blob: 1440c05ffcaf1e218c3523eda69626702f0be143 [file] [log] [blame]
Damien Miller9786e6e2005-07-26 21:54:56 +10001# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $
Tim Rice59ea0a02001-03-10 13:50:45 -08002
Ben Lindstrom9721e922002-06-21 01:06:03 +00003# This is the sshd server system-wide configuration file. See
4# sshd_config(5) for more information.
Damien Millerd4a8b7e1999-10-27 13:42:43 +10005
Tim Rice1e2c6002002-01-30 22:14:03 -08006# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7
Damien Miller95ca7e92002-02-19 15:29:02 +11008# The strategy used for options in the default sshd_config shipped with
Damien Miller2bec5c12002-01-22 23:32:07 +11009# OpenSSH is to specify options with their default value where
10# possible, but leave them commented. Uncommented options change a
11# default value.
12
13#Port 22
Damien Miller8bb73be2000-04-19 16:26:12 +100014#Protocol 2,1
Darren Tucker0f383232005-01-20 10:57:56 +110015#AddressFamily any
Kevin Steves8ee4f692001-01-09 15:28:46 +000016#ListenAddress 0.0.0.0
Damien Miller34132e52000-01-14 15:45:46 +110017#ListenAddress ::
Ben Lindstromc4b72252001-06-09 01:09:51 +000018
19# HostKey for protocol version 1
Damien Miller05eda432002-02-10 18:32:28 +110020#HostKey /etc/ssh/ssh_host_key
Ben Lindstromc4b72252001-06-09 01:09:51 +000021# HostKeys for protocol version 2
Damien Miller05eda432002-02-10 18:32:28 +110022#HostKey /etc/ssh/ssh_host_rsa_key
23#HostKey /etc/ssh/ssh_host_dsa_key
Ben Lindstromc4b72252001-06-09 01:09:51 +000024
25# Lifetime and size of ephemeral version 1 server key
Darren Tuckerb8dae8e2003-06-22 20:48:45 +100026#KeyRegenerationInterval 1h
Damien Miller2bec5c12002-01-22 23:32:07 +110027#ServerKeyBits 768
Damien Miller192bd011999-11-13 23:56:35 +110028
Damien Miller886c63a2000-01-20 23:13:36 +110029# Logging
Damien Miller06b75ad2005-05-26 12:12:37 +100030# obsoletes QuietMode and FascistLogging
Damien Miller2bec5c12002-01-22 23:32:07 +110031#SyslogFacility AUTH
32#LogLevel INFO
Damien Miller9ba30241999-11-11 21:07:00 +110033
Ben Lindstromc4b72252001-06-09 01:09:51 +000034# Authentication:
35
Darren Tuckerb8dae8e2003-06-22 20:48:45 +100036#LoginGraceTime 2m
Damien Miller2bec5c12002-01-22 23:32:07 +110037#PermitRootLogin yes
38#StrictModes yes
Darren Tucker89413db2004-05-24 10:36:23 +100039#MaxAuthTries 6
Ben Lindstromc4b72252001-06-09 01:09:51 +000040
Damien Miller2bec5c12002-01-22 23:32:07 +110041#RSAAuthentication yes
42#PubkeyAuthentication yes
43#AuthorizedKeysFile .ssh/authorized_keys
Damien Millerd4a8b7e1999-10-27 13:42:43 +100044
Damien Miller05eda432002-02-10 18:32:28 +110045# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
Damien Miller2bec5c12002-01-22 23:32:07 +110046#RhostsRSAAuthentication no
Ben Lindstromc4b72252001-06-09 01:09:51 +000047# similar for protocol version 2
Damien Miller2bec5c12002-01-22 23:32:07 +110048#HostbasedAuthentication no
49# Change to yes if you don't trust ~/.ssh/known_hosts for
50# RhostsRSAAuthentication and HostbasedAuthentication
51#IgnoreUserKnownHosts no
Darren Tuckerec960f22003-08-13 20:37:05 +100052# Don't read the user's ~/.rhosts and ~/.shosts files
53#IgnoreRhosts yes
Ben Lindstromc4b72252001-06-09 01:09:51 +000054
Damien Millerd4a8b7e1999-10-27 13:42:43 +100055# To disable tunneled clear text passwords, change to no here!
