Sshd config
(Difference between revisions)
(8.2 sshd_config default file) |
| Line 3: | Line 3: | ||
Example sshd_config file, from a newly installed 8.2-RELEASE system: | Example sshd_config file, from a newly installed 8.2-RELEASE system: | ||
| − | # $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $ | + | # $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $ |
| − | # $FreeBSD: src/crypto/openssh/sshd_config,v 1.49.2.2.4.1 2010/12/21 17:09:25 kensmith Exp $ | + | # $FreeBSD: src/crypto/openssh/sshd_config,v 1.49.2.2.4.1 2010/12/21 17:09:25 kensmith Exp $ |
| − | + | # | |
| − | # This is the sshd server system-wide configuration file. See | + | # This is the sshd server system-wide configuration file. See |
| − | # sshd_config(5) for more information. | + | # sshd_config(5) for more information. |
| − | + | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | |
| − | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | + | # |
| − | + | # The strategy used for options in the default sshd_config shipped with | |
| − | # The strategy used for options in the default sshd_config shipped with | + | # OpenSSH is to specify options with their default value where |
| − | # OpenSSH is to specify options with their default value where | + | # possible, but leave them commented. Uncommented options change a |
| − | # possible, but leave them commented. Uncommented options change a | + | # default value. |
| − | # default value. | + | |
| − | + | # Note that some of FreeBSD's defaults differ from OpenBSD's, and | |
| − | # Note that some of FreeBSD's defaults differ from OpenBSD's, and | + | # FreeBSD has a few additional options. |
| − | # FreeBSD has a few additional options. | + | |
| − | + | #VersionAddendum FreeBSD-20100308 | |
| − | #VersionAddendum FreeBSD-20100308 | + | |
| − | + | #Port 22 | |
| − | #Port 22 | + | #AddressFamily any |
| − | #AddressFamily any | + | #ListenAddress 0.0.0.0 |
| − | #ListenAddress 0.0.0.0 | + | #ListenAddress :: |
| − | #ListenAddress :: | + | |
| − | + | # The default requires explicit activation of protocol 1 | |
| − | # The default requires explicit activation of protocol 1 | + | #Protocol 2 |
| − | #Protocol 2 | + | |
| − | + | # HostKey for protocol version 1 | |
| − | # HostKey for protocol version 1 | + | #HostKey /etc/ssh/ssh_host_key |
| − | #HostKey /etc/ssh/ssh_host_key | + | # HostKeys for protocol version 2 |
| − | # HostKeys for protocol version 2 | + | #HostKey /etc/ssh/ssh_host_rsa_key |
| − | #HostKey /etc/ssh/ssh_host_rsa_key | + | #HostKey /etc/ssh/ssh_host_dsa_key |
| − | #HostKey /etc/ssh/ssh_host_dsa_key | + | |
| − | + | # Lifetime and size of ephemeral version 1 server key | |
| − | # Lifetime and size of ephemeral version 1 server key | + | #KeyRegenerationInterval 1h |
| − | #KeyRegenerationInterval 1h | + | #ServerKeyBits 1024 |
| − | #ServerKeyBits 1024 | + | |
| − | + | # Logging | |
| − | # Logging | + | # obsoletes QuietMode and FascistLogging |
| − | # obsoletes QuietMode and FascistLogging | + | #SyslogFacility AUTH |
| − | #SyslogFacility AUTH | + | #LogLevel INFO |
| − | #LogLevel INFO | + | |
| − | + | # Authentication: | |
| − | # Authentication: | + | |
| − | + | #LoginGraceTime 2m | |
| − | #LoginGraceTime 2m | + | #PermitRootLogin no |
| − | #PermitRootLogin no | + | #StrictModes yes |
| − | #StrictModes yes | + | #MaxAuthTries 6 |
| − | #MaxAuthTries 6 | + | #MaxSessions 10 |
| − | #MaxSessions 10 | + | |
| − | + | #RSAAuthentication yes | |
| − | #RSAAuthentication yes | + | #PubkeyAuthentication yes |
| − | #PubkeyAuthentication yes | + | #AuthorizedKeysFile .ssh/authorized_keys |
| − | #AuthorizedKeysFile .ssh/authorized_keys | + | |
| − | + | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | |
| − | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | + | #RhostsRSAAuthentication no |
| − | #RhostsRSAAuthentication no | + | # similar for protocol version 2 |
| − | # similar for protocol version 2 | + | #HostbasedAuthentication no |
| − | #HostbasedAuthentication no | + | # Change to yes if you don't trust ~/.ssh/known_hosts for |
| − | # Change to yes if you don't trust ~/.ssh/known_hosts for | + | # RhostsRSAAuthentication and HostbasedAuthentication |
| − | # RhostsRSAAuthentication and HostbasedAuthentication | + | #IgnoreUserKnownHosts no |
| − | #IgnoreUserKnownHosts no | + | # Don't read the user's ~/.rhosts and ~/.shosts files |
| − | # Don't read the user's ~/.rhosts and ~/.shosts files | + | #IgnoreRhosts yes |
| − | #IgnoreRhosts yes | + | |
| − | + | # Change to yes to enable built-in password authentication. | |
| − | # Change to yes to enable built-in password authentication. | + | #PasswordAuthentication no |
| − | #PasswordAuthentication no | + | #PermitEmptyPasswords no |
| − | #PermitEmptyPasswords no | + | |
| − | + | # Change to no to disable PAM authentication | |
| − | # Change to no to disable PAM authentication | + | #ChallengeResponseAuthentication yes |
| − | #ChallengeResponseAuthentication yes | + | |
| − | + | # Kerberos options | |
| − | # Kerberos options | + | #KerberosAuthentication no |
| − | #KerberosAuthentication no | + | #KerberosOrLocalPasswd yes |
| − | #KerberosOrLocalPasswd yes | + | #KerberosTicketCleanup yes |
| − | #KerberosTicketCleanup yes | + | #KerberosGetAFSToken no |
| − | #KerberosGetAFSToken no | + | |
| − | + | # GSSAPI options | |
| − | # GSSAPI options | + | #GSSAPIAuthentication no |
| − | #GSSAPIAuthentication no | + | #GSSAPICleanupCredentials yes |
| − | #GSSAPICleanupCredentials yes | + | |
| − | + | # Set this to 'no' to disable PAM authentication, account processing, | |
| − | # Set this to 'no' to disable PAM authentication, account processing, | + | # and session processing. If this is enabled, PAM authentication will |
| − | # and session processing. If this is enabled, PAM authentication will | + | # be allowed through the ChallengeResponseAuthentication and |
| − | # be allowed through the ChallengeResponseAuthentication and | + | # PasswordAuthentication. Depending on your PAM configuration, |
| − | # PasswordAuthentication. Depending on your PAM configuration, | + | # PAM authentication via ChallengeResponseAuthentication may bypass |
| − | # PAM authentication via ChallengeResponseAuthentication may bypass | + | # the setting of "PermitRootLogin without-password". |
| − | # the setting of "PermitRootLogin without-password". | + | # If you just want the PAM account and session checks to run without |
| − | # If you just want the PAM account and session checks to run without | + | # PAM authentication, then enable this but set PasswordAuthentication |
| − | # PAM authentication, then enable this but set PasswordAuthentication | + | # and ChallengeResponseAuthentication to 'no'. |
| − | # and ChallengeResponseAuthentication to 'no'. | + | #UsePAM yes |
| − | #UsePAM yes | + | |
| − | + | #AllowAgentForwarding yes | |
| − | #AllowAgentForwarding yes | + | #AllowTcpForwarding yes |
| − | #AllowTcpForwarding yes | + | #GatewayPorts no |
| − | #GatewayPorts no | + | #X11Forwarding yes |
| − | #X11Forwarding yes | + | #X11DisplayOffset 10 |
| − | #X11DisplayOffset 10 | + | #X11UseLocalhost yes |
| − | #X11UseLocalhost yes | + | #PrintMotd yes |
| − | #PrintMotd yes | + | #PrintLastLog yes |
| − | #PrintLastLog yes | + | #TCPKeepAlive yes |
| − | #TCPKeepAlive yes | + | #UseLogin no |
| − | #UseLogin no | + | #UsePrivilegeSeparation yes |
| − | #UsePrivilegeSeparation yes | + | #PermitUserEnvironment no |
| − | #PermitUserEnvironment no | + | #Compression delayed |
| − | #Compression delayed | + | #ClientAliveInterval 0 |
| − | #ClientAliveInterval 0 | + | #ClientAliveCountMax 3 |
| − | #ClientAliveCountMax 3 | + | #UseDNS yes |
| − | #UseDNS yes | + | #PidFile /var/run/sshd.pid |
| − | #PidFile /var/run/sshd.pid | + | #MaxStartups 10 |
| − | #MaxStartups 10 | + | #PermitTunnel no |
| − | #PermitTunnel no | + | #ChrootDirectory none |
| − | #ChrootDirectory none | + | |
| − | + | # no default banner path | |
| − | # no default banner path | + | #Banner none |
| − | #Banner none | + | |
| − | + | # override default of no subsystems | |
| − | # override default of no subsystems | + | Subsystem sftp /usr/libexec/sftp-server |
| − | Subsystem sftp /usr/libexec/sftp-server | + | # |
| − | + | # Example of overriding settings on a per-user basis | |
| − | # Example of overriding settings on a per-user basis | + | #Match User anoncvs |
| − | #Match User anoncvs | + | # X11Forwarding no |
| − | # X11Forwarding no | + | # AllowTcpForwarding no |
| − | # AllowTcpForwarding no | + | # ForceCommand cvs server |
| − | # ForceCommand cvs server | + | |
[[Category:Important Config Files]] | [[Category:Important Config Files]] | ||
Revision as of 15:34, 24 May 2011
Whenever you edit sshd_config, check the new file for syntax errors first and then restart sshd: sshd -t && /etc/rc.d/sshd restart. Do this from a session you keep open, and confirm that a fresh login still works before you log out: a typo, or a change to the authentication options, can otherwise lock you out of a remote host.
Example sshd_config file, from a newly installed 8.2-RELEASE system:
# $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.49.2.2.4.1 2010/12/21 17:09:25 kensmith Exp $
#
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
#
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
#
# NOTE(review): this is the stock 8.2-RELEASE file. The only directive
# that is actually set is "Subsystem sftp" near the bottom; every
# "#Option value" line documents the compiled-in default, so those
# values are what is in effect on a fresh install. Lines starting with
# "NOTE(review)" are reviewer annotations, not disabled directives.

