sshd_config.exec-sortorder

#
# File: sshd_config
#
# Edition: sshd(8) v7.9 compiled-default
#
# Sort Order: Program Execution
#
# Description: OpenSSH server daemon configuration file
#
# The possible keywords and their meanings are as
# follows (note that keywords are case-insensitive and
# arguments are case-sensitive):

# Item Template:
# Channel type: all, kex (pre-channel), auth (pre-channel),
#               exec, shell, subsystem, pty-req, x11-req,
#               auth-agent-req, env
# CLI option: -d
# Process context: monitor (client), server_loop2, main (server)
# SSH service: ssh-userauth (SSH2_MSG_USERAUTH_REQUEST)
# XXXXXX defaults to XXXXXX.

# state actions
# 0. SSH version exchange
# 1. SSH2_MSG_KEXINIT
#      SSH2_MSG_KEX_ECDH_INIT
#      SSH2_MSG_NEWKEYS
#      SSH2_MSG_EXT_INFO
# 2. SSH2_MSG_CHANNEL_OPEN
# 3. SSH2_MSG_CHANNEL_REQUEST
# 3. SSH2_MSG_GLOBAL_REQUEST  (request_pty)
# x. SSH2_MSG_CHANNEL_DATA
# x. SSH2_MSG_CHANNEL_EXTENDED_DATA
#
# Abstraction Layers
# * Transport
#   ** SSHFP DNS record
# * User Authentication
# * Channel/Connection Layer

########################################################
# Daemon-related
########################################################
# LogLevel gives the verbosity level that is used when
# logging messages from sshd(8).  The possible values
# are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
# DEBUG1, DEBUG2, and DEBUG3.
# DEBUG and DEBUG1 are equivalent.
# DEBUG2 and DEBUG3 each specify higher levels of
# debugging output.  Logging with a DEBUG level
# violates the privacy of users and is not recommended.
# Channel type: all
# CLI option: -d
# CLI option: -q
# CLI option: -o
# Process Context: main, server_loop2
# options.log_level
# LogLevel defaults to INFO.
LogLevel VERBOSE

# SyslogFacility gives the facility code that is used
# when logging messages from sshd(8).  The possible
# values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1,
# LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
#
# Channel type: all
# CLI option: -o
# Process Context: main, server_loop2
# options.log_facility
# SyslogFacility defaults to AUTH.
SyslogFacility AUTH

# Port specifies the port number that sshd(8) listens on.
# Multiple options of this type are permitted.
# Port keyword must be before ListenAddress.
#
# CLI option: -o
# CLI option: -p
# Process context: main
# options.num_ports
# options.ports[]/add_one_listen_addr()/add_listen_addr()
# options.ports_from_cmdline
# Port defaults to 22.
Port 2222

# ListenAddress specifies the local addresses sshd(8)
# should listen on.  The following forms may be used:
#
#     ListenAddress hostname|address [rdomain domain]
#     ListenAddress hostname:port [rdomain domain]
#     ListenAddress IPv4_address:port [rdomain domain]
#     ListenAddress [hostname|address]:port [rdomain domain]
#
# The optional rdomain qualifier requests sshd(8)
# listen in an explicit routing domain.  If port is not
# specified, sshd will listen on the address and all
# Port options specified.
# Multiple ListenAddress options are permitted.
# Port prefix in ListenAddress overrides Port keyword.
#
# CLI option: -o
# Process context: main
# options.num_listen_addrs[]
# options.listen_addrs[]/server_listen()/main()/sshd.c
# The default is to listen on all local addresses on
# the current default routing domain.
ListenAddress 0.0.0.0:2222
ListenAddress [::]:2222

# PidFile specifies the file that contains the process
# ID of the SSH daemon, or none to not write one.
# Valid PidFile values are 'none' or a valid filespec.
#
# CLI option: -o
# Process context: main
# options.pid_file/pidfile()
# PidFile default is /run/sshd.pid.
PidFile /run/sshd.pid