Damien Miller2bec5c12002-01-22 23:32:07 +110056#PasswordAuthentication yes
57#PermitEmptyPasswords no
Damien Miller33804262001-02-04 23:20:18 +110058
Damien Miller2bec5c12002-01-22 23:32:07 +110059# Change to no to disable s/key passwords
60#ChallengeResponseAuthentication yes
Damien Millerf8154422001-04-25 22:44:14 +100061
Damien Miller2bec5c12002-01-22 23:32:07 +110062# Kerberos options
Damien Millerd7de14b2002-04-23 21:04:51 +100063#KerberosAuthentication no
Damien Miller2bec5c12002-01-22 23:32:07 +110064#KerberosOrLocalPasswd yes
65#KerberosTicketCleanup yes
Darren Tucker22ef5082003-12-31 11:37:34 +110066#KerberosGetAFSToken no
Damien Miller2bec5c12002-01-22 23:32:07 +110067
Darren Tucker0efd1552003-08-26 11:49:55 +100068# GSSAPI options
69#GSSAPIAuthentication no
Darren Tuckera49d36e2003-10-02 16:20:54 +100070#GSSAPICleanupCredentials yes
Darren Tucker0efd1552003-08-26 11:49:55 +100071
Damien Miller701d0512004-05-23 11:47:58 +100072# Set this to 'yes' to enable PAM authentication, account processing,
73# and session processing. If this is enabled, PAM authentication will
74# be allowed through the ChallengeResponseAuthentication mechanism.
75# Depending on your PAM configuration, this may bypass the setting of
76# PasswordAuthentication, PermitEmptyPasswords, and
77# "PermitRootLogin without-password". If you just want the PAM account and
78# session checks to run without PAM authentication, then enable this but set
79# ChallengeResponseAuthentication=no
Tim Riced4d18152003-09-25 19:04:34 -070080#UsePAM no
Damien Millerd4a8b7e1999-10-27 13:42:43 +100081
Darren Tuckerb8dae8e2003-06-22 20:48:45 +100082#AllowTcpForwarding yes
83#GatewayPorts no
Damien Miller2bec5c12002-01-22 23:32:07 +110084#X11Forwarding no
85#X11DisplayOffset 10
Damien Miller95c249f2002-02-05 12:11:34 +110086#X11UseLocalhost yes
Damien Miller2bec5c12002-01-22 23:32:07 +110087#PrintMotd yes
88#PrintLastLog yes
Darren Tucker0b3b9752003-12-31 11:38:32 +110089#TCPKeepAlive yes
Damien Millerc30d35c2000-08-30 09:40:09 +110090#UseLogin no
Ben Lindstromfb62a692002-06-06 19:47:11 +000091#UsePrivilegeSeparation yes
Ben Lindstrom5d860f02002-08-01 01:28:38 +000092#PermitUserEnvironment no
Damien Miller9786e6e2005-07-26 21:54:56 +100093#Compression delayed
Darren Tuckerb8dae8e2003-06-22 20:48:45 +100094#ClientAliveInterval 0
95#ClientAliveCountMax 3
96#UseDNS yes
97#PidFile /var/run/sshd.pid
Damien Miller2bec5c12002-01-22 23:32:07 +110098#MaxStartups 10
Darren Tuckerb8dae8e2003-06-22 20:48:45 +100099
Damien Miller2bec5c12002-01-22 23:32:07 +1100100# no default banner path
101#Banner /some/path
Ben Lindstrome9d04442001-02-10 23:26:35 +0000102
Damien Miller2bec5c12002-01-22 23:32:07 +1100103# override default of no subsystems
Ben Lindstrome9d04442001-02-10 23:26:35 +0000104Subsystem sftp /usr/libexec/sftp-server