Blame - sshd_config - platform/external/openssh

blob: 4eb2e02e044851a74c010ad7cb4e71fc4dd0afe4 [file] [log] [blame]

Greg Hartman	9768ca4	2017-06-22 20:49:52 -0700	[diff] [blame]	1	# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	2
				3	# This is the sshd server system-wide configuration file. See
				4	# sshd_config(5) for more information.
				5
				6	# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
				7
				8	# The strategy used for options in the default sshd_config shipped with
				9	# OpenSSH is to specify options with their default value where
				10	# possible, but leave them commented. Uncommented options override the
				11	# default value.
				12
				13	#Port 22
				14	#AddressFamily any
				15	#ListenAddress 0.0.0.0
				16	#ListenAddress ::
				17
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	18	#HostKey /etc/ssh/ssh_host_rsa_key
				19	#HostKey /etc/ssh/ssh_host_dsa_key
				20	#HostKey /etc/ssh/ssh_host_ecdsa_key
Adam Langley	d059297	2015-03-30 14:49:51 -0700	[diff] [blame]	21	#HostKey /etc/ssh/ssh_host_ed25519_key
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	22
Adam Langley	d059297	2015-03-30 14:49:51 -0700	[diff] [blame]	23	# Ciphers and keying
				24	#RekeyLimit default none
				25
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	26	# Logging
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	27	#SyslogFacility AUTH
				28	#LogLevel INFO
				29
				30	# Authentication:
				31
				32	#LoginGraceTime 2m
Greg Hartman	ccacbc9	2016-02-03 09:59:44 -0800	[diff] [blame]	33	#PermitRootLogin prohibit-password
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	34	#StrictModes yes
				35	#MaxAuthTries 6
				36	#MaxSessions 10
				37
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	38	#PubkeyAuthentication yes
				39
				40	# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
				41	# but this is overridden so installations will only check .ssh/authorized_keys
				42	AuthorizedKeysFile .ssh/authorized_keys
				43
Adam Langley	d059297	2015-03-30 14:49:51 -0700	[diff] [blame]	44	#AuthorizedPrincipalsFile none
				45
				46	#AuthorizedKeysCommand none
				47	#AuthorizedKeysCommandUser nobody
				48
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	49	# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	50	#HostbasedAuthentication no
				51	# Change to yes if you don't trust ~/.ssh/known_hosts for
Greg Hartman	9768ca4	2017-06-22 20:49:52 -0700	[diff] [blame]	52	# HostbasedAuthentication
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	53	#IgnoreUserKnownHosts no
				54	# Don't read the user's ~/.rhosts and ~/.shosts files
				55	#IgnoreRhosts yes
				56
				57	# To disable tunneled clear text passwords, change to no here!
				58	#PasswordAuthentication yes
				59	#PermitEmptyPasswords no
				60
				61	# Change to no to disable s/key passwords
				62	#ChallengeResponseAuthentication yes
				63
				64	# Kerberos options
				65	#KerberosAuthentication no
				66	#KerberosOrLocalPasswd yes
				67	#KerberosTicketCleanup yes
				68	#KerberosGetAFSToken no
				69
				70	# GSSAPI options
				71	#GSSAPIAuthentication no
				72	#GSSAPICleanupCredentials yes
				73
Adam Langley	d059297	2015-03-30 14:49:51 -0700	[diff] [blame]	74	# Set this to 'yes' to enable PAM authentication, account processing,
				75	# and session processing. If this is enabled, PAM authentication will
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	76	# be allowed through the ChallengeResponseAuthentication and
				77	# PasswordAuthentication. Depending on your PAM configuration,
				78	# PAM authentication via ChallengeResponseAuthentication may bypass
				79	# the setting of "PermitRootLogin without-password".
				80	# If you just want the PAM account and session checks to run without
				81	# PAM authentication, then enable this but set PasswordAuthentication
				82	# and ChallengeResponseAuthentication to 'no'.
				83	#UsePAM no
				84
				85	#AllowAgentForwarding yes
				86	#AllowTcpForwarding yes
				87	#GatewayPorts no
				88	#X11Forwarding no
				89	#X11DisplayOffset 10
				90	#X11UseLocalhost yes
Adam Langley	d059297	2015-03-30 14:49:51 -0700	[diff] [blame]	91	#PermitTTY yes
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	92	#PrintMotd yes
				93	#PrintLastLog yes
				94	#TCPKeepAlive yes
				95	#UseLogin no
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	96	#PermitUserEnvironment no
				97	#Compression delayed
				98	#ClientAliveInterval 0
				99	#ClientAliveCountMax 3
Adam Langley	d059297	2015-03-30 14:49:51 -0700	[diff] [blame]	100	#UseDNS no
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	101	#PidFile /var/run/sshd.pid
Adam Langley	d059297	2015-03-30 14:49:51 -0700	[diff] [blame]	102	#MaxStartups 10:30:100
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	103	#PermitTunnel no
				104	#ChrootDirectory none
Adam Langley	d059297	2015-03-30 14:49:51 -0700	[diff] [blame]	105	#VersionAddendum none
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	106
				107	# no default banner path
				108	#Banner none
				109
				110	# override default of no subsystems
				111	Subsystem sftp /usr/libexec/sftp-server
				112
				113	# Example of overriding settings on a per-user basis
				114	#Match User anoncvs
				115	# X11Forwarding no
				116	# AllowTcpForwarding no
Adam Langley	d059297	2015-03-30 14:49:51 -0700	[diff] [blame]	117	# PermitTTY no
Greg Hartman	bd77cf7	2015-02-25 13:21:06 -0800	[diff] [blame]	118	# ForceCommand cvs server