Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 71e5a536ec815d542b199f2ae6d646c0db9f1b58 / . / sshd_config
blob: 4eb2e02e044851a74c010ad7cb4e71fc4dd0afe4 [file] [log] [blame]
djm@openbsd.org66705942017-03-14 07:19:07 +0000[diff] [blame]1# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
Tim Rice59ea0a02001-03-10 13:50:45 -0800[diff] [blame]2
Ben Lindstrom9721e922002-06-21 01:06:03 +0000[diff] [blame]3# This is the sshd server system-wide configuration file. See
4# sshd_config(5) for more information.
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]5
Tim Rice1e2c6002002-01-30 22:14:03 -0800[diff] [blame]6# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7
Damien Miller95ca7e92002-02-19 15:29:02 +1100[diff] [blame]8# The strategy used for options in the default sshd_config shipped with
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]9# OpenSSH is to specify options with their default value where
Damien Millerfd53abd2011-05-15 08:36:02 +1000[diff] [blame]10# possible, but leave them commented. Uncommented options override the
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]11# default value.
12
13#Port 22
Darren Tucker0f383232005-01-20 10:57:56 +1100[diff] [blame]14#AddressFamily any
Kevin Steves8ee4f692001-01-09 15:28:46 +0000[diff] [blame]15#ListenAddress 0.0.0.0
Damien Miller34132e52000-01-14 15:45:46 +1100[diff] [blame]16#ListenAddress ::
Ben Lindstromc4b72252001-06-09 01:09:51 +0000[diff] [blame]17
Damien Miller05eda432002-02-10 18:32:28 +1100[diff] [blame]18#HostKey /etc/ssh/ssh_host_rsa_key
19#HostKey /etc/ssh/ssh_host_dsa_key
Damien Miller80ed82a2010-09-10 11:20:11 +1000[diff] [blame]20#HostKey /etc/ssh/ssh_host_ecdsa_key
Damien Milleraf5d4482014-01-12 19:20:47 +1100[diff] [blame]21#HostKey /etc/ssh/ssh_host_ed25519_key
Ben Lindstromc4b72252001-06-09 01:09:51 +0000[diff] [blame]22
Darren Tucker5f96f3b2013-05-16 20:29:28 +1000[diff] [blame]23# Ciphers and keying
24#RekeyLimit default none
25
Damien Miller886c63a2000-01-20 23:13:36 +1100[diff] [blame]26# Logging
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]27#SyslogFacility AUTH
28#LogLevel INFO
Damien Miller9ba30241999-11-11 21:07:00 +1100[diff] [blame]29
Ben Lindstromc4b72252001-06-09 01:09:51 +0000[diff] [blame]30# Authentication:
31
Darren Tuckerb8dae8e2003-06-22 20:48:45 +1000[diff] [blame]32#LoginGraceTime 2m
deraadt@openbsd.org1dc8d932015-08-06 14:53:21 +0000[diff] [blame]33#PermitRootLogin prohibit-password
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]34#StrictModes yes
Darren Tucker89413db2004-05-24 10:36:23 +1000[diff] [blame]35#MaxAuthTries 6
Damien Miller7207f642008-05-19 15:34:50 +1000[diff] [blame]36#MaxSessions 10
Ben Lindstromc4b72252001-06-09 01:09:51 +0000[diff] [blame]37
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]38#PubkeyAuthentication yes
Damien Millerd8478b62011-05-29 21:39:36 +1000[diff] [blame]39
40# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
41# but this is overridden so installations will only check .ssh/authorized_keys
42AuthorizedKeysFile .ssh/authorized_keys
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]43
Damien Miller8fef9eb2012-04-22 11:25:10 +1000[diff] [blame]44#AuthorizedPrincipalsFile none
45
Damien Miller09d3e122012-10-31 08:58:58 +1100[diff] [blame]46#AuthorizedKeysCommand none
47#AuthorizedKeysCommandUser nobody
48
Damien Miller05eda432002-02-10 18:32:28 +1100[diff] [blame]49# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]50#HostbasedAuthentication no
51# Change to yes if you don't trust ~/.ssh/known_hosts for
naddy@openbsd.orgffe65492016-08-15 12:32:04 +0000[diff] [blame]52# HostbasedAuthentication
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]53#IgnoreUserKnownHosts no
Darren Tuckerec960f22003-08-13 20:37:05 +1000[diff] [blame]54# Don't read the user's ~/.rhosts and ~/.shosts files
55#IgnoreRhosts yes
Ben Lindstromc4b72252001-06-09 01:09:51 +0000[diff] [blame]56
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]57# To disable tunneled clear text passwords, change to no here!
