| 1 |
# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $ |
|---|
| 2 |
|
|---|
| 3 |
# This is the sshd server system-wide configuration file. See |
|---|
| 4 |
# sshd_config(5) for more information. |
|---|
| 5 |
|
|---|
| 6 |
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin |
|---|
| 7 |
|
|---|
| 8 |
# The strategy used for options in the default sshd_config shipped with |
|---|
| 9 |
# OpenSSH is to specify options with their default value where |
|---|
| 10 |
# possible, but leave them commented. Uncommented options change a |
|---|
| 11 |
# default value. |
|---|
| 12 |
|
|---|
| 13 |
#Port 22 |
|---|
| 14 |
Protocol 2 |
|---|
| 15 |
#AddressFamily any |
|---|
| 16 |
#ListenAddress 0.0.0.0 |
|---|
| 17 |
#ListenAddress :: |
|---|
| 18 |
|
|---|
| 19 |
# HostKey for protocol version 1 |
|---|
| 20 |
#HostKey /etc/ssh_host_key |
|---|
| 21 |
# HostKeys for protocol version 2 |
|---|
| 22 |
#HostKey /etc/ssh_host_rsa_key |
|---|
| 23 |
#HostKey /etc/ssh_host_dsa_key |
|---|
| 24 |
|
|---|
| 25 |
# Lifetime and size of ephemeral version 1 server key |
|---|
| 26 |
#KeyRegenerationInterval 1h |
|---|
| 27 |
#ServerKeyBits 768 |
|---|
| 28 |
|
|---|
| 29 |
# Logging |
|---|
| 30 |
# obsoletes QuietMode and FascistLogging |
|---|
| 31 |
SyslogFacility AUTHPRIV |
|---|
| 32 |
#LogLevel INFO |
|---|
| 33 |
|
|---|
| 34 |
# Authentication: |
|---|
| 35 |
|
|---|
| 36 |
#LoginGraceTime 2m |
|---|
| 37 |
PermitRootLogin without-password |
|---|
| 38 |
#StrictModes yes |
|---|
| 39 |
#MaxAuthTries 6 |
|---|
| 40 |
|
|---|
| 41 |
#RSAAuthentication yes |
|---|
| 42 |
#PubkeyAuthentication yes |
|---|
| 43 |
#AuthorizedKeysFile .ssh/authorized_keys |
|---|
| 44 |
|
|---|
| 45 |
# For this to work you will also need host keys in /etc/ssh_known_hosts |
|---|
| 46 |
#RhostsRSAAuthentication no |
|---|
| 47 |
# similar for protocol version 2 |
|---|
| 48 |
#HostbasedAuthentication no |
|---|
| 49 |
# Change to yes if you don't trust ~/.ssh/known_hosts for |
|---|
| 50 |
# RhostsRSAAuthentication and HostbasedAuthentication |
|---|
| 51 |
#IgnoreUserKnownHosts no |
|---|
| 52 |
# Don't read the user's ~/.rhosts and ~/.shosts files |
|---|
| 53 |
#IgnoreRhosts yes |
|---|
| 54 |
|
|---|
| 55 |
# To disable tunneled clear text passwords, change to no here! Also, |
|---|
| 56 |
# remember to set the UsePAM setting to 'no'. |
|---|
| 57 |
#PasswordAuthentication yes |
|---|
| 58 |
#PermitEmptyPasswords no |
|---|
| 59 |
|
|---|
| 60 |
# SACL options |
|---|
| 61 |
#SACLSupport yes |
|---|
| 62 |
|
|---|
| 63 |
# Change to no to disable s/key passwords |
|---|
| 64 |
#ChallengeResponseAuthentication yes |
|---|
| 65 |
|
|---|
| 66 |
# Kerberos options |
|---|
| 67 |
#KerberosAuthentication no |
|---|
| 68 |
#KerberosOrLocalPasswd yes |
|---|
| 69 |
#KerberosTicketCleanup yes |
|---|
| 70 |
#KerberosGetAFSToken no |
|---|
| 71 |
|
|---|
| 72 |
# GSSAPI options |
|---|
| 73 |
GSSAPIAuthentication yes |
|---|
| 74 |
#GSSAPICleanupCredentials yes |
|---|
| 75 |
#GSSAPIStrictAcceptorCheck yes |
|---|
| 76 |
GSSAPIKeyExchange yes |
|---|
| 77 |
|
|---|
| 78 |
# Set this to 'yes' to enable PAM authentication, account processing, |
|---|
| 79 |
# and session processing. If this is enabled, PAM authentication will |
|---|
| 80 |
# be allowed through the ChallengeResponseAuthentication and |
|---|
| 81 |
# PasswordAuthentication. Depending on your PAM configuration, |
|---|
| 82 |
# PAM authentication via ChallengeResponseAuthentication may bypass |
|---|
| 83 |
# the setting of "PermitRootLogin without-password". |
|---|
| 84 |
# If you just want the PAM account and session checks to run without |
|---|
| 85 |
# PAM authentication, then enable this but set PasswordAuthentication |
|---|
| 86 |
# and ChallengeResponseAuthentication to 'no'. |
|---|
| 87 |
# Also, PAM will deny null passwords by default. If you need to allow |
|---|
| 88 |
# null passwords, add the " nullok" option to the end of the |
|---|
| 89 |
# securityserver.so line in /etc/pam.d/sshd. |
|---|
| 90 |
#UsePAM yes |
|---|
| 91 |
|
|---|
| 92 |
#AllowTcpForwarding yes |
|---|
| 93 |
#GatewayPorts no |
|---|
| 94 |
#X11Forwarding no |
|---|
| 95 |
#X11DisplayOffset 10 |
|---|
| 96 |
#X11UseLocalhost yes |
|---|
| 97 |
#PrintMotd yes |
|---|
| 98 |
#PrintLastLog yes |
|---|
| 99 |
#TCPKeepAlive yes |
|---|
| 100 |
#UseLogin no |
|---|
| 101 |
#UsePrivilegeSeparation yes |
|---|
| 102 |
#PermitUserEnvironment no |
|---|
| 103 |
#Compression delayed |
|---|
| 104 |
#ClientAliveInterval 0 |
|---|
| 105 |
#ClientAliveCountMax 3 |
|---|
| 106 |
#UseDNS yes |
|---|
| 107 |
#PidFile /var/run/sshd.pid |
|---|
| 108 |
#MaxStartups 10 |
|---|
| 109 |
#PermitTunnel no |
|---|
| 110 |
|
|---|
| 111 |
# no default banner path |
|---|
| 112 |
#Banner /some/path |
|---|
| 113 |
|
|---|
| 114 |
# override default of no subsystems |
|---|
| 115 |
Subsystem sftp /usr/libexec/sftp-server |
|---|
| 116 |
|
|---|
| 117 |
# Example of overriding settings on a per-user basis |
|---|
| 118 |
#Match User anoncvs |
|---|
| 119 |
# X11Forwarding no |
|---|
| 120 |
# AllowTcpForwarding no |
|---|
| 121 |
# ForceCommand cvs server |
|---|
