1 # SSH daemon configuration file.
3 # Some options are set even if they are default to document that they are
4 # important and to prevent upstream changes from affecting them.
6 # Copyright (C) 2013 Simon Ruderich
8 # This file is free software: you can redistribute it and/or modify
9 # it under the terms of the GNU General Public License as published by
10 # the Free Software Foundation, either version 3 of the License, or
11 # (at your option) any later version.
13 # This file is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with this file. If not, see <http://www.gnu.org/licenses/>.
22 # Listen on port 22 (default).
25 # Only use protocol 2. Protocol 1 is insecure. (default)
28 # Use privilege separation for increased security.
29 UsePrivilegeSeparation yes
31 # Don't use PAM because it may circumvent other authentication methods used
34 # Disable authentication methods I don't use.
35 ChallengeResponseAuthentication no
36 GSSAPIAuthentication no
37 HostbasedAuthentication no
38 KerberosAuthentication no
39 PasswordAuthentication no
40 # Only enable those I need.
41 PubkeyAuthentication yes
43 # Don't allow empty passwords (default).
44 PermitEmptyPasswords no
45 # Allow root-login only with public keys.
46 PermitRootLogin without-password
48 # Be strict when checking user file permissions (default).
51 # Allow more sessions per network connection (e.g. from ControlMaster/-M).
52 # When not enough sessions are available this message is sent by ssh:
53 # "mux_client_request_session: session request failed: Session open refused by
54 # peer". Not necessary on all servers, therefore deactivated here.
57 # Don't accept any environment variables from the client (default).
59 # Don't use ~/.ssh/environment and environment= options in
60 # ~/.ssh/authorized_keys because LD_PRELOAD could be used to circumvent
61 # authentications (default).
62 PermitUserEnvironment no
64 # Send a message after the given seconds of inactivity through the encrypted
65 # channel. Used to detect stale connections more quickly. Not necessary on all
66 # servers, therefore deactivated here.
67 #ClientAliveInterval 60
68 # Disconnect the client if more than max count alive messages were lost
69 # (default). With the setting above this detects a broken connection after 3
73 # Enable sftp (and sshfs) usage.
74 Subsystem sftp internal-sftp
77 # Only allow logins for certain users.