# Package generated configuration file
# See the sshd_config(5) manpage for details

#-----------------------------
# Daemon
#-----------------------------

# TCP port sshd listens on.
Port 22

# Use these options to restrict which interfaces/protocols sshd will bind to.
# All ListenAddress lines are commented out, so sshd binds to every local
# address. On a multi-homed host, set ListenAddress explicitly to keep SSH
# off interfaces that do not need it.
#ListenAddress ::
#ListenAddress 0.0.0.0
#ListenAddress 176.9.117.77

# Specifies the protocol versions sshd(8) supports.
# The possible values are '1', '2' and '1,2'.
# The default is '2'.
# Protocol 1 is obsolete and must not be enabled.
# NOTE(review): releases that flag the SSHv1-only options below as deprecated
# no longer implement protocol 1, so this line is probably ignored there --
# confirm against the installed sshd_config(5).
Protocol 2

# HostKeys for protocol version 2
# sshd refuses to use a host key file that is group- or world-accessible;
# keep these private keys readable by root only. No DSA host key is listed.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#
# Note:
#    Deprecated option KeyRegenerationInterval
#    Deprecated option ServerKeyBits
#
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Specifies the maximum number of concurrent unauthenticated connections
# to the SSH daemon. See sshd_config(5) for specifying the three
# colon-separated values (start:rate:full).
# With 10:30:100, sshd begins refusing new unauthenticated connections with
# 30% probability once 10 are pending; the probability rises linearly until
# every new connection is refused at 100 pending.
# The default is 10.
#MaxStartups 10:30:100
#MaxStartups 3
MaxStartups 10:30:100

# Specifies the maximum number of authentication attempts permitted per
# connection.
# The default is 6.
# Each rejected key offer counts as an attempt, so a client whose agent holds
# more than three keys can be disconnected before it offers the right one.
MaxAuthTries 3

# Specifies the maximum number of open sessions permitted per network
# connection.
# The default is 10.
MaxSessions 10


#-----------------------------
# Authentication
#-----------------------------

# Specifies whether sshd(8) separates privileges by creating an unprivileged
# child process to deal with incoming network traffic.
# The default is "yes" (for security).
# NOTE(review): newer OpenSSH releases deprecate this option and always
# separate privileges -- confirm against the installed sshd_config(5).
UsePrivilegeSeparation yes

# The server disconnects after this time if the user has not
# successfully logged in.
# The default is 120 seconds.
# Connections waiting in this window count towards MaxStartups, so a shorter
# value frees unauthenticated slots sooner.
LoginGraceTime 120

# Specifies whether root can log in using ssh(1).
# The default is "yes" on older releases; OpenSSH 7.0 and later default to
# "prohibit-password".
# "without-password" is the deprecated alias of "prohibit-password": root may
# still log in, but password and keyboard-interactive authentication are
# disabled for root. Root access then depends on the protection of root's
# authorized_keys and the matching private keys. Prefer "no" where
# administrators can log in as an unprivileged user and escalate.
#PermitRootLogin yes
PermitRootLogin without-password
#PermitRootLogin no

# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login.  This is normally
# desirable because novices sometimes accidentally leave their directory or
# files world-writable. Note that this does not apply to ChrootDirectory,
# whose permissions and ownership are checked unconditionally.
# The default is "yes".
StrictModes yes

# Specifies whether pure RSA authentication is allowed. This option
# applies to protocol version 1 only.
# The default is "yes".
#
# Note:
#    Deprecated option RSAAuthentication
#
#RSAAuthentication yes

# Specifies whether public key authentication is allowed. Note that this
# option applies to protocol version 2 only.
# The default is "yes".
# With password and challenge-response authentication set to "no" below,
# this is the only authentication method this file leaves enabled.
PubkeyAuthentication yes

# Specifies the file that contains the public keys that can be used for
# user authentication.  The format is described in the AUTHORIZED_KEYS FILE
# FORMAT section of sshd(8).
# AuthorizedKeysFile may contain tokens of the form %T which are substituted
# during connection setup. The following tokens are defined: %% is replaced
# by a literal '%', %h is replaced by the home directory of the user being
# authenticated, and %u is replaced by the username of that user. After
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
# to the user's home directory. Multiple files may be listed, separated by
# whitespace.
# The default is ".ssh/authorized_keys .ssh/authorized_keys2".
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Specifies whether password authentication is allowed.
# Change to no to disable tunnelled clear text passwords
# The default is "yes".
# Set to "no" here, which removes password guessing as a way in. Confirm that
# key-based login works from a second session before reloading sshd with
# this setting, otherwise remote access can be lost.
#PasswordAuthentication yes
PasswordAuthentication no

# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
# The default is "no".
PermitEmptyPasswords no

# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
# The default is "yes".
# Keep this at "no" while UsePAM is "yes": otherwise PAM can still prompt for
# a password through this method even though PasswordAuthentication is "no".
ChallengeResponseAuthentication no

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For the commented-out RhostsRSAAuthentication option below to work you
# would also need host keys in /etc/ssh_known_hosts
#
# Note:
#    Deprecated option RhostsRSAAuthentication
#
#RhostsRSAAuthentication no

# The protocol version 2 counterpart of RhostsRSAAuthentication.
# "no" means a client host's identity is never accepted in place of
# authenticating the user.
HostbasedAuthentication no

# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# The default is "no".
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
# Only relevant if host-based authentication is enabled, which it is not here.
#IgnoreUserKnownHosts yes

# If specified, login is allowed only for user names that match one of
# the patterns.
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
# The list is commented out, so any account that can authenticate may log in.
# An AllowUsers or AllowGroups list keeps service accounts and forgotten
# accounts from being reachable over SSH.
#AllowUsers chris cityslang sysadm

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# Both are set to "no" in this file, so PAM is used only for the account and
# session checks. Re-enabling either one re-opens the bypass described above.
UsePAM yes

# Specifies whether login(1) is used for interactive login sessions.
# Note that login(1) is never used for remote command execution.
# Note also, that if this is enabled, X11Forwarding will be disabled
# because login(1) does not know how to handle xauth(1) cookies. If
# UsePrivilegeSeparation is specified, it will be disabled after
# authentication.
# The default is "no".
#UseLogin no


#-----------------------------
# Logging
#-----------------------------

# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
# The default is AUTH.
# Make sure the syslog daemon stores or forwards this facility; these
# messages are the record of who logged in and from where.
SyslogFacility AUTH

# Gives the verbosity level that is used when logging messages from
# sshd(8).
# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
# DEBUG1, DEBUG2 and DEBUG3.
# The default is INFO.
# VERBOSE records more detail about authentication attempts, which helps
# when auditing key use. The DEBUG levels violate the privacy of users and
# are not meant for production.
LogLevel INFO


#-----------------------------
# Behavior
#-----------------------------

# Specifies whether the distribution-specified extra version suffix is included
# during initial protocol handshake.
# The default is "yes".
# "no" hides only the distribution patch level; the OpenSSH version is still
# sent in the identification string, so this is no substitute for patching.
DebianBanner no

# The contents of the specified file are sent to the remote user before
# authentication is allowed.
# By default, no banner is displayed.
# The banner is shown to unauthenticated clients, so it should not reveal
# host or software details.
#Banner /etc/issue.net

# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
# The default is "yes".
PrintMotd no

# Specifies what environment variables sent by the client will be copied
# into the session's environ(7).
# The default is not to accept any environment variables.
# Only locale variables are accepted here. Widen this list with care: some
# environment variables can be used to bypass restricted user environments.
AcceptEnv LANG LC_*

# Configures an external subsystem (e.g. file transfer daemon).
# By default no subsystems are defined.
# Enables SFTP using the external sftp-server binary at this path.
Subsystem sftp /usr/lib/openssh/sftp-server

# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the
# very same IP address.
# The default is "yes".
# With "no", only addresses (not host names) can be used in authorized_keys
# from= restrictions and in Match Host blocks.
UseDNS no

# Specifies whether X11 forwarding is permitted. The argument must be
# "yes" or "no". See sshd_config(5) for further explanation.
# The default is "no".
# Left commented out, so X11 forwarding stays disabled.
#X11Forwarding yes

# Specifies the first display number available for sshd(8)'s X11
# forwarding. This prevents sshd from interfering with real X11 servers.
# The default is 10.
# Only takes effect when X11Forwarding is enabled, which it is not above.
X11DisplayOffset 10

# Specifies whether the system should send TCP keepalive messages to the
# other side. If they are sent, death of the connection or crash of one
# of the machines will be properly noticed.  However, this means
# that connections will die if the route is down temporarily, and some
# people find it annoying. On the other hand, if TCP keepalives are not
# sent, sessions may hang indefinitely on the server, leaving "ghost" users
# and consuming server resources.
#
# The default is "yes" (to send TCP keepalive messages), and the server
# will notice if the network goes down or the client host crashes. This
# avoids infinitely hanging sessions.
#
# TCP keepalives travel outside the encrypted channel and can be spoofed.
# ClientAliveInterval and ClientAliveCountMax perform the liveness check
# inside the encrypted channel.
TCPKeepAlive yes

# Specifies whether sshd(8) should print the date and time of the last
# user login when a user logs in interactively.
# The default is "yes".
# Lets users notice a login they did not make themselves.
PrintLastLog yes


#-----------------------------
# Kerberos options
#-----------------------------
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes


#-----------------------------
# GSSAPI options
#-----------------------------

#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes





