[ipfire-3.x.git] / openssh / sshd_config

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

LoginGraceTime 30s
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
MaxStartups 5
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
Commit	Line	Data
3dcb3ed8 MT	1	# This is the sshd server system-wide configuration file. See
	2	# sshd_config(5) for more information.
	3
	4	# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
	5
	6	# The strategy used for options in the default sshd_config shipped with
	7	# OpenSSH is to specify options with their default value where
	8	# possible, but leave them commented. Uncommented options change a
	9	# default value.
	10
f605083e	11	Port 22
3dcb3ed8 MT	12	#AddressFamily any
	13	#ListenAddress 0.0.0.0
	14	#ListenAddress ::
	15
	16	# Disable legacy (protocol version 1) support in the server for new
	17	# installations. In future the default will change to require explicit
	18	# activation of protocol 1
	19	Protocol 2
	20
	21	# HostKey for protocol version 1
	22	#HostKey /etc/ssh/ssh_host_key
	23	# HostKeys for protocol version 2
	24	#HostKey /etc/ssh/ssh_host_rsa_key
	25	#HostKey /etc/ssh/ssh_host_dsa_key
	26
	27	# Lifetime and size of ephemeral version 1 server key
	28	#KeyRegenerationInterval 1h
	29	#ServerKeyBits 1024
	30
	31	# Logging
	32	# obsoletes QuietMode and FascistLogging
	33	#SyslogFacility AUTH
	34	#LogLevel INFO
	35
	36	# Authentication:
	37
	38	LoginGraceTime 30s
	39	#PermitRootLogin yes
	40	#StrictModes yes
	41	#MaxAuthTries 6
	42	#MaxSessions 10
	43
	44	RSAAuthentication yes
	45	PubkeyAuthentication yes
	46	#AuthorizedKeysFile .ssh/authorized_keys
	47
	48	# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
	49	#RhostsRSAAuthentication no
	50	# similar for protocol version 2
	51	#HostbasedAuthentication no
	52	# Change to yes if you don't trust ~/.ssh/known_hosts for
	53	# RhostsRSAAuthentication and HostbasedAuthentication
	54	IgnoreUserKnownHosts yes
	55	# Don't read the user's ~/.rhosts and ~/.shosts files
	56	#IgnoreRhosts yes
	57
	58	# To disable tunneled clear text passwords, change to no here!
	59	PasswordAuthentication yes
	60	#PermitEmptyPasswords no
	61
	62	# Change to no to disable s/key passwords
	63	ChallengeResponseAuthentication yes
	64
	65	# Kerberos options
	66	#KerberosAuthentication no
	67	#KerberosOrLocalPasswd yes
	68	#KerberosTicketCleanup yes
	69	#KerberosGetAFSToken no
	70
	71	# GSSAPI options
	72	#GSSAPIAuthentication no
	73	#GSSAPICleanupCredentials yes
	74
	75	# Set this to 'yes' to enable PAM authentication, account processing,
76	# and session processing. If this is enabled, PAM authentication will
77	# be allowed through the ChallengeResponseAuthentication and
78	# PasswordAuthentication. Depending on your PAM configuration,
79	# PAM authentication via ChallengeResponseAuthentication may bypass
80	# the setting of "PermitRootLogin without-password".
81	# If you just want the PAM account and session checks to run without
82	# PAM authentication, then enable this but set PasswordAuthentication
83	# and ChallengeResponseAuthentication to 'no'.
84	UsePAM yes
85
86	#AllowAgentForwarding yes
87	AllowTcpForwarding yes
88	#GatewayPorts no
89	X11Forwarding no
90	#X11DisplayOffset 10
91	#X11UseLocalhost yes
92	#PrintMotd yes
93	#PrintLastLog yes
94	#TCPKeepAlive yes
95	#UseLogin no
96	#UsePrivilegeSeparation yes
97	#PermitUserEnvironment no
98	#Compression delayed
99	#ClientAliveInterval 0
100	#ClientAliveCountMax 3
101	#UseDNS yes
102	#PidFile /var/run/sshd.pid
103	MaxStartups 5
104	#PermitTunnel no
105	#ChrootDirectory none
106
107	# no default banner path
108	#Banner none
109
110	# override default of no subsystems
111	Subsystem sftp /usr/lib/openssh/sftp-server
112
113	# Example of overriding settings on a per-user basis
114	#Match User anoncvs
115	# X11Forwarding no
116	# AllowTcpForwarding no
117	# ForceCommand cvs server