@@ -0,0 +1,124 @@

+Include /etc/ssh/sshd_config.d/*.conf

+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

+

+# This is the sshd server system-wide configuration file.  See

+# sshd_config(5) for more information.

+

+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

+

+# The strategy used for options in the default sshd_config shipped with

+# OpenSSH is to specify options with their default value where

+# possible, but leave them commented.  Uncommented options override the

+# default value.

+

+#Port 22

+#AddressFamily any

+#ListenAddress 192.168.1.53

+#ListenAddress ::

+

+#HostKey /etc/ssh/ssh_host_rsa_key

+#HostKey /etc/ssh/ssh_host_ecdsa_key

+#HostKey /etc/ssh/ssh_host_ed25519_key

+

+# Ciphers and keying

+#RekeyLimit default none

+

+# Logging

+#SyslogFacility AUTH

+#LogLevel INFO

+

+# Authentication:

+

+#LoginGraceTime 2m

+PermitRootLogin no

+#DenyUsers dans /etc/ssh/sshd_config.d/DenyAllow.conf

+#AllowUsers dans /etc/ssh/sshd_config.d/DenyAllow.conf

+StrictModes yes

+#MaxAuthTries 6

+#MaxSessions 10

+

+PubkeyAuthentication yes

+

+# Expect .ssh/authorized_keys2 to be disregarded by default in future.

+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

+

+#AuthorizedPrincipalsFile none

+

+#AuthorizedKeysCommand none

+#AuthorizedKeysCommandUser nobody

+

+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

+#HostbasedAuthentication no

+# Change to yes if you don't trust ~/.ssh/known_hosts for

+# HostbasedAuthentication

+#IgnoreUserKnownHosts no

+# Don't read the user's ~/.rhosts and ~/.shosts files

+IgnoreRhosts yes

+

+# To disable tunneled clear text passwords, change to no here!

+PasswordAuthentication no

+PermitEmptyPasswords no

+

+# Change to yes to enable challenge-response passwords (beware issues with

+# some PAM modules and threads)

+ChallengeResponseAuthentication no

+

+# Kerberos options

+#KerberosAuthentication no

+#KerberosOrLocalPasswd yes

+#KerberosTicketCleanup yes

+#KerberosGetAFSToken no

+

+# GSSAPI options

+#GSSAPIAuthentication no

+#GSSAPICleanupCredentials yes

+#GSSAPIStrictAcceptorCheck yes

+#GSSAPIKeyExchange no

+

+# Set this to 'yes' to enable PAM authentication, account processing,

+# and session processing. If this is enabled, PAM authentication will

+# be allowed through the ChallengeResponseAuthentication and

+# PasswordAuthentication.  Depending on your PAM configuration,

+# PAM authentication via ChallengeResponseAuthentication may bypass

+# the setting of "PermitRootLogin without-password".

+# If you just want the PAM account and session checks to run without

+# PAM authentication, then enable this but set PasswordAuthentication

+# and ChallengeResponseAuthentication to 'no'.

+UsePAM yes

+

+#AllowAgentForwarding yes

+#AllowTcpForwarding yes

+#GatewayPorts no

+X11Forwarding yes

+#X11DisplayOffset 10

+#X11UseLocalhost yes

+#PermitTTY yes

+PrintMotd no

+#PrintLastLog yes

+#TCPKeepAlive yes

+#PermitUserEnvironment no

+#Compression delayed

+#ClientAliveInterval 0

+#ClientAliveCountMax 3

+#UseDNS no

+#PidFile /var/run/sshd.pid

+#MaxStartups 10:30:100

+#PermitTunnel no

+#ChrootDirectory none

+#VersionAddendum none

+

+# no default banner path

+#Banner none

+

+# Allow client to pass locale environment variables

+AcceptEnv LANG LC_*

+

+# override default of no subsystems

+Subsystem	sftp	/usr/lib/openssh/sftp-server

+

+# Example of overriding settings on a per-user basis

+#Match User anoncvs

+#	X11Forwarding no

+#	AllowTcpForwarding no

+#	PermitTTY no

+#	ForceCommand cvs server