# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22

# Use only protocol version 2
Protocol 2

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

# Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication
UsePAM yes
StrictModes yes
PermitRootLogin yes
LoginGraceTime 120
MaxStartups 25:30:100

# password authentication via PAM (single sign-on initial case)
PasswordAuthentication yes
PermitEmptyPasswords no

# keyboard-interactive authentication (like password, works with +needchange)
ChallengeResponseAuthentication yes

# kerberos (single sign-on already authenticated case)
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes

# public key authentication with authorized_keys
PubkeyAuthentication yes

# no single sign-on via hosts.equiv; we use kerberos
HostbasedAuthentication no
IgnoreRhosts yes

# no builtin kerberos auth with password, we do the same via pam_krb5
KerberosAuthentication no

# allow X forwarding
X11Forwarding yes
X11DisplayOffset 10

# PAM prints these already
PrintMotd no
PrintLastLog no

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server