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]58#PasswordAuthentication yes
59#PermitEmptyPasswords no
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]60
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]61# Change to no to disable s/key passwords
62#ChallengeResponseAuthentication yes
Damien Millerf8154422001-04-25 22:44:14 +1000[diff] [blame]63
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]64# Kerberos options
Damien Millerd7de14b2002-04-23 21:04:51 +1000[diff] [blame]65#KerberosAuthentication no
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]66#KerberosOrLocalPasswd yes
67#KerberosTicketCleanup yes
Darren Tucker22ef5082003-12-31 11:37:34 +1100[diff] [blame]68#KerberosGetAFSToken no
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]69
Darren Tucker0efd1552003-08-26 11:49:55 +1000[diff] [blame]70# GSSAPI options
71#GSSAPIAuthentication no
Darren Tuckera49d36e2003-10-02 16:20:54 +1000[diff] [blame]72#GSSAPICleanupCredentials yes
Darren Tucker0efd1552003-08-26 11:49:55 +1000[diff] [blame]73
Darren Tuckere90a06a2013-09-18 15:09:38 +1000[diff] [blame]74# Set this to 'yes' to enable PAM authentication, account processing,
75# and session processing. If this is enabled, PAM authentication will
Darren Tuckera4904f72006-02-23 21:35:30 +1100[diff] [blame]76# be allowed through the ChallengeResponseAuthentication and
77# PasswordAuthentication. Depending on your PAM configuration,
78# PAM authentication via ChallengeResponseAuthentication may bypass
79# the setting of "PermitRootLogin without-password".
80# If you just want the PAM account and session checks to run without
81# PAM authentication, then enable this but set PasswordAuthentication
82# and ChallengeResponseAuthentication to 'no'.
Tim Riced4d18152003-09-25 19:04:34 -0700[diff] [blame]83#UsePAM no
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]84
Damien Millerba3a6592008-05-19 14:58:22 +1000[diff] [blame]85#AllowAgentForwarding yes
Darren Tuckerb8dae8e2003-06-22 20:48:45 +1000[diff] [blame]86#AllowTcpForwarding yes
87#GatewayPorts no
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]88#X11Forwarding no
89#X11DisplayOffset 10
Damien Miller95c249f2002-02-05 12:11:34 +1100[diff] [blame]90#X11UseLocalhost yes
Damien Miller5ff30c62013-10-30 22:21:50 +1100[diff] [blame]91#PermitTTY yes
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]92#PrintMotd yes
93#PrintLastLog yes
Darren Tucker0b3b9752003-12-31 11:38:32 +1100[diff] [blame]94#TCPKeepAlive yes
Damien Millerc30d35c2000-08-30 09:40:09 +1100[diff] [blame]95#UseLogin no
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000[diff] [blame]96#PermitUserEnvironment no
Damien Miller9786e6e2005-07-26 21:54:56 +1000[diff] [blame]97#Compression delayed
Darren Tuckerb8dae8e2003-06-22 20:48:45 +1000[diff] [blame]98#ClientAliveInterval 0
99#ClientAliveCountMax 3
deraadt@openbsd.org3cd51032015-02-02 01:57:44 +0000[diff] [blame]100#UseDNS no
Darren Tuckerb8dae8e2003-06-22 20:48:45 +1000[diff] [blame]101#PidFile /var/run/sshd.pid
Damien Miller1f583df2013-02-12 11:02:08 +1100[diff] [blame]102#MaxStartups 10:30:100
Damien Millerd27b9472005-12-13 19:29:02 +1100[diff] [blame]103#PermitTunnel no
Damien Millerd8cb1f12008-02-10 22:40:12 +1100[diff] [blame]104#ChrootDirectory none
Damien Miller23528812012-04-22 11:24:43 +1000[diff] [blame]105#VersionAddendum none
Darren Tuckerb8dae8e2003-06-22 20:48:45 +1000[diff] [blame]106
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]107# no default banner path
Damien Miller4890e532007-09-17 11:57:38 +1000[diff] [blame]108#Banner none
Ben Lindstrome9d04442001-02-10 23:26:35 +0000[diff] [blame]109
Damien Miller2bec5c12002-01-22 23:32:07 +1100[diff] [blame]110# override default of no subsystems
Ben Lindstrome9d04442001-02-10 23:26:35 +0000[diff] [blame]111Subsystem sftp /usr/libexec/sftp-server
Damien Millere2754432006-07-24 14:06:47 +1000[diff] [blame]112
113# Example of overriding settings on a per-user basis
114#Match User anoncvs
115# X11Forwarding no
116# AllowTcpForwarding no
Damien Miller5ff30c62013-10-30 22:21:50 +1100[diff] [blame]117# PermitTTY no
Damien Millere2754432006-07-24 14:06:47 +1000[diff] [blame]118# ForceCommand cvs server