# MaxStartups specifies the maximum number of concurrent
# unauthenticated connections to the SSH daemon.
# Additional connections will be dropped until
# authentication succeeds or the LoginGraceTime expires
# for a connection.  The default is 10:30:100.
#
# Alternatively, random early drop can be enabled by
# specifying the three colon separated values
# start:rate:full (e.g. "10:30:60").  sshd(8) will
# refuse connection attempts with a probability of
# rate/100 (30%) if there are currently start (10)
# unauthenticated connections.  The probability
# increases linearly and all connection attempts are
# refused if the number of unauthenticated connections
# reaches full (60).
#
# CLI option: -o
# Process context: main()/server
# options.max_startups/server_accept_loop()/main()
# MaxStartups defaults to 10:30:100.
MaxStartups 10:30:100

# AddressFamily specifies which address family should
# be used by sshd(8).
# Valid arguments are any, inet (use IPv4 only), or
# inet6 (use IPv6 only).
#
# CLI option: -4
# CLI option: -6
# CLI option: -o
# Process context: main()/server
# options.address_family/channel_set_af()/main()
# AddressFamily defaults to any.
AddressFamily any

# TCPKeepAlive specifies whether the system should send
# TCP keepalive messages to the other side.  If they
# are sent, death of the connection or crash of one of
# the machines will be properly noticed.  However,
# this means that connections will die if the route is
# down temporarily, and some people find it annoying.
# On the other hand, if TCP keepalives are not sent,
# sessions may hang indefinitely on the server,
# leaving "ghost" users and consuming server resources.
#
# This option was formerly called KeepAlive.
# To disable TCP keepalive messages, the value should
# be set to no.
#
# CLI option: -o
# Process context: main
# options.tcp_keep_alive/main()
# The default is yes (to send TCP keepalive messages),
# and the server will notice if the network goes down
# or the client host crashes.  This avoids infinitely
# hanging sessions.
TcpKeepAlive no

# RDomain specifies an explicit routing domain that is
# applied after authentication has completed.  The
# user session, as well and any forwarded or listening
# IP sockets, will be bound to this rdomain(4).  If
# the routing domain is set to %D, then the domain in
# which the incoming connection was received will be
# applied.
# RDomain accepts the token %D, 'none', or a valid domain.
#
# CLI option: -o
# Process context: main
# options.routing_domain/main()
# RDOmain defaults to 'none'.
RDomain none

# IP Network-based connection made at this point

# LoginGraceTime disconnects after this time if the
# user has not successfully logged into the server.
# If the value is 0, there is no time limit.
#
# Channel type: version (pre-channel)
# CLI option: -g
# CLI option: -o
# Process context: main
# options.login_grace_time/main()
# LoginGraceTime defaults to 120 seconds.
LoginGraceTime 35

# VersionAddendum optionally specifies additional text
# to append to the SSH protocol banner sent by the
# server upon connection.
#
# Channel type: version (pre-channel)
# CLI option: -o
# Process context: main
# options.version_addendum/main()
# VersionAddendum defaults to 'none'.
VersionAddendum none

# DebianBanner specifies whether the distribution-
# specified extra version suffix is included during
# initial protocol handshake.  The default is yes.
#
# Channel type: version (pre-channel)
# Process context: main
# DebianBanner no

# KexAlgorithms specifies the available KEX (Key
# Exchange) algorithms.  Multiple algorithms must be
# comma-separated.  Alternately if the specified value
# begins with a ‘+’ character, then the specified
# methods will be appended to the default set instead
# of replacing them.  If the specified value begins
# with a ‘-’ character, then the specified methods
# (including wildcards) will be removed from the
# default set instead of replacing them.  The
# supported algorithms are:
#
#     curve25519-sha256
#     curve25519-sha256@libssh.org
#     diffie-hellman-group1-sha1
#     diffie-hellman-group14-sha1
#     diffie-hellman-group14-sha256
#     diffie-hellman-group16-sha512
#     diffie-hellman-group18-sha512
#     diffie-hellman-group-exchange-sha1
#     diffie-hellman-group-exchange-sha256
#     ecdh-sha2-nistp256
#     ecdh-sha2-nistp384
#     ecdh-sha2-nistp521
#
# The list of available key exchange algorithms may
# also be obtained using "ssh -Q kex".
#
# Need to execute the following commands for a safer KexAlgorithms
#
#     SSH_MODULI_BITS=4096
#     ssh-keygen -G moduli-${SSH_MODULI_BITS}.candidates -b ${SSH_MODULI_BITS}
#     ssh-keygen -T moduli.safe \
#                -f moduli-${SSH_MODULI_BITS}.candidates \
#                -b ${SSH_MODULI_BITS}
#     awk '$5 > 3071' moduli-${SSH_MODULI_BITS}.candidates \
#                 > moduli-${SSH_MODULI_BITS}
#     cp moduli-${SSH_MODULI_BITS} /etc/ssh/moduli
#
# Channel type: kex (pre-channel)
# CLI option: -o
# Process context: main
# options.kex_algorithms/do_ssh2_kex()
# The default is:
#     curve25519-sha256,curve25519-sha256@libssh.org,
#     ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
#     diffie-hellman-group-exchange-sha256,
#     diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
#     diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256

