| 1 | # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
|
|---|
| 2 | # $FreeBSD: src/crypto/openssh/sshd_config,v 1.49.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
|
|---|
| 3 |
|
|---|
| 4 | # This is the sshd server system-wide configuration file. See
|
|---|
| 5 | # sshd_config(5) for more information.
|
|---|
| 6 |
|
|---|
| 7 | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
|---|
| 8 |
|
|---|
| 9 | # The strategy used for options in the default sshd_config shipped with
|
|---|
| 10 | # OpenSSH is to specify options with their default value where
|
|---|
| 11 | # possible, but leave them commented. Uncommented options change a
|
|---|
| 12 | # default value.
|
|---|
| 13 |
|
|---|
| 14 | # Note that some of FreeBSD's defaults differ from OpenBSD's, and
|
|---|
| 15 | # FreeBSD has a few additional options.
|
|---|
| 16 |
|
|---|
| 17 | #VersionAddendum FreeBSD-20090522
|
|---|
| 18 |
|
|---|
| 19 | Port 22
|
|---|
| 20 | Port 1022
|
|---|
| 21 | #Protocol 2
|
|---|
| 22 | #AddressFamily any
|
|---|
| 23 | #ListenAddress 0.0.0.0
|
|---|
| 24 | #ListenAddress ::
|
|---|
| 25 |
|
|---|
| 26 | # Disable legacy (protocol version 1) support in the server for new
|
|---|
| 27 | # installations. In future the default will change to require explicit
|
|---|
| 28 | # activation of protocol 1
|
|---|
| 29 | Protocol 2
|
|---|
| 30 |
|
|---|
| 31 | # HostKey for protocol version 1
|
|---|
| 32 | #HostKey /etc/ssh/ssh_host_key
|
|---|
| 33 | # HostKeys for protocol version 2
|
|---|
| 34 | #HostKey /etc/ssh/ssh_host_rsa_key
|
|---|
| 35 | #HostKey /etc/ssh/ssh_host_dsa_key
|
|---|
| 36 |
|
|---|
| 37 | # Lifetime and size of ephemeral version 1 server key
|
|---|
| 38 | #KeyRegenerationInterval 1h
|
|---|
| 39 | #ServerKeyBits 1024
|
|---|
| 40 |
|
|---|
| 41 | # Logging
|
|---|
| 42 | # obsoletes QuietMode and FascistLogging
|
|---|
| 43 | #SyslogFacility AUTH
|
|---|
| 44 | #LogLevel INFO
|
|---|
| 45 |
|
|---|
| 46 | # Authentication:
|
|---|
| 47 |
|
|---|
| 48 | #LoginGraceTime 2m
|
|---|
| 49 | PermitRootLogin yes
|
|---|
| 50 | #StrictModes yes
|
|---|
| 51 | #MaxAuthTries 6
|
|---|
| 52 | #MaxSessions 10
|
|---|
| 53 |
|
|---|
| 54 | #RSAAuthentication yes
|
|---|
| 55 | #PubkeyAuthentication yes
|
|---|
| 56 | #AuthorizedKeysFile .ssh/authorized_keys
|
|---|
| 57 | AuthorizedKeysFile /etc/ssh/authorized_keys
|
|---|
| 58 |
|
|---|
| 59 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
|---|
| 60 | #RhostsRSAAuthentication no
|
|---|
| 61 | # similar for protocol version 2
|
|---|
| 62 | #HostbasedAuthentication no
|
|---|
| 63 | # Change to yes if you don't trust ~/.ssh/known_hosts for
|
|---|
| 64 | # RhostsRSAAuthentication and HostbasedAuthentication
|
|---|
| 65 | #IgnoreUserKnownHosts no
|
|---|
| 66 | # Don't read the user's ~/.rhosts and ~/.shosts files
|
|---|
| 67 | #IgnoreRhosts yes
|
|---|
| 68 |
|
|---|
| 69 | # Change to yes to enable built-in password authentication.
