#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Listening port.  Moving it off 22 adds no real security; keep it in step
# with any management ACL / firewall rule that references the SSH port.
Port 22

# Authentication attempts allowed per connection (OpenSSH default is 6).
# Once failures reach half this value sshd raises the log level of the
# remaining failures.  This limits guessing per connection only, not across
# many connections.
MaxAuthTries 3

# NOTE(review): AllowUsers is written here with no patterns.  sshd accepts
# the empty line, but an empty allow-list imposes NO user restriction at
# all, so this is only an allow-list once something fills it in.  Presumably
# the SAOS CLI writes the user list here before sshd starts -- confirm that
# it always does (or drops the line) rather than leaving it blank.
AllowUsers 

# Only protocol 2 is negotiated.  The protocol-1 directives below
# (ssh_host_key, KeyRegenerationInterval, ServerKeyBits) are therefore inert.
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1 (unused while Protocol is 2)
#HostKey /flash0/ssh/ssh_host_key
# HostKeys for protocol version 2.  Only an RSA host key is loaded, so every
# client authenticates the device with ssh-rsa; there is no ed25519/ECDSA
# host key to offer.  The private key lives on /flash0 and should be
# readable by root only -- its exposure lets an attacker impersonate the
# device to every client that has pinned it.
HostKey /flash0/ssh/ssh_host_rsa_key
#HostKey /flash0/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key (inert with Protocol 2)
#KeyRegenerationInterval 1h
#ServerKeyBits 768

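# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
# Authentication results ("Accepted ...", "Failed ...", "Invalid user ...")
# are emitted by sshd at INFO.  This used to be "LogLevel error", with the
# stated intent of capturing connection attempts in the security log, but
# ERROR is *less* verbose than the OpenSSH default and suppresses exactly
# those messages -- only hard failures were being written.  INFO is the
# OpenSSH default and the minimum level that records who attempted to log
# in, from where, and whether it succeeded; VERBOSE would additionally log
# the public-key fingerprint offered on each attempt.  If the security-log
# sink filters by severity it must admit INFO for this to be useful.
LogLevel INFO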

# Authentication:

# Time an unauthenticated connection may stay open before sshd drops it.
# User configurable via the SAOS CLI
LoginGraceTime 2m
# NOTE(review): StrictModes no disables sshd's check that the per-user key
# file named in AuthorizedKeysFile below, and the directory holding it, are
# owned by the user/root and not writable by others.  With the check off, a
# file under /flash0/ssh/users that another local user can write lets that
# user plant a key for the victim account.  Presumably this is off because
# /flash0 cannot express POSIX ownership/mode bits -- confirm; if the
# filesystem does support them, set this back to yes.
StrictModes no

#  Changed to no for enhanced security.  With "no", root is refused for
#  every authentication method, PAM included.
PermitRootLogin no

#RSAAuthentication yes
#PubkeyAuthentication yes
# One key file per user, %u expanded to the login name.  These are the files
# StrictModes would otherwise validate (see above); keep the directory and
# each file writable by root only.
AuthorizedKeysFile      /flash0/ssh/users/%u.pub

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# Left at the default (yes): password logins are accepted alongside public
# keys.  MaxAuthTries bounds guesses per connection only; protection across
# connections has to come from the platform's lockout / rate limiting.
#PasswordAuthentication yes

# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
# Left at the default (no); do not enable.
#PermitEmptyPasswords no

# Change to no to disable s/key passwords.  Left at the default (yes); this
# is also the path PAM keyboard-interactive authentication uses (see UsePAM).
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
# Note that with UsePAM yes the effective password/lockout policy is the
# PAM stack's, not this file's -- review both together.
UsePAM yes

#GatewayPorts no
# X11 forwarding left at the default (no); this is a network device with no
# X11 use case.
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes

#############################################################################
# These were added for JITC functionality
# By default TCP Keepalive is on.  These are unencrypted TCP-level probes;
# they detect a dead peer but are spoofable, unlike the ClientAlive
# messages below which travel inside the encrypted channel.
TCPKeepAlive yes

# Specifies the maximum amount of data that may be transmitted before the
# session key is renegotiated. The default is 1G or 4G depending upon
# the cipher.  The optional second value is a time limit after which the
# session key is renegotiated regardless of data volume; "none" disables
# the time-based limit.  Both values here are the OpenSSH defaults.
RekeyLimit default none

# Sets a timeout interval in seconds after which if no data has been
# received from the client, sshd will send a message to request a response.
# The openSSH default is 0, i.e. sshd never probes the client and an idle
# session is never torn down by sshd itself.
ClientAliveInterval 0

# Sets the number of client alive messages which may be sent without the
# sshd receiving any messages back from the client.  If threshold is reached
# sshd will disconnect the client, terminating the session.  The openSSH
# default is 3.
# The setting of 0 with a ClientAliveInterval of 60, the SSH session will be
# terminated with no keep alive message being sent.
# NOTE(review): that description matches older OpenSSH; in newer releases
# (8.2 and later) a count of 0 instead disables disconnection entirely.
# With ClientAliveInterval 0 the mechanism is off either way, so any idle
# session timeout must be enforced elsewhere (e.g. the CLI's own idle
# timer) -- confirm that one exists.
ClientAliveCountMax 0

# Specifies whether TCP forwarding is permitted.  The available
# options are ``yes'' or ``all'' to allow TCP forwarding, ``no'' to
# prevent all TCP forwarding, ``local'' to allow local (from the
# perspective of ssh(1)) forwarding only or ``remote'' to allow
# remote forwarding only.  The default is ``yes''.  JITC mode
# will set this to no.
# With ``yes'' any authenticated SSH user can use the device as a pivot
# into every network it can reach, independent of the CLI's restrictions;
# ``no'' is the safer default for a management-only SSH service.
AllowTcpForwarding yes

# Specifies the available KEX (Key Exchange) algorithms.
# Multiple algorithms must be comma-separated.
# NOTE(review): the commented list below includes diffie-hellman-group1-sha1
# (1024-bit MODP, weak) and diffie-hellman-group-exchange-sha1.  Leaving the
# line commented means the compiled-in default list applies; uncommenting
# it as written would re-enable those weak methods on builds that have
# dropped them.  Prefer curve25519-sha256@libssh.org, ecdh-sha2-nistp*,
# diffie-hellman-group-exchange-sha256 if the list is ever enabled.
#KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

# Specifies the ciphers allowed for protocol version 2.  Multiple
# ciphers must be comma-separated.
# The default is to support all including the CBC ciphers.
# JITC requires that CBC ciphers not be supported so they are
# removed while in JITC mode.  This is what is supported in JITC mode
# These ciphers require openSSH to be built with this OPENSSL_HAVE_EVPGCM - we currently don't do this
# so these are not included in the JITC default
# aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
# NOTE(review): the JITC list still carries arcfour, arcfour128 and
# arcfour256 (RC4), which OpenSSH removed from its defaults years ago and
# which is not an approved algorithm in FIPS/DoD profiles -- confirm it was
# really part of the validated set before this list is enabled anywhere.
#Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,arcfour

# Specifies the MACs allowed for protocol version 2.  Multiple
# macs must be comma-separated.
# The default is to support all, including the MD5 and 96-bit MACs.
# JITC requires that MD5 96-bit algorithms not be supported so they are
# removed while in JITC mode.  This is what is supported in JITC mode
#MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

# Specifies the key types that will be accepted for public key
# authentication as a comma-separated pattern list.
# NOTE(review): ssh-dss (1024-bit DSA only) is in the commented list; it
# has been disabled by default since OpenSSH 7.0 and should not be
# re-enabled.  While commented, the compiled-in default applies.
#PubkeyAcceptedKeyTypes ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521


# Specifies the maximum number of open sessions permitted per
# network connection.  The default is 10.  JITC mode requires
# that only (1) session be supported.
MaxSessions 10

#############################################################################

#UseLogin no
# Privilege separation is left at its default (yes); keep it so -- it is
# the main containment for pre-authentication bugs in sshd.
#UsePrivilegeSeparation yes
# Left at the default (no): users cannot set environment variables via
# authorized_keys / ~/.ssh/environment, which could otherwise influence
# the subsystems below.
#PermitUserEnvironment no
#Compression delayed

# No reverse-DNS lookup of the client: avoids a stall on an unreachable
# resolver and means any "from=" restriction in a key file must use
# addresses, not hostnames.
#UseDNS yes
UseDNS no

PidFile /var/run/sshd.pid
# Left at the default.  MaxStartups caps concurrent unauthenticated
# connections; on a device with LoginGraceTime 2m a larger "start:rate:full"
# form (e.g. 10:30:100) degrades more gracefully under a connection flood.
#MaxStartups 10
#PermitTunnel no

# default banner path.  The banner is sent before authentication, so it
# must not disclose software versions or internal details.
Banner /etc/issue.ssh

# override default of no subsystems
# JE-47616: "-l INFO" logs sftp transfer activity (among other things)
# Both subsystems run as the authenticated user with that user's filesystem
# rights; the sftp server in particular gives any SSH user raw file access
# outside the CLI, so it is only as safe as the account/filesystem model.
Subsystem	sftp	/usr/libexec/sftp-server -l INFO
Subsystem	netconf	/usr/sbin/netconf-subsystem-pro

# adding two factor authentication
# NOTE(review): as written, "Match User" has no pattern and would be a
# fatal configuration error if simply uncommented -- a user name or
# pattern list must follow it.  The Match block must stay at the end of the
# file, since every directive after it is scoped to the match.
# AuthenticationMethods requires public key plus either keyboard-interactive
# (PAM, via ChallengeResponseAuthentication) or a password; all three
# methods are enabled by the defaults/UsePAM above.
#Match User
#AuthenticationMethods publickey,keyboard-interactive publickey,password