# Ciphers specifies the ciphers allowed.  Multiple
# ciphers must be comma-separated.  If the specified
# value begins with a ‘+’ character, then the
# specified ciphers will be appended to the default
# set instead of replacing them.  If the specified
# value begins with a ‘-’ character, then the
# specified ciphers (including wildcards) will be
# removed from the default set instead of replacing
# them.
#
# The supported ciphers are:
#
#     3des-cbc
#     aes128-cbc
#     aes192-cbc
#     aes256-cbc
#     aes128-ctr
#     aes192-ctr
#     aes256-ctr
#     aes128-gcm@openssh.com
#     aes256-gcm@openssh.com
#     chacha20-poly1305@openssh.com
#
# The list of available ciphers may also be obtained
# using "ssh -Q cipher".
#
# Channel type: kex (pre-channel)
# CLI option: -o
# Process context: main
# options.ciphers/do_ssh2_kex()
# The default is:
#     chacha20-poly1305@openssh.com,
#     aes128-ctr,aes192-ctr,aes256-ctr,
#     aes128-gcm@openssh.com,aes256-gcm@openssh.com
#
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com

# MACs specifies the available MAC (message
# authentication code) algorithms.  The MAC algorithm
# is used for data integrity protection.  Multiple
# algorithms must be comma-separated.  If the
# specified value begins with a ‘+’ character, then
# the specified algorithms will be appended to the
# default set instead of replacing them.  If the
# specified value begins with a ‘-’ character, then
# the specified algorithms (including wildcards) will
# be removed from the default set instead of replacing
# them.
#
# The algorithms that contain "-etm" calculate the MAC
# after encryption (encrypt-then-mac).  These are
# considered safer and their use recommended.  The
# supported MACs are:
#
#     hmac-md5
#     hmac-md5-96
#     hmac-sha1
#     hmac-sha1-96
#     hmac-sha2-256
#     hmac-sha2-512
#     umac-64@openssh.com
#     umac-128@openssh.com
#     hmac-md5-etm@openssh.com
#     hmac-md5-96-etm@openssh.com
#     hmac-sha1-etm@openssh.com
#     hmac-sha1-96-etm@openssh.com
#     hmac-sha2-256-etm@openssh.com
#     hmac-sha2-512-etm@openssh.com
#     umac-64-etm@openssh.com
#     umac-128-etm@openssh.com
#
# The list of available MAC algorithms may also be
# obtained using "ssh -Q mac".
#
# Channel type: kex (pre-channel)
# CLI option: -o
# Process context: main
# options.macs/do_ssh2_kex()/main()
# The default is:
#    umac-64-etm@openssh.com,umac-128-etm@openssh.com,
#    hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
#    hmac-sha1-etm@openssh.com,
#    umac-64@openssh.com,umac-128@openssh.com,
#    hmac-sha2-256,hmac-sha2-512,hmac-sha1
#
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Compression specifies whether compression is enabled
# after the user has authenticated successfully.  The
# argument must be yes, delayed (a legacy synonym for
# yes) or no.
#
# Channel type: kex (pre-channel)
# CLI option: -o
# Process context: main
# options.compression/do_ssh2_kex()/main()
# Compression defaults to yes.
Compression no