|
|---|
| 70 | #PasswordAuthentication no
|
|---|
| 71 | #PermitEmptyPasswords no
|
|---|
| 72 |
|
|---|
| 73 | # Change to no to disable PAM authentication
|
|---|
| 74 | #ChallengeResponseAuthentication yes
|
|---|
| 75 |
|
|---|
| 76 | # Kerberos options
|
|---|
| 77 | #KerberosAuthentication no
|
|---|
| 78 | #KerberosOrLocalPasswd yes
|
|---|
| 79 | #KerberosTicketCleanup yes
|
|---|
| 80 | #KerberosGetAFSToken no
|
|---|
| 81 |
|
|---|
| 82 | # GSSAPI options
|
|---|
| 83 | #GSSAPIAuthentication no
|
|---|
| 84 | #GSSAPICleanupCredentials yes
|
|---|
| 85 |
|
|---|
| 86 | # Set this to 'no' to disable PAM authentication, account processing,
|
|---|
| 87 | # and session processing. If this is enabled, PAM authentication will
|
|---|
| 88 | # be allowed through the ChallengeResponseAuthentication and
|
|---|
| 89 | # PasswordAuthentication. Depending on your PAM configuration,
|
|---|
| 90 | # PAM authentication via ChallengeResponseAuthentication may bypass
|
|---|
| 91 | PermitRootLogin yes
|
|---|
| 92 | # If you just want the PAM account and session checks to run without
|
|---|
| 93 | # PAM authentication, then enable this but set PasswordAuthentication
|
|---|
| 94 | # and ChallengeResponseAuthentication to 'no'.
|
|---|
| 95 | #UsePAM yes
|
|---|
| 96 |
|
|---|
| 97 | #AllowAgentForwarding yes
|
|---|
| 98 | #AllowTcpForwarding yes
|
|---|
| 99 | #GatewayPorts no
|
|---|
| 100 | #X11Forwarding yes
|
|---|
| 101 | #X11DisplayOffset 10
|
|---|
| 102 | #X11UseLocalhost yes
|
|---|
| 103 | #PrintMotd yes
|
|---|
| 104 | #PrintLastLog yes
|
|---|
| 105 | #TCPKeepAlive yes
|
|---|
| 106 | #UseLogin no
|
|---|
| 107 | #UsePrivilegeSeparation yes
|
|---|
| 108 | #PermitUserEnvironment no
|
|---|
| 109 | #Compression delayed
|
|---|
| 110 | #ClientAliveInterval 0
|
|---|
| 111 | #ClientAliveCountMax 3
|
|---|
| 112 | UseDNS no
|
|---|
| 113 | #PidFile /var/run/sshd.pid
|
|---|
| 114 | #MaxStartups 10
|
|---|
| 115 | #PermitTunnel no
|
|---|
| 116 | #ChrootDirectory none
|
|---|
| 117 |
|
|---|
| 118 | # no default banner path
|
|---|
| 119 | #Banner none
|
|---|
| 120 |
|
|---|
| 121 | # override default of no subsystems
|
|---|
| 122 | Subsystem sftp /usr/libexec/sftp-server
|
|---|
| 123 |
|
|---|
| 124 | # Example of overriding settings on a per-user basis
|
|---|
| 125 | #Match User anoncvs
|
|---|
| 126 | # X11Forwarding no
|
|---|
| 127 | # AllowTcpForwarding no
|
|---|
| 128 | # ForceCommand cvs server
|
|---|
| 129 |
|
|---|
| 130 | Banner /etc/ssh/ssh-external-banner
|
|---|
| 131 | PasswordAuthentication no
|
|---|
| 132 | Match address 172.16.0.0/12
|
|---|
| 133 | Banner /etc/ssh/ssh-internal-banner
|
|---|
| 134 | PasswordAuthentication yes
|
|---|
| 135 |
|
|---|
