAliveCountMax 3
108. #ShowPatchLevel no
109. #UseDNS yes
110. #PidFile /var/run/sshd.pid
111. #MaxStartups 10
112. #PermitTunnel no
113.  
114. # no default banner path
115. #Banner /some/path
116.  
117. # override default of no subsystems
118. Subsystem sftp /usr/libexec/openssh/sftp-server