# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# $DragonFly: src/crypto/openssh-5/sshd_config,v 1.4 2008/09/28 03:19:46 pavalos Exp $

# This is the system-wide configuration file for the sshd server. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# Convention used in the default sshd_config shipped with OpenSSH:
# options are listed with their default value where possible, but left
# commented out. An uncommented option changes a default value.

# Note that some of DragonFly's defaults differ from OpenBSD's, and
# DragonFly has a few additional options.

#VersionAddendum DragonFly-20090620

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Accept protocol version 2 only: legacy protocol version 1 support is
# disabled in the server for new installations. In future the default
# will change so that protocol 1 requires explicit activation.
Protocol 2

# HostKey for protocol version 1 (only relevant if protocol 1 is enabled)
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of the ephemeral version 1 server key
# (protocol version 1 only)
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# SyslogFacility and LogLevel obsolete QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# Root may not log in with a password. NOTE(review): "without-password"
# turns off password authentication for root rather than selecting public
# keys specifically; any other non-password method that is enabled also
# applies to root (see the PAM note further down) -- confirm against
# sshd_config(5).
PermitRootLogin without-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#PermitBlacklistedKeys no
#AuthorizedKeysFile .ssh/authorized_keys

# Rhosts authentication combined with RSA host authentication is
# disabled. If it is enabled, host keys are also needed in
# /etc/ssh/ssh_known_hosts for it to work.
RhostsRSAAuthentication no
# The similar host-based method for protocol version 2, also disabled
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Tunneled clear-text password authentication. The shipped value is "no";
# change it to "yes" here to allow password logins.
# With this off and ChallengeResponseAuthentication off below, accounts
# need another credential (for example an authorized public key) in place
# before this configuration is relied on for remote access.
PasswordAuthentication no
#PermitEmptyPasswords no

# "no" disables s/key and tunneled clear-text passwords when PAM is
# enabled. It is disabled by default here. Note that PAM is also
# disabled by default.
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set UsePAM to 'yes' to enable PAM authentication, account processing,
# and session processing. If it is enabled, PAM authentication will
# be allowed through ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable UsePAM but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# PAM stays disabled unless this is changed to 'yes'
#UsePAM no

# Forwarding, session and connection options, listed commented out.
# NOTE(review): the forwarding options below widen what an authenticated
# session can reach; switch off the ones a host does not need. The Match
# example at the end of this file shows how to do that per user.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

#XAuthLocation /usr/pkg/bin/xauth

# There is no default banner path
#Banner none

# No subsystems are defined by default; this line enables sftp
Subsystem sftp /usr/libexec/sftp-server

# The following are HPN-related configuration options.
# TCP receive buffer polling. Disable on kernels without autotuning.
#TcpRcvBufPoll yes

# Allow the use of the none cipher (listed as "no").
# NOTE(review): the none cipher presumably leaves session data
# unencrypted on the wire -- confirm against the HPN documentation
# before turning this on.
#NoneEnabled no

# Disable the HPN performance boosts
#HPNDisabled no

# Buffer size for HPN to non-HPN connections
#HPNBufferSize 2048


# Example of overriding settings on a per-user basis: the commented
# block below would apply to user anoncvs only, turning off X11 and TCP
# forwarding and forcing the command "cvs server".
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server