# OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $# This is the ssh

1. # OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
2.  
3. # This is the sshd server system-wide configuration file. See
4. # sshd_config(5) for more information.
5.  
6. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
7.  
8. # The strategy used for options in the default sshd_config shipped with
9. # OpenSSH is to specify options with their default value where
10. # possible, but leave them commented. Uncommented options override the
11. # default value.
12.  
13. # If you want to change the port on a SELinux system, you have to tell
14. # SELinux about this change.
15. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
16. #
17. #Port 22
18. #AddressFamily any
19. #ListenAddress 0.0.0.0
20. #ListenAddress ::
21.  
22. # The default requires explicit activation of protocol 1
23. #Protocol 2
24.  
25. # HostKey for protocol version 1
26. #HostKey /etc/ssh/ssh_host_key
27. # HostKeys for protocol version 2
28. HostKey /etc/ssh/ssh_host_rsa_key
29. #HostKey /etc/ssh/ssh_host_dsa_key
30. HostKey /etc/ssh/ssh_host_ecdsa_key
31. HostKey /etc/ssh/ssh_host_ed25519_key
32.  
33. # Lifetime and size of ephemeral version 1 server key
34. #KeyRegenerationInterval 1h
35. #ServerKeyBits 1024
36.  
37. # Ciphers and keying
38. #RekeyLimit default none
39.  
40. # Logging
41. # obsoletes QuietMode and FascistLogging
42. #SyslogFacility AUTH
43. SyslogFacility AUTHPRIV
44. #LogLevel INFO
45.  
46. # Authentication:
47.  
48. #LoginGraceTime 2m
49. PermitRootLogin yes
50. #StrictModes yes
51. #MaxAuthTries 6
52. #MaxSessions 10
53.  
54. RSAAuthentication yes
55. PubkeyAuthentication yes
56.  
57. # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
58. # but this is overridden so installations will only check .ssh/authorized_keys
59. AuthorizedKeysFile .ssh/authorized_keys
60.  
61. #AuthorizedPrincipalsFile none
62.  
63. #AuthorizedKeysCommand none
64. #AuthorizedKeysCommandUser nobody
65.  
66. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
67. #RhostsRSAAuthentication no
68. # similar for protocol version 2
69. #HostbasedAuthentication no
70. # Change to yes if you don't trust ~/.ssh/known_hosts for
71. # RhostsRSAAuthentication and HostbasedAuthentication
72. #IgnoreUserKnownHosts no
73. # Don't read the user's ~/.rhosts and ~/.shosts files
74. #IgnoreRhosts yes
75.  
76. # To disable tunneled clear text passwords, change to no here!
77. #PasswordAuthentication yes
78. PermitEmptyPasswords no
79. PasswordAuthentication yes
80.  
81. # Change to no to disable s/key passwords
82. #ChallengeResponseAuthentication yes
83. ChallengeResponseAuthentication no
84.  
85. # Kerberos options
86. #KerberosAuthentication no
87. #KerberosOrLocalPasswd yes
88. #KerberosTicketCleanup yes
89. #KerberosGetAFSToken no
90. #KerberosUseKuserok yes
91.  
92. # GSSAPI options
93. GSSAPIAuthentication yes
94. GSSAPICleanupCredentials no
95. #GSSAPIStrictAcceptorCheck yes
96. #GSSAPIKeyExchange no
97. #GSSAPIEnablek5users no
98.  
99. # Set this to 'yes' to enable PAM authentication, account processing,
100. # and session processing. If this is enabled, PAM authentication will
101. # be allowed through the ChallengeResponseAuthentication and
102. # PasswordAuthentication. Depending on your PAM configuration,
103. # PAM authentication via ChallengeResponseAuthentication may bypass
104. # the setting of "PermitRootLogin without-password".
105. # If you just want the PAM account and session checks to run without
106. # PAM authentication, then enable this but set PasswordAuthentication
107. # and ChallengeResponseAuthentication to 'no'.
108. # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
109. # problems.
110. UsePAM yes
111.  
112. #AllowAgentForwarding yes
113. #AllowTcpForwarding yes
114. #GatewayPorts no
115. X11Forwarding yes
116. #X11DisplayOffset 10
117. #X11UseLocalhost yes
118. #PermitTTY yes
119. #PrintMotd yes
120. #PrintLastLog yes
121. #TCPKeepAlive yes
122. #UseLogin no
123. UsePrivilegeSeparation sandbox # Default for new installations.
124. #PermitUserEnvironment no
125. #Compression delayed
126. #ClientAliveInterval 0
127. #ClientAliveCountMax 3
128. #ShowPatchLevel no
129. #UseDNS yes
130. #PidFile /var/run/sshd.pid
131. #MaxStartups 10:30:100
132. #PermitTunnel no
133. #ChrootDirectory none
134. #VersionAddendum none
135.  
136. # no default banner path
137. #Banner none
138.  
139. # Accept locale-related environment variables
140. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
141. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
142. AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
143. AcceptEnv XMODIFIERS
144.  
145. # override default of no subsystems
146. #Subsystem sftp /usr/libexec/openssh/sftp-server
147. Subsystem sftp internal-sftp
148.  
149. # Example of overriding settings on a per-user basis
150. #Match User anoncvs
151. # X11Forwarding no
152. # AllowTcpForwarding no
153. # PermitTTY no
154. # ForceCommand cvs server
155.  
156. Match User ouiuser
157. ForceCommand internal-sftp
158. ChrootDirectory /home/ouiuser/