sshd_config - platform/external/openssh - Gitiles

 #	$OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.

 # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options override the
 # default value.

 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::

 # The default requires explicit activation of protocol 1
 #Protocol 2

 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key

 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024

 # Ciphers and keying
 #RekeyLimit default none

 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 #LogLevel INFO

 # Authentication:

 #LoginGraceTime 2m
 #PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10

 #RSAAuthentication yes
 #PubkeyAuthentication yes

 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile	.ssh/authorized_keys

 #AuthorizedPrincipalsFile none

 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody

 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes

 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no

 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes

 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no

 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes

 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no

 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
 UsePrivilegeSeparation sandbox		# Default for new installations.
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS yes
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none

 # no default banner path
 #Banner none

 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server

 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
	# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

	# This is the sshd server system-wide configuration file. See
	# sshd_config(5) for more information.

	# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

	# The strategy used for options in the default sshd_config shipped with
	# OpenSSH is to specify options with their default value where
	# possible, but leave them commented. Uncommented options override the
	# default value.

	#Port 22
	#AddressFamily any
	#ListenAddress 0.0.0.0
	#ListenAddress ::

	# The default requires explicit activation of protocol 1
	#Protocol 2

	# HostKey for protocol version 1
	#HostKey /etc/ssh/ssh_host_key
	# HostKeys for protocol version 2
	#HostKey /etc/ssh/ssh_host_rsa_key
	#HostKey /etc/ssh/ssh_host_dsa_key
	#HostKey /etc/ssh/ssh_host_ecdsa_key
	#HostKey /etc/ssh/ssh_host_ed25519_key

	# Lifetime and size of ephemeral version 1 server key
	#KeyRegenerationInterval 1h
	#ServerKeyBits 1024

	# Ciphers and keying
	#RekeyLimit default none

	# Logging
	# obsoletes QuietMode and FascistLogging
	#SyslogFacility AUTH
	#LogLevel INFO

	# Authentication:

	#LoginGraceTime 2m
	#PermitRootLogin yes
	#StrictModes yes
	#MaxAuthTries 6
	#MaxSessions 10

	#RSAAuthentication yes
	#PubkeyAuthentication yes

	# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
	# but this is overridden so installations will only check .ssh/authorized_keys
	AuthorizedKeysFile .ssh/authorized_keys

	#AuthorizedPrincipalsFile none

	#AuthorizedKeysCommand none
	#AuthorizedKeysCommandUser nobody

	# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
	#RhostsRSAAuthentication no
	# similar for protocol version 2
	#HostbasedAuthentication no
	# Change to yes if you don't trust ~/.ssh/known_hosts for
	# RhostsRSAAuthentication and HostbasedAuthentication
	#IgnoreUserKnownHosts no
	# Don't read the user's ~/.rhosts and ~/.shosts files
	#IgnoreRhosts yes

	# To disable tunneled clear text passwords, change to no here!
	#PasswordAuthentication yes
	#PermitEmptyPasswords no

	# Change to no to disable s/key passwords
	#ChallengeResponseAuthentication yes

	# Kerberos options
	#KerberosAuthentication no
	#KerberosOrLocalPasswd yes
	#KerberosTicketCleanup yes
	#KerberosGetAFSToken no

	# GSSAPI options
	#GSSAPIAuthentication no
	#GSSAPICleanupCredentials yes

	# Set this to 'yes' to enable PAM authentication, account processing,
	# and session processing. If this is enabled, PAM authentication will
	# be allowed through the ChallengeResponseAuthentication and
	# PasswordAuthentication. Depending on your PAM configuration,
	# PAM authentication via ChallengeResponseAuthentication may bypass
	# the setting of "PermitRootLogin without-password".
	# If you just want the PAM account and session checks to run without
	# PAM authentication, then enable this but set PasswordAuthentication
	# and ChallengeResponseAuthentication to 'no'.
	#UsePAM no

	#AllowAgentForwarding yes
	#AllowTcpForwarding yes
	#GatewayPorts no
	#X11Forwarding no
	#X11DisplayOffset 10
	#X11UseLocalhost yes
	#PermitTTY yes
	#PrintMotd yes
	#PrintLastLog yes
	#TCPKeepAlive yes
	#UseLogin no
	UsePrivilegeSeparation sandbox # Default for new installations.
	#PermitUserEnvironment no
	#Compression delayed
	#ClientAliveInterval 0
	#ClientAliveCountMax 3
	#UseDNS yes
	#PidFile /var/run/sshd.pid
	#MaxStartups 10:30:100
	#PermitTunnel no
	#ChrootDirectory none
	#VersionAddendum none

	# no default banner path
	#Banner none

	# override default of no subsystems
	Subsystem sftp /usr/libexec/sftp-server

	# Example of overriding settings on a per-user basis
	#Match User anoncvs
	# X11Forwarding no
	# AllowTcpForwarding no
	# PermitTTY no
	# ForceCommand cvs server