NetBSD/crypto/dist/ssh/sshd_config

#	$NetBSD: sshd_config,v 1.23 2006/02/04 22:32:14 christos Exp $
#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

# Slow machines or long keys may require more processing time.
LoginGraceTime 600
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
UsePam yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server
resolve conflicts 2006-02-05 01:32:13 +03:00			`# $NetBSD: sshd_config,v 1.23 2006/02/04 22:32:14 christos Exp $`
			`# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00
sync with openssh 3.3. local mods included to make it compile with openssl 0.9.6d. 2002-06-24 09:48:24 +04:00			`# This is the sshd server system-wide configuration file. See`
			`# sshd_config(5) for more information.`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`# The strategy used for options in the default sshd_config shipped with`
			`# OpenSSH is to specify options with their default value where`
			`# possible, but leave them commented. Uncommented options change a`
			`# default value.`

			`#Port 22`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00			`#Protocol 2,1`
resolve conflicts. 2005-04-23 20:53:28 +04:00			`#AddressFamily any`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00			`#ListenAddress 0.0.0.0`
			`#ListenAddress ::`
upgrade to openssh 2.9, around 2001/6/24 (from openbsd usr.bin/ssh). - authorized_keys2 and known_hosts2 are obsoleted, and integrated into those without "2". - file name change, /etc/primes -> /etc/moduli - cleanups 2001-06-23 23:37:38 +04:00
			`# HostKey for protocol version 1`
move sshd config files to /etc/ssh 2002-03-11 07:57:55 +03:00			`#HostKey /etc/ssh/ssh_host_key`
upgrade to openssh 2.9, around 2001/6/24 (from openbsd usr.bin/ssh). - authorized_keys2 and known_hosts2 are obsoleted, and integrated into those without "2". - file name change, /etc/primes -> /etc/moduli - cleanups 2001-06-23 23:37:38 +04:00			`# HostKeys for protocol version 2`
move sshd config files to /etc/ssh 2002-03-11 07:57:55 +03:00			`#HostKey /etc/ssh/ssh_host_rsa_key`
			`#HostKey /etc/ssh/ssh_host_dsa_key`
upgrade to openssh 2.9, around 2001/6/24 (from openbsd usr.bin/ssh). - authorized_keys2 and known_hosts2 are obsoleted, and integrated into those without "2". - file name change, /etc/primes -> /etc/moduli - cleanups 2001-06-23 23:37:38 +04:00
			`# Lifetime and size of ephemeral version 1 server key`
Resolve conflicts. 2005-02-13 08:57:25 +03:00			`#KeyRegenerationInterval 1h`
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`#ServerKeyBits 768`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00
			`# Logging`
resolve conflicts 2006-02-05 01:32:13 +03:00			`# obsoletes QuietMode and FascistLogging`
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`#SyslogFacility AUTH`
			`#LogLevel INFO`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00
upgrade to openssh 2.9, around 2001/6/24 (from openbsd usr.bin/ssh). - authorized_keys2 and known_hosts2 are obsoleted, and integrated into those without "2". - file name change, /etc/primes -> /etc/moduli - cleanups 2001-06-23 23:37:38 +04:00			`# Authentication:`

