xref: /openbsd-src/usr.bin/ssh/sshd_config (revision b67e94d27b390fac1b20ffd8d57eaca202e82245) 
1#	$OpenBSD: sshd_config,v 1.105 2024/12/03 14:12:47 dtucker Exp $
2
3# This is the sshd server system-wide configuration file.  See
4# sshd_config(5) for more information.
5
6# The strategy used for options in the default sshd_config shipped with
7# OpenSSH is to specify options with their default value where
8# possible, but leave them commented.  Uncommented options override the
9# default value.
10
11#Port 22
12#AddressFamily any
13#ListenAddress 0.0.0.0
14#ListenAddress ::
15
16#HostKey /etc/ssh/ssh_host_rsa_key
17#HostKey /etc/ssh/ssh_host_ecdsa_key
18#HostKey /etc/ssh/ssh_host_ed25519_key
19
20# Ciphers and keying
21#RekeyLimit default none
22
23# Logging
24#SyslogFacility AUTH
25#LogLevel INFO
26
27# Authentication:
28
29#LoginGraceTime 2m
30#PermitRootLogin prohibit-password
31#StrictModes yes
32#MaxAuthTries 6
33#MaxSessions 10
34
35#PubkeyAuthentication yes
36
37# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
38# but this is overridden so installations will only check .ssh/authorized_keys
39AuthorizedKeysFile	.ssh/authorized_keys
40
41#AuthorizedPrincipalsFile none
42
43#AuthorizedKeysCommand none
44#AuthorizedKeysCommandUser nobody
45
46# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
47#HostbasedAuthentication no
48# Change to yes if you don't trust ~/.ssh/known_hosts for
49# HostbasedAuthentication
50#IgnoreUserKnownHosts no
51# Don't read the user's ~/.rhosts and ~/.shosts files
52#IgnoreRhosts yes
53
54# To disable tunneled clear text passwords, change to "no" here!
55#PasswordAuthentication yes
56#PermitEmptyPasswords no
57
58# Change to "no" to disable keyboard-interactive authentication.  Depending on
59# the system's configuration, this may involve passwords, challenge-response,
60# one-time passwords or some combination of these and other methods.
61#KbdInteractiveAuthentication yes
62
63#AllowAgentForwarding yes
64#AllowTcpForwarding yes
65#GatewayPorts no
66#X11Forwarding no
67#X11DisplayOffset 10
68#X11UseLocalhost yes
69#PermitTTY yes
70#PrintMotd yes
71#PrintLastLog yes
72#TCPKeepAlive yes
73#PermitUserEnvironment no
74#Compression delayed
75#ClientAliveInterval 0
76#ClientAliveCountMax 3
77#UseDNS no
78#PidFile /var/run/sshd.pid
79#MaxStartups 10:30:100
80#PermitTunnel no
81#ChrootDirectory none
82#VersionAddendum none
83
84# no default banner path
85#Banner none
86
87# override default of no subsystems
88Subsystem	sftp	/usr/libexec/sftp-server
89
90# Example of overriding settings on a per-user basis
91#Match User anoncvs
92#	X11Forwarding no
93#	AllowTcpForwarding no
94#	PermitTTY no
95#	ForceCommand cvs server
96