X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=sshd_config;h=dbb774eb7151bf57580af68076a1764488be0bbf;hb=b7a761aa3677916ec29d53e5807aa0c5df91b03e;hp=8c73565cca2d7bf06b768e98619524f0c83061e4;hpb=6c216327e1dd81d3adfa60f278b4deebeb55f5b0;p=config%2Fdotfiles.git
diff --git a/sshd_config b/sshd_config
index 8c73565..dbb774e 100644
--- a/sshd_config
+++ b/sshd_config
@@ -3,7 +3,7 @@
 # Some options are set even if they are default to document that they are
 # important and to prevent upstream changes from affecting them.
 
-# Copyright (C) 2013 Simon Ruderich
+# Copyright (C) 2013-2014 Simon Ruderich
 #
 # This file is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -25,8 +25,9 @@ Port 22
 # Only use protocol 2. Protocol 1 is insecure. (default)
 Protocol 2
 
-# Use privilege separation for increased security.
-UsePrivilegeSeparation yes
+# Use privilege separation for increased security. "sandbox" applies
+# additional restrictions on the unprivileged process.
+UsePrivilegeSeparation sandbox
 
 # Don't use PAM because it may circumvent other authentication methods used
 # below (default).
@@ -51,8 +52,8 @@ StrictModes yes
 # Allow more sessions per network connection (e.g. from ControlMaster/-M).
 # When not enough sessions are available this message is sent by ssh:
 # "mux_client_request_session: session request failed: Session open refused by
-# peer". Not necessary on all servers, therefore deactivated here.
-#MaxSessions 30
+# peer".
+MaxSessions 30
 
 # Don't accept any environment variables from the client (default).
 AcceptEnv 
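Review bot: The new `UsePrivilegeSeparation sandbox` line documents what the mode does but not that the value is only accepted by OpenSSH 5.9 and later; an older sshd rejects it as an unknown value and fails to start, which matters for a file this commit's own comments describe as shared across servers. Add `# Requires OpenSSH 5.9 or later; older versions reject "sandbox".` to the comment above it. I believe sandbox became the default in later releases, in which case the file's "(default)" marker convention applies and it is worth saying the line is kept to pin the setting rather than as a hardening delta. Running `sshd -t` before restarting catches the rejected value without dropping the existing session.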
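Review bot: `MaxSessions 30` now deviates from the default of 10, but unlike the other non-default settings in this file the comment above it does not state what it overrides, which the header says is the point of spelling options out. Add `# Default is 10.` to the comment. MaxSessions only caps sessions per authenticated connection; the number of concurrent unauthenticated connections is governed by MaxStartups, which none of the visible hunks touch.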
@@ -63,14 +64,14 @@ PermitUserEnvironment no
 # Send a message after the given seconds of inactivity through the encrypted
 # channel. Used to detect stale connections more quickly. Not necessary on all
-# servers, therefore deactivated here.
+# servers.
 #ClientAliveInterval 60
 
 # Disconnect the client if more than max count alive messages were lost
 # (default). With the setting above this detects a broken connection after 3
 # minutes.
 ClientAliveCountMax 3
 
-# Enable sftp (and sshfs) usage.
+# Enable sftp (and sshfs) usage. internal-sftp also works in chroots.
 Subsystem sftp internal-sftp
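Review bot: The ClientAliveCountMax comment, `With the setting above this detects a broken connection after 3 minutes`, does not hold because `#ClientAliveInterval 60` stays commented out in this hunk: with the default interval of 0 sshd sends no alive messages and ClientAliveCountMax has no effect. Either uncomment the interval or reword the comment, e.g. `# (default). Only effective when ClientAliveInterval is set; with the default of 0 no alive messages are sent.` The hunk header counts 14 lines per side but fewer are visible here, so its trailing context may extend beyond this text.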