blob: b786361d1110b9961a85bf324dfc972fc9584a70 [file] [log] [blame]
Darren Tucker5f96f3b2013-05-16 20:29:28 +10001# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $
Tim Rice59ea0a02001-03-10 13:50:45 -08002
Ben Lindstrom9721e922002-06-21 01:06:03 +00003# This is the sshd server system-wide configuration file. See
4# sshd_config(5) for more information.
Damien Millerd4a8b7e1999-10-27 13:42:43 +10005
Tim Rice1e2c6002002-01-30 22:14:03 -08006# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7
Damien Miller95ca7e92002-02-19 15:29:02 +11008# The strategy used for options in the default sshd_config shipped with
Damien Miller2bec5c12002-01-22 23:32:07 +11009# OpenSSH is to specify options with their default value where
Damien Millerfd53abd2011-05-15 08:36:02 +100010# possible, but leave them commented. Uncommented options override the
Damien Miller2bec5c12002-01-22 23:32:07 +110011# default value.
12
13#Port 22
Darren Tucker0f383232005-01-20 10:57:56 +110014#AddressFamily any
Kevin Steves8ee4f692001-01-09 15:28:46 +000015#ListenAddress 0.0.0.0
Damien Miller34132e52000-01-14 15:45:46 +110016#ListenAddress ::
Ben Lindstromc4b72252001-06-09 01:09:51 +000017
Darren Tuckerbad50762009-10-11 21:51:08 +110018# The default requires explicit activation of protocol 1
19#Protocol 2
Darren Tucker506ed882007-03-21 20:42:24 +110020
Ben Lindstromc4b72252001-06-09 01:09:51 +000021# HostKey for protocol version 1
Damien Miller05eda432002-02-10 18:32:28 +110022#HostKey /etc/ssh/ssh_host_key
Ben Lindstromc4b72252001-06-09 01:09:51 +000023# HostKeys for protocol version 2
Damien Miller05eda432002-02-10 18:32:28 +110024#HostKey /etc/ssh/ssh_host_rsa_key
25#HostKey /etc/ssh/ssh_host_dsa_key
Damien Miller80ed82a2010-09-10 11:20:11 +100026#HostKey /etc/ssh/ssh_host_ecdsa_key
Ben Lindstromc4b72252001-06-09 01:09:51 +000027
28# Lifetime and size of ephemeral version 1 server key
Darren Tuckerb8dae8e2003-06-22 20:48:45 +100029#KeyRegenerationInterval 1h
Darren Tucker7499b0c2008-07-02 22:35:43 +100030#ServerKeyBits 1024
Damien Miller192bd011999-11-13 23:56:35 +110031
Darren Tucker5f96f3b2013-05-16 20:29:28 +100032# Ciphers and keying
33#RekeyLimit default none
34
Damien Miller886c63a2000-01-20 23:13:36 +110035# Logging
Damien Miller06b75ad2005-05-26 12:12:37 +100036# obsoletes QuietMode and FascistLogging
Damien Miller2bec5c12002-01-22 23:32:07 +110037#SyslogFacility AUTH
38#LogLevel INFO
Damien Miller9ba30241999-11-11 21:07:00 +110039
Ben Lindstromc4b72252001-06-09 01:09:51 +000040# Authentication:
41
Darren Tuckerb8dae8e2003-06-22 20:48:45 +100042#LoginGraceTime 2m
Damien Miller2bec5c12002-01-22 23:32:07 +110043#PermitRootLogin yes
44#StrictModes yes
Darren Tucker89413db2004-05-24 10:36:23 +100045#MaxAuthTries 6
Damien Miller7207f642008-05-19 15:34:50 +100046#MaxSessions 10
Ben Lindstromc4b72252001-06-09 01:09:51 +000047
Damien Miller2bec5c12002-01-22 23:32:07 +110048#RSAAuthentication yes
49#PubkeyAuthentication yes
Damien Millerd8478b62011-05-29 21:39:36 +100050
51# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
52# but this is overridden so installations will only check .ssh/authorized_keys
53AuthorizedKeysFile .ssh/authorized_keys
Damien Millerd4a8b7e1999-10-27 13:42:43 +100054
Damien Miller8fef9eb2012-04-22 11:25:10 +100055#AuthorizedPrincipalsFile none
56
Damien Miller09d3e122012-10-31 08:58:58 +110057#AuthorizedKeysCommand none
58#AuthorizedKeysCommandUser nobody
59
Damien Miller05eda432002-02-10 18:32:28 +110060# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
Damien Miller2bec5c12002-01-22 23:32:07 +110061#RhostsRSAAuthentication no
Ben Lindstromc4b72252001-06-09 01:09:51 +000062# similar for protocol version 2
Damien Miller2bec5c12002-01-22 23:32:07 +110063#HostbasedAuthentication no
64# Change to yes if you don't trust ~/.ssh/known_hosts for
65# RhostsRSAAuthentication and HostbasedAuthentication
66#IgnoreUserKnownHosts no
Darren Tuckerec960f22003-08-13 20:37:05 +100067# Don't read the user's ~/.rhosts and ~/.shosts files
68#IgnoreRhosts yes
Ben Lindstromc4b72252001-06-09 01:09:51 +000069
Damien Millerd4a8b7e1999-10-27 13:42:43 +100070# To disable tunneled clear text passwords, change to no here!
