Emulatorman

sshd_config

Aug 12th, 2011
# $OpenBSD$

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# Review summary: the only uncommented (explicitly set) directives in this
# file are Port, Protocol, SyslogFacility, LogLevel, LoginGraceTime,
# PermitRootLogin, PubkeyAuthentication, AuthorizedKeysFile,
# HostbasedAuthentication, PasswordAuthentication, PermitEmptyPasswords,
# ChallengeResponseAuthentication, UsePAM, PrintMotd, PrintLastLog and
# Subsystem. Everything else runs at the compiled-in default of this build.

# NOTE(review): every ListenAddress line below is commented out, so sshd
# listens on all local addresses. Uncomment the address(es) of the
# management interface if the service should not be reachable elsewhere.
Port 22
#AddressFamily any
#ListenAddress localhost:22
#ListenAddress 127.0.0.1:22
#ListenAddress dojonet:22
#ListenAddress 192.168.0.1:22
#ListenAddress pc-01:22
#ListenAddress 192.168.0.2:22
#ListenAddress pc-02:22
#ListenAddress 192.168.0.3:22


# The default requires explicit activation of protocol 1
# Only protocol 2 is accepted here. Protocol 1 is cryptographically weak and
# later OpenSSH releases removed support for it entirely.
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# NOTE(review): DSA (ssh-dss) keys are limited to 1024 bits and were disabled
# by default from OpenSSH 7.0 on; prefer RSA (2048 bits or more) or ECDSA
# host keys when selecting keys explicitly.
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# NOTE(review): the X.509 / CA / LDAP / OCSP keywords that follow are not
# documented in stock OpenSSH's sshd_config(5); they appear to come from an
# X.509 certificate patch applied to this build. Consult that patch's
# documentation before enabling any of them.

# "key type names" for X.509 certificates with RSA key
# Note first defined is used in signature operations!
# NOTE(review): as listed, rsa-md5 would be the first (signing) algorithm if
# both lines were uncommented. MD5 and SHA-1 are no longer collision
# resistant; if enabling, avoid rsa-md5 and check which stronger digests
# the installed build offers.
#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1

# "key type names" for X.509 certificates with DSA key
# Note first defined is used in signature operations!
#X509KeyAlgorithm x509v3-sign-dss,dss-asn1
#X509KeyAlgorithm x509v3-sign-dss,dss-raw

# The intended use for the X509 client certificate. Without this option
# no chain verification will be done. Currently accepted uses are case
# insensitive:
# - "sslclient", "SSL client", "SSL_client" or "client"
# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose"
# - "skip" or "" (empty): don't check purpose.
# NOTE(review): "skip"/empty turns the purpose check off; keep "sslclient"
# so certificates issued for other uses are not accepted for login.
#AllowedCertPurpose sslclient

# Specifies whether a self-issued (self-signed) X.509 certificate can be
# allowed solely by an entry in AuthorizedKeysFile that contains the matching
# public key or certificate blob.
#KeyAllowSelfIssued no

# Specifies whether a CRL must be present in the store for all certificates
# in a certificate chain with the attribute "cRLDistributionPoints".
# NOTE(review): with "no", a missing CRL is presumably not treated as an
# error, so revocation is only enforced for CRLs that happen to be in the
# store -- confirm against the patch documentation.
#MandatoryCRL no

# A file with multiple certificates of certificate signers
# in PEM format concatenated together.
#CACertificateFile /etc/ssh/ca/ca-bundle.crt

# A directory with certificates of certificate signers.
# The certificates should have name of the form: [HASH].[NUMBER]
# or have symbolic links to them of this form.
#CACertificatePath /etc/ssh/ca/crt

# A file with multiple CRL of certificate signers
# in PEM format concatenated together.
#CARevocationFile /etc/ssh/ca/ca-bundle.crl

# A directory with CRL of certificate signers.
# The CRL should have name of the form: [HASH].r[NUMBER]
# or have symbolic links to them of this form.
#CARevocationPath /etc/ssh/ca/crl

# LDAP protocol version.
# Example:
# CAldapVersion 2

# Note: because of a limitation in the OpenSSH options parser,
# use %3D instead of = !
# LDAP initialization may require the URL to be escaped, i.e.
# use %2C instead of , (comma). An escaped URL does not depend on the
# LDAP initialization method.
# Example:
# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom

# SSH can use "Online Certificate Status Protocol" (OCSP)
# to validate certificate. Set VAType to
# - none : do not use OCSP to validate certificates;
# - ocspcert: validate only certificates that specify 'OCSP
# Service Locator' URL;
# - ocspspec: use specified in the configuration 'OCSP Responder'
# to validate all certificates.
# NOTE(review): with "none" there is no online revocation check; together
# with MandatoryCRL "no" a revoked certificate may still be accepted unless
# a current CRL is installed locally.
#VAType none

# Lifetime and size of ephemeral version 1 server key
# (protocol 1 only; has no effect while "Protocol 2" is set above)
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
# NOTE(review): LogLevel VERBOSE additionally records the fingerprint of the
# key used for each login, which helps attribute sessions when several keys
# map to one account; consider it where an audit trail is required.
SyslogFacility AUTH
LogLevel INFO

# Authentication:

# LoginGraceTime is shortened to 30 seconds (stock default: 120), which
# limits how long unauthenticated connections can hold a slot open.
# Direct root logins are refused.
LoginGraceTime 30
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

# NOTE(review): AuthorizedKeysFile is set to a non-default name (stock
# default: .ssh/authorized_keys). Only this file is consulted, so keys placed
# in ~/.ssh/authorized_keys are ignored, and because password login is
# disabled below such users cannot log in at all. The file name does not
# restrict the key type: any key type the server accepts works from this
# file. If the intent was to standardise on DSA keys, see the DSA note in
# the HostKey section -- RSA (2048+) or ECDSA user keys are preferable.
#RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_rsa_keys
AuthorizedKeysFile .ssh/authorized_dsa_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# (Already disabled here. With ChallengeResponseAuthentication and UsePAM
# also "no" below, public key is the only authentication method this file
# explicitly enables.)
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# NOTE(review): with "no", PAM account and session processing is skipped
# for SSH logins, so any account restrictions or session setup implemented
# only in the PAM stack do not apply. Both password methods are already
# "no" above, so "yes" would add those checks without re-enabling password
# login -- verify against the local PAM configuration before changing.
UsePAM no

# NOTE(review): AllowGroups/AllowUsers are commented out, so every non-root
# account with a key in its AuthorizedKeysFile may log in. Agent and TCP
# forwarding stay at their defaults (enabled); turn off what users do not
# need, globally or per user with a Match block as in the example at the
# end of this file.
# NOTE(review): PrintLastLog is switched off (stock default: yes), so users
# no longer see the time and origin of their previous login, which is a
# cheap cue for noticing unexpected use of an account.
#AllowGroups wheel admin
#AllowUsers andre@pc-01 marcio@pc-02
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# allow the use of the none cipher
# NOTE(review): with the "none" cipher the session payload travels
# unencrypted (presumably only after authentication, per the HPN design --
# confirm). Keep this at "no" on any network that is not fully trusted.
#NoneEnabled no

# disable hpn performance boosts.
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048

# Example of overriding settings on a per-user basis
# (restricts one account to a single forced command with forwarding off)
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server