# Package generated configuration file# See the sshd_config(5) manpage for det

1. # Package generated configuration file
2. # See the sshd_config(5) manpage for details
3.  
4. # What ports, IPs and protocols we listen for
5. Port 22
6. # Use these options to restrict which interfaces/protocols sshd will bind to
7. #ListenAddress ::
8. #ListenAddress 0.0.0.0
9. Protocol 2
10. # HostKeys for protocol version 2
11. HostKey /etc/ssh/ssh_host_rsa_key
12.  
13. # https://bettercrypto.org/ 20140809
14. #HostKey /etc/ssh/ssh_host_dsa_key
15. #HostKey /etc/ssh/ssh_host_ecdsa_key
16.  
17. #Privilege Separation is turned on for security
18. UsePrivilegeSeparation yes
19.  
20. # Lifetime and size of ephemeral version 1 server key
21. KeyRegenerationInterval 3600
22. ServerKeyBits 768
23.  
24. # Logging
25. SyslogFacility AUTH
26. LogLevel INFO
27.  
28. # Authentication:
29. LoginGraceTime 120
30. PermitRootLogin yes
31. StrictModes yes
32.  
33. RSAAuthentication yes
34. PubkeyAuthentication yes
35. #AuthorizedKeysFile %h/.ssh/authorized_keys
36.  
37. # Don't read the user's ~/.rhosts and ~/.shosts files
38. IgnoreRhosts yes
39. # For this to work you will also need host keys in /etc/ssh_known_hosts
40. RhostsRSAAuthentication no
41. # similar for protocol version 2
42. HostbasedAuthentication no
43. # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
44. #IgnoreUserKnownHosts yes
45.  
46. # To enable empty passwords, change to yes (NOT RECOMMENDED)
47. PermitEmptyPasswords no
48.  
49. # Change to yes to enable challenge-response passwords (beware issues with
50. # some PAM modules and threads)
51. ChallengeResponseAuthentication no
52.  
53. # Change to no to disable tunnelled clear text passwords
54. #PasswordAuthentication yes
55.  
56. # Kerberos options
57. #KerberosAuthentication no
58. #KerberosGetAFSToken no
59. #KerberosOrLocalPasswd yes
60. #KerberosTicketCleanup yes
61.  
62. # GSSAPI options
63. #GSSAPIAuthentication no
64. #GSSAPICleanupCredentials yes
65.  
66. X11Forwarding yes
67. X11DisplayOffset 10
68. PrintMotd no
69. PrintLastLog yes
70. TCPKeepAlive yes
71. #UseLogin no
72.  
73. #MaxStartups 10:30:60
74. #Banner /etc/issue.net
75.  
76. # Allow client to pass locale environment variables
77. AcceptEnv LANG LC_*
78.  
79. Subsystem sftp /usr/lib/openssh/sftp-server
80.  
81. # Set this to 'yes' to enable PAM authentication, account processing,
82. # and session processing. If this is enabled, PAM authentication will
83. # be allowed through the ChallengeResponseAuthentication and
84. # PasswordAuthentication. Depending on your PAM configuration,
85. # PAM authentication via ChallengeResponseAuthentication may bypass
86. # the setting of "PermitRootLogin without-password".
87. # If you just want the PAM account and session checks to run without
88. # PAM authentication, then enable this but set PasswordAuthentication
89. # and ChallengeResponseAuthentication to 'no'.
90. UsePAM yes
91.  
92. UseDNS no
93.  
94. # https://bettercrypto.org/ 20140809
95. Ciphers aes256-ctr,aes128-ctr
96. MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
97. KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1