Damien Miller2bec5c12002-01-22 23:32:07 +110071#PasswordAuthentication yes
72#PermitEmptyPasswords no
Damien Miller33804262001-02-04 23:20:18 +110073
Damien Miller2bec5c12002-01-22 23:32:07 +110074# Change to no to disable s/key passwords
75#ChallengeResponseAuthentication yes
Damien Millerf8154422001-04-25 22:44:14 +100076
Damien Miller2bec5c12002-01-22 23:32:07 +110077# Kerberos options
Damien Millerd7de14b2002-04-23 21:04:51 +100078#KerberosAuthentication no
Damien Miller2bec5c12002-01-22 23:32:07 +110079#KerberosOrLocalPasswd yes
80#KerberosTicketCleanup yes
Darren Tucker22ef5082003-12-31 11:37:34 +110081#KerberosGetAFSToken no
Damien Miller2bec5c12002-01-22 23:32:07 +110082
Darren Tucker0efd1552003-08-26 11:49:55 +100083# GSSAPI options
84#GSSAPIAuthentication no
Darren Tuckera49d36e2003-10-02 16:20:54 +100085#GSSAPICleanupCredentials yes
Darren Tucker0efd1552003-08-26 11:49:55 +100086
Damien Miller701d0512004-05-23 11:47:58 +100087# Set this to 'yes' to enable PAM authentication, account processing,
88# and session processing. If this is enabled, PAM authentication will
Darren Tuckera4904f72006-02-23 21:35:30 +110089# be allowed through the ChallengeResponseAuthentication and
90# PasswordAuthentication. Depending on your PAM configuration,
91# PAM authentication via ChallengeResponseAuthentication may bypass
92# the setting of "PermitRootLogin without-password".
93# If you just want the PAM account and session checks to run without
94# PAM authentication, then enable this but set PasswordAuthentication
95# and ChallengeResponseAuthentication to 'no'.
Tim Riced4d18152003-09-25 19:04:34 -070096#UsePAM no
Damien Millerd4a8b7e1999-10-27 13:42:43 +100097
Damien Millerba3a6592008-05-19 14:58:22 +100098#AllowAgentForwarding yes
Darren Tuckerb8dae8e2003-06-22 20:48:45 +100099#AllowTcpForwarding yes
100#GatewayPorts no
Damien Miller2bec5c12002-01-22 23:32:07 +1100101#X11Forwarding no
102#X11DisplayOffset 10
Damien Miller95c249f2002-02-05 12:11:34 +1100103#X11UseLocalhost yes
Damien Miller2bec5c12002-01-22 23:32:07 +1100104#PrintMotd yes
105#PrintLastLog yes
Darren Tucker0b3b9752003-12-31 11:38:32 +1100106#TCPKeepAlive yes
Damien Millerc30d35c2000-08-30 09:40:09 +1100107#UseLogin no
Damien Miller5a5c2b92012-07-31 12:21:34 +1000108UsePrivilegeSeparation sandbox # Default for new installations.
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000109#PermitUserEnvironment no
Damien Miller9786e6e2005-07-26 21:54:56 +1000110#Compression delayed
Darren Tuckerb8dae8e2003-06-22 20:48:45 +1000111#ClientAliveInterval 0
112#ClientAliveCountMax 3
113#UseDNS yes
114#PidFile /var/run/sshd.pid
Damien Miller1f583df2013-02-12 11:02:08 +1100115#MaxStartups 10:30:100
Damien Millerd27b9472005-12-13 19:29:02 +1100116#PermitTunnel no
Damien Millerd8cb1f12008-02-10 22:40:12 +1100117#ChrootDirectory none
Damien Miller23528812012-04-22 11:24:43 +1000118#VersionAddendum none
Darren Tuckerb8dae8e2003-06-22 20:48:45 +1000119
Damien Miller2bec5c12002-01-22 23:32:07 +1100120# no default banner path
Damien Miller4890e532007-09-17 11:57:38 +1000121#Banner none
Ben Lindstrome9d04442001-02-10 23:26:35 +0000122
Damien Miller2bec5c12002-01-22 23:32:07 +1100123# override default of no subsystems
Ben Lindstrome9d04442001-02-10 23:26:35 +0000124Subsystem sftp /usr/libexec/sftp-server
Damien Millere2754432006-07-24 14:06:47 +1000125
126# Example of overriding settings on a per-user basis
127#Match User anoncvs
128# X11Forwarding no
129# AllowTcpForwarding no
130# ForceCommand cvs server