# NOTE(review): this string presumably ends up in the version banner
# every client sees before authenticating, so it identifies the exact
# FreeBSD OpenSSH snapshot -- keep that in mind for version fingerprinting.
#VersionAddendum FreeBSD-20100308

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
# NOTE(review): leave protocol 1 off. The v1 HostKey, KeyRegenerationInterval
# and ServerKeyBits lines below only matter if "Protocol 1" is added here;
# do not re-enable it for legacy clients.
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
# NOTE(review): consider LogLevel VERBOSE if you need the key fingerprint
# used for each public-key login in the auth log -- confirm the exact
# output against sshd_config(5) for this release.
#LogLevel INFO

# Authentication:

# NOTE(review): LoginGraceTime, MaxAuthTries and MaxStartups (further down)
# bound how much guessing and how many half-open connections one client can
# inflict; lowering them limits brute-force pressure but is no substitute
# for keeping password authentication off.
#LoginGraceTime 2m
# NOTE(review): "no" is the FreeBSD default (the header notes FreeBSD's
# defaults differ from OpenBSD's), so root logins are refused unless this
# line is uncommented and changed. Prefer leaving it: log in as an
# unprivileged user and escalate locally.
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
# NOTE(review): the relative path is resolved under each user's home. With
# StrictModes yes (above) sshd refuses keys whose file or directory
# permissions are too open -- a common cause of otherwise unexplained
# key-auth failures; see sshd_config(5).
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
# NOTE(review): "no" here does NOT by itself disable password logins on this
# system. With UsePAM yes and ChallengeResponseAuthentication yes (both the
# defaults below) PAM still prompts for a password via keyboard-interactive.
# For a key-only server set BOTH PasswordAuthentication and
# ChallengeResponseAuthentication to no, as the UsePAM comment below says.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# NOTE(review): because of the bypass described above, "PermitRootLogin
# without-password" is only a reliable control when
# ChallengeResponseAuthentication is also set to no.
#UsePAM yes

# NOTE(review): agent, TCP and X11 forwarding are all enabled by default.
# On a host that only needs shell or sftp access, consider
# AllowAgentForwarding no, AllowTcpForwarding no and X11Forwarding no,
# re-enabling per user with a Match block (see the anoncvs example at the
# bottom). A forwarded agent socket is usable by root on this host.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
# NOTE(review): 0 means sshd never probes an idle client, so dead sessions
# linger until TCP gives up; a non-zero interval together with
# ClientAliveCountMax reaps them -- confirm semantics in sshd_config(5).
#ClientAliveInterval 0
#ClientAliveCountMax 3
# NOTE(review): presumably a reverse lookup per connection; only useful for
# hostname-based matching and slows logins when reverse DNS is broken.
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
# NOTE(review): for sftp-only accounts, ChrootDirectory inside a Match block
# is the usual way to confine them; the chroot path must be root-owned and
# not writable by group or others, or sshd rejects it -- see sshd_config(5).
#ChrootDirectory none

# no default banner path
# NOTE(review): a banner is shown to clients before they authenticate, so
# keep any legal notice free of hostnames, versions or other host details.
#Banner none

# override default of no subsystems
# NOTE(review): the only directive this stock file actually sets.
Subsystem sftp /usr/libexec/sftp-server
#
# Example of overriding settings on a per-user basis
# NOTE(review): everything after a Match line applies only to matching
# connections until the next Match or end of file, so keep global options
# above this point.
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server