sshd_config (3223B)
#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
#
# Active (uncommented) overrides in this file: PermitRootLogin,
# AuthorizedKeysFile, AllowTcpForwarding, GatewayPorts, X11Forwarding and
# Subsystem.  Every other option is left at the compiled-in default.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# Root may log in, but not with password or keyboard-interactive
# authentication; public-key login for root remains allowed.
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2.
# This is overridden here: sshd checks /current/conf/authorized_keys/%u first
# (%u expands to the login name), then .ssh/authorized_keys relative to the
# user's home directory.
# Anyone who can write under /current/conf/authorized_keys can grant login
# for the matching account, so that directory and the per-user files in it
# should be writable only by root or by the user they name.
AuthorizedKeysFile /current/conf/authorized_keys/%u .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# NOTE(review): this is left at the default shown below, so password login
# stays available to non-root accounts; PermitRootLogin above restricts
# only root.  Confirm that is intended for this deployment.
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password"
# ("without-password" is the deprecated alias of "prohibit-password",
# the value this file sets above).
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
# Feel free to re-enable these if your use case requires them.
# sshd_config(5) notes that disabling TCP forwarding does not improve
# security unless users are also denied shell access, because they can
# install their own forwarders.  AllowAgentForwarding and
# AllowStreamLocalForwarding are not set in this file and keep their
# defaults.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
# internal-sftp is the SFTP server built into sshd, so no external
# sftp-server binary is required.
Subsystem sftp internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server