Set LoginGraceTime back to 600 like it used to be. This should help slow machines with long keys to still work like they did with NetBSD 1.6 and before. 2004-05-01 10:06:33 +04:00			`# Slow machines or long keys may require more processing time.`
			`LoginGraceTime 600`
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`#PermitRootLogin no`
			`#StrictModes yes`
Resolve conflicts. 2005-02-13 08:57:25 +03:00			`#MaxAuthTries 6`
upgrade to openssh 2.9, around 2001/6/24 (from openbsd usr.bin/ssh). - authorized_keys2 and known_hosts2 are obsoleted, and integrated into those without "2". - file name change, /etc/primes -> /etc/moduli - cleanups 2001-06-23 23:37:38 +04:00
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`#RSAAuthentication yes`
			`#PubkeyAuthentication yes`
			`#AuthorizedKeysFile .ssh/authorized_keys`
upgrade to openssh 2.9, around 2001/6/24 (from openbsd usr.bin/ssh). - authorized_keys2 and known_hosts2 are obsoleted, and integrated into those without "2". - file name change, /etc/primes -> /etc/moduli - cleanups 2001-06-23 23:37:38 +04:00
move sshd config files to /etc/ssh 2002-03-11 07:57:55 +03:00			`# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts`
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`#RhostsRSAAuthentication no`
upgrade to openssh (openbsd usr.bin/ssh) 2.9, around 5/15/2001. 2001-05-15 19:26:07 +04:00			`# similar for protocol version 2`
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`#HostbasedAuthentication no`
			`# Change to yes if you don't trust ~/.ssh/known_hosts for`
			`# RhostsRSAAuthentication and HostbasedAuthentication`
			`#IgnoreUserKnownHosts no`
Resolve conflicts. 2005-02-13 08:57:25 +03:00			`# Don't read the user's ~/.rhosts and ~/.shosts files`
			`#IgnoreRhosts yes`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00
			`# To disable tunneled clear text passwords, change to no here!`
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`#PasswordAuthentication yes`
			`#PermitEmptyPasswords no`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`# Change to no to disable s/key passwords`
			`#ChallengeResponseAuthentication yes`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`# Kerberos options`
sync with 3.2.1 as of 5/13. NOTE: privilege separation is turned off by default as it seems there still are issues with setsid(). 2002-05-13 06:58:17 +04:00			`#KerberosAuthentication no`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00			`#KerberosOrLocalPasswd yes`
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`#KerberosTicketCleanup yes`
Resolve conflicts. 2005-02-13 08:57:25 +03:00			`#KerberosGetAFSToken no`
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00
Resolve conflicts. 2005-02-13 08:57:25 +03:00			`# GSSAPI options`
			`#GSSAPIAuthentication no`
			`#GSSAPICleanupCredentials yes`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00
Resolve conflicts. 2005-02-13 08:57:25 +03:00			`#AllowTcpForwarding yes`
			`#GatewayPorts no`
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`#X11Forwarding no`
			`#X11DisplayOffset 10`
			`#X11UseLocalhost yes`
			`#PrintMotd yes`
			`#PrintLastLog yes`
Resolve conflicts. 2005-02-13 08:57:25 +03:00			`#TCPKeepAlive yes`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00			`#UseLogin no`
turn on privilege separation, as 3.2.1 default do. requires sshd uid/gid as well as /var/empty directory. 2002-05-15 03:33:07 +04:00			`#UsePrivilegeSeparation yes`
Add UsePam yes 2005-02-28 05:35:10 +03:00			`UsePam yes`
upgrade to openssh 3.5. major changes include: - krb4/5 support for privsep (krb5 diff was already applied) includes fake implementaation of getpeereid() from openssh-portable, which does nothing useful - need improvement. 2002-10-01 18:07:26 +04:00			`#PermitUserEnvironment no`
resolve conflicts 2006-02-05 01:32:13 +03:00			`#Compression delayed`
Resolve conflicts. 2005-02-13 08:57:25 +03:00			`#ClientAliveInterval 0`
			`#ClientAliveCountMax 3`
			`#UseDNS yes`
			`#PidFile /var/run/sshd.pid`
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`#MaxStartups 10`
resolve conflicts 2006-02-05 01:32:13 +03:00			`#PermitTunnel no`
Resolve conflicts. 2005-02-13 08:57:25 +03:00
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`# no default banner path`
			`#Banner /some/path`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00
sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc (openbsd usr.bin/ssh is using /etc/ssh) 2002-03-08 05:00:50 +03:00			`# override default of no subsystems`
OpenSSH 2.3.1 as of 2001/2/8 2001-02-07 19:46:40 +03:00			`Subsystem sftp /usr/libexec/sftp-server`