freebsd-dev/crypto/openssh/sshd_config

#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
#	$FreeBSD$

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
#VersionAddendum FreeBSD-20180909

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
Vendor import of OpenSSH 7.8p1. 2018-08-28 10:47:58 +00:00			`# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $`
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs 2002-06-29 10:55:18 +00:00			`# $FreeBSD$`
Fix conflicts for OpenSSH 2.9. 2001-05-04 04:14:23 +00:00
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs 2002-06-23 16:09:08 +00:00			`# This is the sshd server system-wide configuration file. See`
			`# sshd_config(5) for more information.`
Vendor import of OpenSSH. 2000-02-24 14:29:47 +00:00
Forcibly revert to mainline. 2002-06-27 22:42:11 +00:00			`# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin`

Fix conflicts. 2002-03-18 10:09:43 +00:00			`# The strategy used for options in the default sshd_config shipped with`
			`# OpenSSH is to specify options with their default value where`
Vendor import of OpenSSH 5.9p1 2011-09-28 08:14:41 +00:00			`# possible, but leave them commented. Uncommented options override the`
Fix conflicts. 2002-03-18 10:09:43 +00:00			`# default value.`

Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs 2002-06-29 10:55:18 +00:00			`# Note that some of FreeBSD's defaults differ from OpenBSD's, and`
			`# FreeBSD has a few additional options.`

Fix conflicts. 2002-03-18 10:09:43 +00:00			`#Port 22`
Resolve conflicts. 2005-06-05 15:46:09 +00:00			`#AddressFamily any`
Vendor import of OpenSSH. 2000-02-24 14:29:47 +00:00			`#ListenAddress 0.0.0.0`
			`#ListenAddress ::`
Fix conflicts. 2002-03-18 10:09:43 +00:00
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00			`#HostKey /etc/ssh/ssh_host_rsa_key`
Vendor import of OpenSSH 5.7p1 2011-02-17 11:47:40 +00:00			`#HostKey /etc/ssh/ssh_host_ecdsa_key`
Vendor import of OpenSSH 6.5p1. 2014-01-30 10:56:49 +00:00			`#HostKey /etc/ssh/ssh_host_ed25519_key`
Fix conflicts. 2002-03-18 10:09:43 +00:00
Vendor import of OpenSSH 6.3p1 2013-09-18 17:27:38 +00:00			`# Ciphers and keying`
			`#RekeyLimit default none`

Vendor import of OpenSSH. 2000-02-24 14:29:47 +00:00			`# Logging`
Fix conflicts. 2002-03-18 10:09:43 +00:00			`#SyslogFacility AUTH`
			`#LogLevel INFO`
Vendor import of OpenSSH. 2000-02-24 14:29:47 +00:00
Fix conflicts. 2002-03-18 10:09:43 +00:00			`# Authentication:`

Resolve conflicts and remove obsolete files. Sponsored by: registrar.no 2004-01-07 11:16:27 +00:00			`#LoginGraceTime 2m`
Document our modified default value for PermitRootLogin. 2016-02-02 10:02:38 +00:00			`#PermitRootLogin no`
Fix conflicts. 2002-03-18 10:09:43 +00:00			`#StrictModes yes`
Resolve conflicts 2004-10-28 16:11:31 +00:00			`#MaxAuthTries 6`
Vendor import of OpenSSH 5.1p1 2008-07-23 09:33:08 +00:00			`#MaxSessions 10`
Fix conflicts. 2002-03-18 10:09:43 +00:00
			`#PubkeyAuthentication yes`
Vendor import of OpenSSH 5.9p1 2011-09-28 08:14:41 +00:00
			`# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2`
			`# but this is overridden so installations will only check .ssh/authorized_keys`
			`AuthorizedKeysFile .ssh/authorized_keys`
Fix conflicts. 2002-03-18 10:09:43 +00:00
Vendor import of OpenSSH 6.1p1. 2012-08-29 15:55:54 +00:00			`#AuthorizedPrincipalsFile none`

Vendor import of OpenSSH 6.2p1. 2013-03-22 11:19:48 +00:00			`#AuthorizedKeysCommand none`
			`#AuthorizedKeysCommandUser nobody`

