| 1 | # $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
|
---|
| 2 | # $FreeBSD: releng/9.3/crypto/openssh/sshd_config 264693 2014-04-20 13:12:32Z des $
|
---|
| 3 |
|
---|
| 4 | # This is the sshd server system-wide configuration file. See
|
---|
| 5 | # sshd_config(5) for more information.
|
---|
| 6 |
|
---|
| 7 | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
---|
| 8 |
|
---|
| 9 | # The strategy used for options in the default sshd_config shipped with
|
---|
| 10 | # OpenSSH is to specify options with their default value where
|
---|
| 11 | # possible, but leave them commented. Uncommented options override the
|
---|
| 12 | # default value.
|
---|
| 13 |
|
---|
| 14 | # Note that some of FreeBSD's defaults differ from OpenBSD's, and
|
---|
| 15 | # FreeBSD has a few additional options.
|
---|
| 16 |
|
---|
| 17 | Port 1022
|
---|
| 18 | #AddressFamily any
|
---|
| 19 | #ListenAddress 0.0.0.0
|
---|
| 20 | #ListenAddress ::
|
---|
| 21 | #ListenAddress 144.76.7.34
|
---|
| 22 | ListenAddress 2a01:4f8:190:8221::2
|
---|
| 23 |
|
---|
| 24 | # The default requires explicit activation of protocol 1
|
---|
| 25 | #Protocol 2
|
---|
| 26 |
|
---|
| 27 | # HostKey for protocol version 1
|
---|
| 28 | #HostKey /etc/ssh/ssh_host_key
|
---|
| 29 | # HostKeys for protocol version 2
|
---|
| 30 | #HostKey /etc/ssh/ssh_host_rsa_key
|
---|
| 31 | #HostKey /etc/ssh/ssh_host_dsa_key
|
---|
| 32 | #HostKey /etc/ssh/ssh_host_ecdsa_key
|
---|
| 33 | #HostKey /etc/ssh/ssh_host_ed25519_key
|
---|
| 34 |
|
---|
| 35 | # Lifetime and size of ephemeral version 1 server key
|
---|
| 36 | #KeyRegenerationInterval 1h
|
---|
| 37 | #ServerKeyBits 1024
|
---|
| 38 |
|
---|
| 39 | # Ciphers and keying
|
---|
| 40 | #RekeyLimit default none
|
---|
| 41 |
|
---|
| 42 | # Logging
|
---|
| 43 | # obsoletes QuietMode and FascistLogging
|
---|
| 44 | #SyslogFacility AUTH
|
---|
| 45 | #LogLevel INFO
|
---|
| 46 |
|
---|
| 47 | # Authentication:
|
---|
| 48 |
|
---|
| 49 | #LoginGraceTime 2m
|
---|
| 50 | #PermitRootLogin no
|
---|
| 51 | #StrictModes yes
|
---|
| 52 | #MaxAuthTries 6
|
---|
| 53 | #MaxSessions 10
|
---|
| 54 |
|
---|
| 55 | #RSAAuthentication yes
|
---|
| 56 | #PubkeyAuthentication yes
|
---|
| 57 |
|
---|
| 58 | # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
---|
| 59 | #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
|
---|
| 60 |
|
---|
| 61 | #AuthorizedPrincipalsFile none
|
---|
| 62 |
|
---|
| 63 | #AuthorizedKeysCommand none
|
---|
| 64 | #AuthorizedKeysCommandUser nobody
|
---|
| 65 |
|
---|
| 66 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
---|
| 67 | #RhostsRSAAuthentication no
|
---|
| 68 | # similar for protocol version 2
|
---|
| 69 | #HostbasedAuthentication no
|
---|
| 70 | # Change to yes if you don't trust ~/.ssh/known_hosts for
|
---|
| 71 | # RhostsRSAAuthentication and HostbasedAuthentication
|
---|
| 72 | #IgnoreUserKnownHosts no
|
---|
| 73 | # Don't read the user's ~/.rhosts and ~/.shosts files
|
---|
| 74 | #IgnoreRhosts yes
|
---|
| 75 |
|
---|
| 76 | # Change to yes to enable built-in password authentication.
