# Some options are set even if they are default to document that they are
# important and to prevent upstream changes from affecting them.
-# Copyright (C) 2013 Simon Ruderich
+# Copyright (C) 2013-2014 Simon Ruderich
#
# This file is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# Only use protocol 2. Protocol 1 is insecure. (default)
Protocol 2
-# Use privilege separation for increased security.
-UsePrivilegeSeparation yes
+# Stronger algorithms. See ssh_config for details.
+KexAlgorithms diffie-hellman-group-exchange-sha256
+Ciphers aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
+
+# Use privilege separation for increased security. "sandbox" applies
+# additional restrictions on the unprivileged process.
+UsePrivilegeSeparation sandbox
# Don't use PAM because it may circumvent other authentication methods used
# below (default).
# Allow more sessions per network connection (e.g. from ControlMaster/-M).
# When not enough sessions are available this message is sent by ssh:
# "mux_client_request_session: session request failed: Session open refused by
-# peer". Not necessary on all servers, therefore deactivated here.
-#MaxSessions 30
+# peer".
+MaxSessions 30
# Don't accept any environment variables from the client (default).
AcceptEnv
# Send a message after the given seconds of inactivity through the encrypted
# channel. Used to detect stale connections more quickly. Not necessary on all
-# servers, therefore deactivated here.
+# servers.
#ClientAliveInterval 60
# Disconnect the client if more than max count alive messages were lost
# (default). With the setting above this detects a broken connection after 3
# minutes.
ClientAliveCountMax 3
-# Enable sftp (and sshfs) usage.
+# Enable sftp (and sshfs) usage. internal-sftp also works in chroots.
Subsystem sftp internal-sftp