Fix conflicts. 2002-03-18 10:09:43 +00:00			`# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts`
			`#HostbasedAuthentication no`
			`# Change to yes if you don't trust ~/.ssh/known_hosts for`
Vendor import of OpenSSH 7.4p1. 2017-01-31 12:33:47 +00:00			`# HostbasedAuthentication`
Fix conflicts. 2002-03-18 10:09:43 +00:00			`#IgnoreUserKnownHosts no`
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no 2004-01-07 11:16:27 +00:00			`# Don't read the user's ~/.rhosts and ~/.shosts files`
			`#IgnoreRhosts yes`
Vendor import of OpenSSH. 2000-02-24 14:29:47 +00:00
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it. 2004-02-19 15:53:31 +00:00			`# Change to yes to enable built-in password authentication.`
			`#PasswordAuthentication no`
Fix conflicts. 2002-03-18 10:09:43 +00:00			`#PermitEmptyPasswords no`
Fix conflicts for OpenSSH 2.9. 2001-05-04 04:14:23 +00:00
Two FreeBSD-specific nits in comments: - ChallengeResponseAuthentication controls PAM, not S/Key - We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it. Sponsored by: DARPA, NAI Labs 2002-07-03 00:08:19 +00:00			`# Change to no to disable PAM authentication`
Back out previous commit. 2002-04-25 16:53:25 +00:00			`#ChallengeResponseAuthentication yes`
Vendor import of OpenSSH. 2000-02-24 14:29:47 +00:00
Fix conflicts. 2002-03-18 10:09:43 +00:00			`# Kerberos options`
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs 2002-06-23 16:09:08 +00:00			`#KerberosAuthentication no`
Vendor import of OpenSSH. 2000-02-24 14:29:47 +00:00			`#KerberosOrLocalPasswd yes`
Fix conflicts. 2002-03-18 10:09:43 +00:00			`#KerberosTicketCleanup yes`
Resolve conflicts. 2004-02-26 10:52:33 +00:00			`#KerberosGetAFSToken no`
Fix conflicts. 2002-03-18 10:09:43 +00:00
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no 2004-01-07 11:16:27 +00:00			`# GSSAPI options`
			`#GSSAPIAuthentication no`
Resolve conflicts. 2004-02-26 10:52:33 +00:00			`#GSSAPICleanupCredentials yes`
Vendor import of OpenSSH. 2000-02-24 14:29:47 +00:00
Merge conflicts. MFC after: 1 week 2006-09-30 13:38:06 +00:00			`# Set this to 'no' to disable PAM authentication, account processing,`
Vendor import of OpenSSH 6.5p1. 2014-01-30 10:56:49 +00:00			`# and session processing. If this is enabled, PAM authentication will`
Merge conflicts. MFC after: 1 week 2006-09-30 13:38:06 +00:00			`# be allowed through the ChallengeResponseAuthentication and`
			`# PasswordAuthentication. Depending on your PAM configuration,`
			`# PAM authentication via ChallengeResponseAuthentication may bypass`
			`# the setting of "PermitRootLogin without-password".`
			`# If you just want the PAM account and session checks to run without`
			`# PAM authentication, then enable this but set PasswordAuthentication`
			`# and ChallengeResponseAuthentication to 'no'.`
Correctly document the default value of UsePAM. 2004-03-15 18:38:29 +00:00			`#UsePAM yes`
Vendor import of OpenSSH. 2000-02-24 14:29:47 +00:00
Vendor import of OpenSSH 5.1p1 2008-07-23 09:33:08 +00:00			`#AllowAgentForwarding yes`
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no 2004-01-07 11:16:27 +00:00			`#AllowTcpForwarding yes`
			`#GatewayPorts no`
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs 2002-06-29 10:55:18 +00:00			`#X11Forwarding yes`
Fix conflicts. 2002-03-18 10:09:43 +00:00			`#X11DisplayOffset 10`
			`#X11UseLocalhost yes`
Vendor import of OpenSSH 6.5p1. 2014-01-30 10:56:49 +00:00			`#PermitTTY yes`
Fix conflicts. 2002-03-18 10:09:43 +00:00			`#PrintMotd yes`
			`#PrintLastLog yes`
Resolve conflicts. 2004-02-26 10:52:33 +00:00			`#TCPKeepAlive yes`
Resolve conflicts. 2002-10-29 10:16:02 +00:00			`#PermitUserEnvironment no`
Resolve conflicts. 2005-09-03 07:04:25 +00:00			`#Compression delayed`
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no 2004-01-07 11:16:27 +00:00			`#ClientAliveInterval 0`
			`#ClientAliveCountMax 3`
Switch UseDNS back on 2016-01-27 13:40:44 +00:00			`#UseDNS yes`
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no 2004-01-07 11:16:27 +00:00			`#PidFile /var/run/sshd.pid`
Vendor import of OpenSSH 6.2p1. 2013-03-22 11:19:48 +00:00			`#MaxStartups 10:30:100`
Merge conflicts. 2006-03-22 20:41:37 +00:00			`#PermitTunnel no`
Vendor import of OpenSSH 4.9p1 for posterity's sake 2008-07-23 09:28:49 +00:00			`#ChrootDirectory none`
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 2016-08-30 14:09:24 +00:00			`#UseBlacklist no`
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@) 2018-09-10 16:20:12 +00:00			`#VersionAddendum FreeBSD-20180909`
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no 2004-01-07 11:16:27 +00:00
Fix conflicts. 2002-03-18 10:09:43 +00:00			`# no default banner path`
Vendor import of OpenSSH 4.9p1 for posterity's sake 2008-07-23 09:28:49 +00:00			`#Banner none`
Fix conflicts for OpenSSH 2.9. 2001-05-04 04:14:23 +00:00
Fix conflicts. 2002-03-18 10:09:43 +00:00			`# override default of no subsystems`
Fix conflicts for OpenSSH 2.9. 2001-05-04 04:14:23 +00:00			`Subsystem sftp /usr/libexec/sftp-server`
Merge conflicts. MFC after: 1 week 2006-09-30 13:38:06 +00:00
			`# Example of overriding settings on a per-user basis`
			`#Match User anoncvs`
			`# X11Forwarding no`
			`# AllowTcpForwarding no`
Vendor import of OpenSSH 6.5p1. 2014-01-30 10:56:49 +00:00			`# PermitTTY no`
Merge conflicts. MFC after: 1 week 2006-09-30 13:38:06 +00:00			`# ForceCommand cvs server`