xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-connectivity/openssh/openssh/sshd_config (revision 4882a59341e53eb6f0b4789bf948001014eff981)
#	$OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $

# System-wide configuration file for the sshd server.  sshd_config(5)
# documents every option that appears below.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# Convention used in the default sshd_config shipped with OpenSSH: where
# possible an option is listed with its default value but left commented
# out.  Only an uncommented option overrides a default, so the
# uncommented lines are the ones to review first when auditing this file:
# AuthorizedKeysFile, ChallengeResponseAuthentication, Compression,
# ClientAliveInterval, ClientAliveCountMax and Subsystem.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:
#
# prohibit-password lets root log in with a key but turns off password
# and keyboard-interactive authentication for root.  StrictModes makes
# sshd check the ownership and modes of the user's files and home
# directory before it accepts a login.

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# sshd would otherwise check both .ssh/authorized_keys and
# .ssh/authorized_keys2.  The override below limits installations to
# .ssh/authorized_keys, which leaves one file per account to review for
# unexpected keys.  The path is relative to the user's home directory.
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# Host-based authentication also needs host keys in
# /etc/ssh/ssh_known_hosts before it can work.
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Password logins are enabled by default.  To disable tunneled clear text
# passwords, uncomment PasswordAuthentication and change it to no.
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads).  Newer OpenSSH releases call this option
# KbdInteractiveAuthentication and keep this spelling as a deprecated
# alias.
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set UsePAM to 'yes' to enable PAM authentication, account processing,
# and session processing.  Once it is enabled, PAM authentication is
# allowed through ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration, PAM
# authentication via ChallengeResponseAuthentication may bypass the
# setting of "PermitRootLogin without-password" (the deprecated alias of
# prohibit-password, which is the value listed under Authentication above).
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

# Agent and TCP forwarding are on by default.  The Match example at the
# end of this file shows how to turn forwarding off for a single account.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
Compression no
# With the two values below sshd probes a silent client every 15 seconds
# and drops the connection after 4 unanswered probes, about 60 seconds.
# A client that is idle but still reachable answers the probes, so this
# cleans up dead connections and is not an idle-session timeout.
ClientAliveInterval 15
ClientAliveCountMax 4
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# No subsystems are defined by default; this line enables SFTP through
# the external sftp-server binary.
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server