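# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# Drop-in files are read before anything below. For most keywords sshd keeps
# the first value it obtains, so a setting in /etc/ssh/sshd_config.d/*.conf
# takes precedence over the same keyword later in this file. Keep that
# directory writable by root only, and audit the effective configuration
# with `sshd -T` rather than by reading this file alone.
Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:
# Nothing in this group is set here, so the commented defaults apply unless a
# drop-in changes them. With prohibit-password, root may still log in with a
# key but not with a password or keyboard-interactive authentication.

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
# The path is relative to each user's home directory.
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# Left commented, so password logins are accepted unless a drop-in says
# otherwise. Where every account has a key provisioned, setting this to "no"
# removes password guessing as a way in.
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable keyboard-interactive authentication (beware issues
# with some PAM modules and threads)
# Set explicitly to "no" here, which also closes the PAM keyboard-interactive
# path that the UsePAM note below describes as able to bypass PermitRootLogin.
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password" (deprecated alias:
# "without-password").
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no

# Agent and TCP forwarding are left at their permissive defaults. If accounts
# on this host should not be able to tunnel through it, turn them off in a
# drop-in or in a Match block like the example at the end of this file.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
# Compression is switched off explicitly.
Compression no
# Liveness probes travel inside the encrypted channel every 15 seconds; after
# 4 unanswered probes (about 60 seconds) sshd drops the connection. This
# detects dead peers. It is not an idle-session timeout, because a client
# that is idle but still running keeps answering the probes.
ClientAliveInterval 15
ClientAliveCountMax 4
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
# SFTP is offered to every account that can authenticate; what it can reach
# is bounded by that account's filesystem permissions unless ChrootDirectory
# or a Match block narrows it.
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server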