# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server