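# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#
# NOTE(review): for single-valued keywords sshd keeps the first value it
# reads, so keep exactly one active line per setting. Validate any edit
# with "sshd -t" before restarting the daemon.
#
# Active overrides in this file: HostKey (RSA, ECDSA), SyslogFacility,
# AuthorizedKeysFile, PasswordAuthentication, ChallengeResponseAuthentication,
# GSSAPIAuthentication, GSSAPICleanupCredentials, UsePAM, X11Forwarding,
# UsePrivilegeSeparation, AcceptEnv and Subsystem. Everything else runs
# with the compiled-in default shown on its commented line.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
# NOTE(review): protocol 1 is legacy; leave it and its options below
# (version 1 HostKey, KeyRegenerationInterval, ServerKeyBits,
# RSAAuthentication, RhostsRSAAuthentication) disabled.
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# Only the RSA and ECDSA host keys are offered; the DSA key stays disabled.
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
# Authentication events go to the AUTHPRIV facility instead of AUTH.
# NOTE(review): confirm the syslog configuration stores AUTHPRIV in a
# root-only file and forwards it to central logging.
SyslogFacility AUTHPRIV
# NOTE(review): LogLevel VERBOSE additionally records the fingerprint of
# the key used for each login, which helps incident response attribute a
# session to a specific key.
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# NOTE(review): PermitRootLogin is left at the default shown below, so
# direct root logins are accepted. Password and challenge-response logins
# are disabled further down, which leaves public key and GSSAPI as the
# methods root can use. Set "PermitRootLogin no" explicitly if direct root
# access is not required.
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Password logins are disabled: users need a key in AuthorizedKeysFile or
# a GSSAPI credential.
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Disabled together with PasswordAuthentication so that PAM cannot offer
# a password prompt through keyboard-interactive (see the UsePAM notes below).
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
# NOTE(review): this overrides the default of "no". If the host is not
# part of a Kerberos realm, setting it back to "no" removes an unused
# authentication method.
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
#UsePAM no
# With PasswordAuthentication and ChallengeResponseAuthentication both set
# to "no" above, this is the "account and session checks only" setup
# described in the comment block above.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
# NOTE(review): this overrides the default of "no". Keep X11 forwarding
# enabled only where graphical applications are actually run over SSH;
# otherwise restore the default or restrict it in a Match block.
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
# Default for new installations.
UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
# These values are supplied by the client and copied into the session
# environment. Keep the list limited to locale and input-method variables
# and do not add wildcards or variables that influence program loading.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Uncomment this if you want to use .local domain
# NOTE(review): Host and CheckHostIP are ssh_config(5) client keywords and
# are not listed in sshd_config(5); check with "sshd -t" before
# uncommenting them in this file.
#Host *.local
# CheckHostIP no

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server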