|
---|
| 77 | #PasswordAuthentication no
|
---|
| 78 | #PermitEmptyPasswords no
|
---|
| 79 |
|
---|
| 80 | # Change to no to disable PAM authentication
|
---|
| 81 | #ChallengeResponseAuthentication yes
|
---|
| 82 |
|
---|
| 83 | # Kerberos options
|
---|
| 84 | #KerberosAuthentication no
|
---|
| 85 | #KerberosOrLocalPasswd yes
|
---|
| 86 | #KerberosTicketCleanup yes
|
---|
| 87 | #KerberosGetAFSToken no
|
---|
| 88 |
|
---|
| 89 | # GSSAPI options
|
---|
| 90 | #GSSAPIAuthentication no
|
---|
| 91 | #GSSAPICleanupCredentials yes
|
---|
| 92 |
|
---|
| 93 | # Set this to 'no' to disable PAM authentication, account processing,
|
---|
| 94 | # and session processing. If this is enabled, PAM authentication will
|
---|
| 95 | # be allowed through the ChallengeResponseAuthentication and
|
---|
| 96 | # PasswordAuthentication. Depending on your PAM configuration,
|
---|
| 97 | # PAM authentication via ChallengeResponseAuthentication may bypass
|
---|
| 98 | # the setting of "PermitRootLogin without-password".
|
---|
| 99 | # If you just want the PAM account and session checks to run without
|
---|
| 100 | # PAM authentication, then enable this but set PasswordAuthentication
|
---|
| 101 | # and ChallengeResponseAuthentication to 'no'.
|
---|
| 102 | #UsePAM yes
|
---|
| 103 |
|
---|
| 104 | #AllowAgentForwarding yes
|
---|
| 105 | #AllowTcpForwarding yes
|
---|
| 106 | #GatewayPorts no
|
---|
| 107 | #X11Forwarding yes
|
---|
| 108 | #X11DisplayOffset 10
|
---|
| 109 | #X11UseLocalhost yes
|
---|
| 110 | #PermitTTY yes
|
---|
| 111 | #PrintMotd yes
|
---|
| 112 | #PrintLastLog yes
|
---|
| 113 | #TCPKeepAlive yes
|
---|
| 114 | #UseLogin no
|
---|
| 115 | #UsePrivilegeSeparation yes
|
---|
| 116 | #PermitUserEnvironment no
|
---|
| 117 | #Compression delayed
|
---|
| 118 | #ClientAliveInterval 0
|
---|
| 119 | #ClientAliveCountMax 3
|
---|
| 120 | #UseDNS yes
|
---|
| 121 | #PidFile /var/run/sshd.pid
|
---|
| 122 | #MaxStartups 10:30:100
|
---|
| 123 | #PermitTunnel no
|
---|
| 124 | #ChrootDirectory none
|
---|
| 125 | #VersionAddendum FreeBSD-20140420
|
---|
| 126 |
|
---|
| 127 | # no default banner path
|
---|
| 128 | #Banner none
|
---|
| 129 |
|
---|
| 130 | # override default of no subsystems
|
---|
| 131 | Subsystem sftp /usr/libexec/sftp-server
|
---|
| 132 |
|
---|
| 133 | # Disable HPN tuning improvements.
|
---|
| 134 | #HPNDisabled no
|
---|
| 135 |
|
---|
| 136 | # Buffer size for HPN to non-HPN connections.
|
---|
| 137 | #HPNBufferSize 2048
|
---|
| 138 |
|
---|
| 139 | # TCP receive socket buffer polling for HPN. Disable on non autotuning kernels.
|
---|
| 140 | #TcpRcvBufPoll yes
|
---|
| 141 |
|
---|
| 142 | # Allow the use of the NONE cipher.
|
---|
| 143 | #NoneEnabled no
|
---|
| 144 |
|
---|
| 145 | # Example of overriding settings on a per-user basis
|
---|
| 146 | #Match User anoncvs
|
---|
| 147 | # X11Forwarding no
|
---|
| 148 | # AllowTcpForwarding no
|
---|
| 149 | # PermitTTY no
|
---|
| 150 | # ForceCommand cvs server
|
---|
| 151 | PermitRootLogin yes
|
---|