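# Package generated configuration file
# See the sshd_config(5) manpage for details
#
# Keywords are case-insensitive and arguments are case-sensitive; the first
# obtained value for each keyword wins, so later duplicates are ignored.

#-----------------------------
# Daemon
#-----------------------------

# What ports, IPs and protocols we listen for
Port 22

# Specifies the local addresses sshd(8) should listen on.  The following forms may be used:
#
#    ListenAddress host|IPv4_addr|IPv6_addr
#    ListenAddress host|IPv4_addr:port
#    ListenAddress [host|IPv6_addr]:port
#
# If port is not specified, sshd will listen on the address and all Port options specified.  The default
# is to listen on all local addresses.  Multiple ListenAddress options are permitted.
#
#    ListenAddress ::
#    ListenAddress 0.0.0.0
#    ListenAddress 159.69.72.24
#    ListenAddress 2a01:4f8:231:171f::2
#
# The two wildcard entries below bind every local IPv4 and IPv6 address;
# restrict them to specific addresses if the daemon should not be reachable
# on all interfaces.
ListenAddress ::
ListenAddress 0.0.0.0

# Specifies the protocol versions sshd(8) supports.
# The possible values are "1", "2" and "1,2".
# The default is "2".
# Note: protocol version 1 support has been removed from OpenSSH, so only "2"
# is meaningful here. On current releases this keyword is deprecated and may
# be reported as such when the configuration is loaded; it is otherwise harmless.
Protocol 2

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#
# Note:
#    Deprecated option KeyRegenerationInterval
#    Deprecated option ServerKeyBits
#
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Specifies the maximum number of concurrent unauthenticated connections
# to the SSH daemon. See sshd_config(5) for specifying the three colon
# separated values (start:rate:full): once "start" unauthenticated
# connections exist, new ones are dropped with probability "rate"/100,
# rising linearly until all are refused at "full".
# The default is 10.
#MaxStartups 10:30:100
#MaxStartups 3
MaxStartups 10:30:100

# Specifies the maximum number of authentication attempts permitted per
# connection. Once the number of failures reaches half this value,
# additional failures are logged, which is what makes brute-force attempts
# visible in the auth log.
# The default is 6.
MaxAuthTries 6

# Specifies the maximum number of open sessions permitted per network
# connection.
# The default is 10.
MaxSessions 10


#-----------------------------
# Authentication
#-----------------------------

# Specifies whether sshd(8) separates privileges by creating an unprivileged
# child process to deal with incoming network traffic.
# The default is "yes" (for security).
#
# Note: (Release 7.5)
#    Deprecated option UsePrivilegeSeparation
#    Privilege separation has been on by default for almost 15 years
#    sandboxing has been on by default for almost the last five
#
#UsePrivilegeSeparation yes

# The server disconnects after this time if the user has not
# successfully logged in.
# The default is 120 seconds.
LoginGraceTime 120

# Specifies whether root can log in using ssh(1).
# The default is "yes".
# Possible values: yes, no, prohibit-password (or the older one: without-password)
#
# prohibit-password disables password and keyboard-interactive authentication
# for root while still allowing public-key logins. With PasswordAuthentication
# and ChallengeResponseAuthentication both set to "no" further down, root can
# already only log in with a key, so this changes nothing today; it keeps root
# password logins closed if password authentication is ever re-enabled.
# Use "no" if interactive root access over ssh is not required at all.
PermitRootLogin prohibit-password
#PermitRootLogin yes
#PermitRootLogin no

# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login.  This is normally
# desirable because novices sometimes accidentally leave their directory or
# files world-writable. Note that this does not apply to ChrootDirectory,
# whose permissions and ownership are checked unconditionally.
# The default is “yes”.
StrictModes yes

# Specifies whether pure RSA authentication is allowed. This option
# applies to protocol version 1 only.
# The default is “yes”.
#
# Note:
#    Deprecated option RSAAuthentication
#
#RSAAuthentication yes

# Specifies whether public key authentication is allowed. Note that this
# option applies to protocol version 2 only.
# The default is “yes”.
PubkeyAuthentication yes

# Specifies the file that contains the public keys that can be used for
# user authentication.  The format is described in the AUTHORIZED_KEYS FILE
# FORMAT section of sshd(8).
# AuthorizedKeysFile may contain tokens of the form %T which are substituted
# during connection setup. The following tokens are defined: %% is replaced
# by a literal '%', %h is replaced by the home directory of the user being
# authenticated, and %u is replaced by the username of that user. After
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
# to the user's home directory. Multiple files may be listed, separated by
# whitespace.
# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
#AuthorizedKeysFile	%h/.ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

# Specifies whether password authentication is allowed.
# Change to no to disable tunnelled clear text passwords
# The default is "yes".
# Disabled here: only key-based logins are accepted. If this is ever set back
# to "yes", PermitRootLogin above still keeps root out of password logins.
#PasswordAuthentication yes
PasswordAuthentication no

# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
# The default is “no”.
PermitEmptyPasswords no

# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
# The default is “yes”.
# Disabled together with PasswordAuthentication so that PAM cannot offer an
# interactive password prompt (see the UsePAM note below).
ChallengeResponseAuthentication no

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
#
# Note:
#    Deprecated option RhostsRSAAuthentication
#
#RhostsRSAAuthentication no

# similar for protocol version 2
HostbasedAuthentication no

# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# The default is “no”.
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# If specified, login is allowed only for user names that match one of
# the patterns.
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
# Not set here, so every local account with a valid key may log in; an
# AllowUsers or AllowGroups list is the usual way to narrow that.
#AllowUsers back chris sysadm cityslang christoph

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# That is the combination used in this file: PAM only runs the account and
# session stages, it does not authenticate anyone.
UsePAM yes

# Specifies whether login(1) is used for interactive login sessions.
# Note that login(1) is never used for remote command execution.
# Note also, that if this is enabled, X11Forwarding will be disabled
# because login(1) does not know how to handle xauth(1) cookies. If
# UsePrivilegeSeparation is specified, it will be disabled after
# authentication.
# The default is “no”.
#UseLogin no


#-----------------------------
# Cryptography
#-----------------------------
#
# None of the algorithm lists below is set, so the compiled-in defaults of
# the installed OpenSSH release apply. The "default is" lists are a snapshot
# from the release this file was written for and may differ from the
# running version; check `sshd -T` for the effective values.

# Specifies the available KEX (Key Exchange) algorithms.
# The default is:
## curve25519-sha256@libssh.org,
## ecdh-sha2-nistp256,
## ecdh-sha2-nistp384,
## ecdh-sha2-nistp521,
## diffie-hellman-group-exchange-sha256,
## diffie-hellman-group14-sha1.
#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

# Specifies the ciphers allowed for protocol version 2.
# The default is:
## aes128-ctr,
## aes192-ctr,
## aes256-ctr,
## aes128-gcm@openssh.com,
## aes256-gcm@openssh.com,
## chacha20-poly1305@openssh.com.
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr

# Specifies the available MAC (message authentication code) algorithms.
# The default is:
## umac-64-etm@openssh.com,
## umac-128-etm@openssh.com,
## hmac-sha2-256-etm@openssh.com,
## hmac-sha2-512-etm@openssh.com,
## umac-64@openssh.com,
## umac-128@openssh.com,
## hmac-sha2-256,
## hmac-sha2-512.
# Note: the commented example below still names hmac-ripemd160 variants,
# which newer OpenSSH releases no longer support. Drop them before
# uncommenting this line, otherwise sshd will likely refuse the MAC spec.
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com


#-----------------------------
# Logging
#-----------------------------

# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
# The default is AUTH.
SyslogFacility AUTH

# Gives the verbosity level that is used when logging messages from
# sshd(8).
# The default is INFO.
# VERBOSE additionally records the fingerprint of the key used for each
# public-key login, which helps attribute logins when several keys share
# an account.
LogLevel INFO


#-----------------------------
# Behavior
#-----------------------------

# Specifies whether the distribution-specified extra version suffix is included
# during initial protocol handshake.
# The default is "yes".
DebianBanner no

# The contents of the specified file are sent to the remote user before
# authentication is allowed.
# By default, no banner is displayed.
#Banner /etc/issue.net

# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
# The default is “yes”.
PrintMotd no

# Specifies what environment variables sent by the client will be copied
# into the session's environ(7).
# The default is not to accept any environment variables.
# Only locale variables are accepted; widening this list lets clients
# influence the session environment, so keep it minimal.
AcceptEnv LANG LC_*

# Configures an external subsystem (e.g. file transfer daemon).
# By default no subsystems are defined.
Subsystem sftp /usr/lib/openssh/sftp-server

# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the
# very same IP address.
# The default is “yes”.
# "no" avoids login delays from slow reverse DNS; it also means host-name
# patterns in AllowUsers/DenyUsers and authorized_keys "from=" options
# can only match by address.
UseDNS no

# Specifies whether X11 forwarding is permitted. The argument must be
# “yes” or “no”. See sshd_config(5) for further explanation.
# The default is “no”.
#X11Forwarding yes

# Specifies the first display number available for sshd(8)'s X11
# forwarding. This prevents sshd from interfering with real X11 servers.
# The default is 10.
X11DisplayOffset 10

# Specifies whether the system should send TCP keepalive messages to the
# other side. If they are sent, death of the connection or crash of one
# of the machines will be properly noticed.  However, this means
# that connections will die if the route is down temporarily, and some
# people find it annoying. On the other hand, if TCP keepalives are not
# sent, sessions may hang indefinitely on the server, leaving “ghost” users
# and consuming server resources.
#
# The default is “yes” (to send TCP keepalive messages), and the server
# will notice if the network goes down or the client host crashes. This
# avoids infinitely hanging sessions.
TCPKeepAlive yes

# Specifies whether sshd(8) should print the date and time of the last
# user login when a user logs in interactively.
# The default is “yes”.
PrintLastLog yes


#-----------------------------
# Kerberos options
#-----------------------------
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes


#-----------------------------
# GSSAPI options
#-----------------------------

#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes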