[gssapi-openssh.git] / openssh / sshd_config

#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# Session hooks: if allowed, specify the commands to execute
#AllowSessionHooks yes
#SessionHookStartupCmd /bin/true
#SessionHookShutdownCmd /bin/true

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPIDelegateCredentials yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

# Set to 'yes' to allow the PAM stack to change the user name during
# calls to authentication
#PermitPAMUserChange no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes
 
# allow the use of the none cipher
#NoneEnabled no

# disable hpn performance boosts. 
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048


# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server


# Usage Metrics
#UsageStatsTargets usage-stats.cilogon.org:4810
#DisableUsageStats No
Commit	Line	Data
5156b1a1	1	# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
75be3237	2
	3	# This is the sshd server system-wide configuration file. See
	4	# sshd_config(5) for more information.
3c0ef626	5
	6	# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
	7
75be3237	8	# The strategy used for options in the default sshd_config shipped with
	9	# OpenSSH is to specify options with their default value where
	10	# possible, but leave them commented. Uncommented options change a
	11	# default value.
3c0ef626	12
75be3237	13	#Port 22
dfddba3d	14	#AddressFamily any
3c0ef626	15	#ListenAddress 0.0.0.0
	16	#ListenAddress ::
	17
fa0f0f45	18	# Disable legacy (protocol version 1) support in the server for new
	19	# installations. In future the default will change to require explicit
	20	# activation of protocol 1
	21	Protocol 2
	22
3c0ef626	23	# HostKey for protocol version 1
75be3237	24	#HostKey /etc/ssh/ssh_host_key
3c0ef626	25	# HostKeys for protocol version 2
75be3237	26	#HostKey /etc/ssh/ssh_host_rsa_key
75be3237	27	#HostKey /etc/ssh/ssh_host_dsa_key
3c0ef626	28
3c0ef626	29	# Lifetime and size of ephemeral version 1 server key
7cac2b65	30	#KeyRegenerationInterval 1h
5156b1a1	31	#ServerKeyBits 1024
3c0ef626	32
3c0ef626	33	# Logging
2ce0bfe4	34	# obsoletes QuietMode and FascistLogging
75be3237	35	#SyslogFacility AUTH
75be3237	36	#LogLevel INFO
3c0ef626	37
	38	# Authentication:
	39
7cac2b65	40	#LoginGraceTime 2m
75be3237	41	#PermitRootLogin yes
75be3237	42	#StrictModes yes
7e82606e	43	#MaxAuthTries 6
5156b1a1	44	#MaxSessions 10
3c0ef626	45
75be3237	46	#RSAAuthentication yes
	47	#PubkeyAuthentication yes
	48	#AuthorizedKeysFile .ssh/authorized_keys
3c0ef626	49
75be3237	50	# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
75be3237	51	#RhostsRSAAuthentication no
3c0ef626	52	# similar for protocol version 2
75be3237	53	#HostbasedAuthentication no
	54	# Change to yes if you don't trust ~/.ssh/known_hosts for
	55	# RhostsRSAAuthentication and HostbasedAuthentication
	56	#IgnoreUserKnownHosts no
7cac2b65	57	# Don't read the user's ~/.rhosts and ~/.shosts files
7cac2b65	58	#IgnoreRhosts yes
3c0ef626	59
3c0ef626	60	# To disable tunneled clear text passwords, change to no here!
75be3237	61	#PasswordAuthentication yes
75be3237	62	#PermitEmptyPasswords no
3c0ef626	63
75be3237	64	# Change to no to disable s/key passwords
75be3237	65	#ChallengeResponseAuthentication yes
3c0ef626	66
75be3237	67	# Kerberos options
3c0ef626	68	#KerberosAuthentication no
3c0ef626	69	#KerberosOrLocalPasswd yes
75be3237	70	#KerberosTicketCleanup yes
540d72c3	71	#KerberosGetAFSToken no
75be3237	72
75be3237	73	# Session hooks: if allowed, specify the commands to execute
	74	#AllowSessionHooks yes
	75	#SessionHookStartupCmd /bin/true
	76	#SessionHookShutdownCmd /bin/true
3c0ef626	77
7cac2b65	78	# GSSAPI options
7cac2b65	79	#GSSAPIAuthentication yes
05ed7e1e	80	#GSSAPIDelegateCredentials yes
94b7f692	81	#GSSAPICleanupCredentials yes
f713db99	82	#GSSAPIStrictAcceptorCheck yes
f713db99	83	#GSSAPIKeyExchange yes
7cac2b65	84
7e82606e	85	# Set this to 'yes' to enable PAM authentication, account processing,
7e82606e	86	# and session processing. If this is enabled, PAM authentication will
30460aeb	87	# be allowed through the ChallengeResponseAuthentication and
	88	# PasswordAuthentication. Depending on your PAM configuration,
	89	# PAM authentication via ChallengeResponseAuthentication may bypass
	90	# the setting of "PermitRootLogin without-password".
	91	# If you just want the PAM account and session checks to run without
	92	# PAM authentication, then enable this but set PasswordAuthentication
	93	# and ChallengeResponseAuthentication to 'no'.
540d72c3	94	#UsePAM no
75be3237	95
d037a8b0	96	# Set to 'yes' to allow the PAM stack to change the user name during
	97	# calls to authentication
	98	#PermitPAMUserChange no
	99
5156b1a1	100	#AllowAgentForwarding yes
7cac2b65	101	#AllowTcpForwarding yes
7cac2b65	102	#GatewayPorts no
75be3237	103	#X11Forwarding no
	104	#X11DisplayOffset 10
	105	#X11UseLocalhost yes
	106	#PrintMotd yes
	107	#PrintLastLog yes
540d72c3	108	#TCPKeepAlive yes
3c0ef626	109	#UseLogin no
75be3237	110	#UsePrivilegeSeparation yes
75be3237	111	#PermitUserEnvironment no
2ce0bfe4	112	#Compression delayed
7cac2b65	113	#ClientAliveInterval 0
	114	#ClientAliveCountMax 3
	115	#UseDNS yes
	116	#PidFile /var/run/sshd.pid
75be3237	117	#MaxStartups 10
08822d99	118	#PermitTunnel no
e74dc197	119	#ChrootDirectory none
7cac2b65	120
f713db99	121	# no default banner path
e74dc197	122	#Banner none
f713db99	123
	124	# override default of no subsystems
	125	Subsystem sftp /usr/libexec/sftp-server
	126
a7213e65	127	# the following are HPN related configuration options
6df46d40	128	# tcp receive buffer polling. disable in non autotuning kernels
6df46d40	129	#TcpRcvBufPoll yes
f713db99	130
a7213e65	131	# allow the use of the none cipher
	132	#NoneEnabled no
	133
	134	# disable hpn performance boosts.
	135	#HPNDisabled no
	136
6df46d40	137	# buffer size for hpn to non-hpn connections
a7213e65	138	#HPNBufferSize 2048
30460aeb	139
a7213e65	140
30460aeb	141	# Example of overriding settings on a per-user basis
	142	#Match User anoncvs
	143	# X11Forwarding no
	144	# AllowTcpForwarding no
	145	# ForceCommand cvs server
99a78107	146
	147
	148	# Usage Metrics
	149	#UsageStatsTargets usage-stats.cilogon.org:4810
	150	#DisableUsageStats No