X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/3c0ef6268ff5921062694dbd2cbb80f558aa8d40..9f2c8cb950fea61c599edeb9721aca66f4bd61f6:/openssh/sshd_config diff --git a/openssh/sshd_config b/openssh/sshd_config index e1a052a..f1f4a10 100644 --- a/openssh/sshd_config +++ b/openssh/sshd_config @@ -1,80 +1,145 @@ -# $OpenBSD: sshd_config,v 1.42 2001/09/20 20:57:51 mouring Exp $ +# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin -# This is the sshd server system-wide configuration file. See sshd(8) -# for more information. +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. -Port 22 -#Protocol 2,1 +#Port 22 +#AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: +# Disable legacy (protocol version 1) support in the server for new +# installations. In future the default will change to require explicit +# activation of protocol 1 +Protocol 2 + # HostKey for protocol version 1 -HostKey /etc/ssh_host_key +#HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -HostKey /etc/ssh_host_rsa_key -HostKey /etc/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 # Logging -SyslogFacility AUTH -LogLevel INFO -#obsoletes QuietMode and FascistLogging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO # Authentication: -LoginGraceTime 600 -PermitRootLogin yes -StrictModes yes +#LoginGraceTime 2m +#PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 -RSAAuthentication yes -PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys +#RSAAuthentication yes +#PubkeyAuthentication yes +#AuthorizedKeysFile .ssh/authorized_keys -# rhosts authentication should not be used -RhostsAuthentication no -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no # similar for protocol version 2 -HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication yes -PermitEmptyPasswords no - -# Uncomment to disable s/key passwords -#ChallengeResponseAuthentication no +#PasswordAuthentication yes +#PermitEmptyPasswords no -# Uncomment to enable PAM keyboard-interactive authentication -# Warning: enabling this may bypass the setting of 'PasswordAuthentication' -#PAMAuthenticationViaKbdInt yes +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes -# To change Kerberos options +# Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes -#AFSTokenPassing no -#KerberosTicketCleanup no +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# Session hooks: if allowed, specify the commands to execute +#AllowSessionHooks yes +#SessionHookStartupCmd /bin/true +#SessionHookShutdownCmd /bin/true + +# GSSAPI options +#GSSAPIAuthentication yes +#GSSAPIDelegateCredentials yes +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +#UsePAM no + +# Set to 'yes' to allow the PAM stack to change the user name during +# calls to authentication +#PermitPAMUserChange no + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server -# Kerberos TGT Passing does only work with the AFS kaserver -#KerberosTgtPassing yes +# the following are HPN related configuration options +# tcp receive buffer polling. disable in non autotuning kernels +#TcpRcvBufPoll yes + +# allow the use of the none cipher +#NoneEnabled no -X11Forwarding no -X11DisplayOffset 10 -PrintMotd yes -#PrintLastLog no -KeepAlive yes -#UseLogin no +# disable hpn performance boosts. +#HPNDisabled no -#MaxStartups 10:30:60 -#Banner /etc/issue.net -#ReverseMappingCheck yes +# buffer size for hpn to non-hpn connections +#HPNBufferSize 2048 -Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server