# RekeyLimit specifies the maximum amount of data that
# may be transmitted before the session key is
# renegotiated, optionally followed a maximum amount
# of time that may pass before the session key is
# renegotiated.
#
# The first argument is specified in bytes and may
# have a suffix of ‘K’, ‘M’, or ‘G’ to indicate
# Kilobytes, Megabytes, or Gigabytes, respectively.
# The default is between ‘1G’ and ‘4G’, depending on
# the cipher.
# The optional second value is specified in seconds
# and may use any of the units documented in the
# TIME FORMATS section.
#
# Channel type: kex (pre-channel)
# CLI option: -o
# Process context: main
# options.rekey_limit/do_ssh2_kex()/main()
# options.rekey_interval/do_ssh2_kex()/main()
# RekeyLimit defaults to 'none'.
# which means that rekeying is performed after the
# cipher's default amount of data has been sent or
# received and no time based rekeying is done.
RekeyLimit 0 0

# HostKey specifies a file containing a private host
# key used by SSH.
# NOTE: sshd(8) will refuse to use a file if it is
# group/world-accessible and that the
# HostKeyAlgorithms option restricts which of the keys
# are actually used by sshd(8).
#
# It is possible to have multiple host key files.  It
# is also possible to specify public host key files
# instead.  In this case operations on the private key
# will be delegated to an ssh-agent(1).
#
# Channel type: kex (pre-channel)
# CLI option: -h
# CLI option: -o
# Process context: main
# options.host_key_files_userprovided[]/list_hostkey_types()/do_ssh2_kex()
# options.num_host_key_files/list_hostkey_types()/do_ssh2_kex()
# options.host_key_files[]/list_hostkey_types()/do_ssh2_kex()
# HostKey defaults to
#     /etc/ssh/ssh_host_ecdsa_key,
#     /etc/ssh/ssh_host_ed25519_key and
#     /etc/ssh/ssh_host_rsa_key.
HostKey /etc/ssh/ssh_host_ed25519_key

# HostKeyAlgorithms specifies the host key algorithms
# that the server offers.
# The list of available key types may also be obtained
# using "ssh -Q key".
#
# Channel type: kex (pre-channel)
# CLI option: -o
# options.hostkeyalgorithms/append_hostkey_type()/list_hostkey_types()/do_ssh2_kex()
# HostKeyAlgorithms defaults to:
#     ecdsa-sha2-nistp256-cert-v01@openssh.com,
#     ecdsa-sha2-nistp384-cert-v01@openssh.com,
#     ecdsa-sha2-nistp521-cert-v01@openssh.com,
#     ssh-ed25519-cert-v01@openssh.com,
#     rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
#     ssh-rsa-cert-v01@openssh.com,
#     ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
#     ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

# HostCertificate specifies a file containing a public
# host certificate.  The certificate's public key must
# match a private host key already specified by
# HostKey.
# Channel type: kex (pre-channel)
# CLI option: -c
# CLI option: -o
# Process context: main
# options.num_host_cert_files/servconf_add_hostcert()
# options.host_cert_files/servconf_add_hostcert()
# HostCertificate defaults to 'none'.
HostCertificate none

# SecurityKeyProvider
# Also SSH_SK_PROVIDER environment name can be used
# to supply an external algorithm.
# Valid values to SecurityKeyProvider are 'none' or
# a valid filespec.
#
# CLI option: -o
# Process Context: monitor (client), server_loop2
# options.sk_provider/sshd_hostkey_sign()
# options.sk_provider/mm_answer_sign()
# SecurityKeyProvider defaults to 'internal'.
SecurityKeyProvider internal

# UseDNS specifies whether sshd(8) should look up the
# remote host name, and to check that the resolved
# host name for the remote IP address maps back to
# the very same IP address.
# You would only use UseDNS if you own the DNS
# network and/or have DNSSEC.
#
# Channel type: kex (pre-channel)
# CLI option: -o
# CLI option: -C
# options.use_dns/getpwamallow()
# options.use_dns/auth_get_canonical_hostname()/get_connection_info()
# If this option is set to no (the default) then only
# addresses and not host names may be used in
# ~/.ssh/authorized_keys from and sshd_config Match
# Host directives.
UseDns no

# UsePAM enables the Pluggable Authentication Module
# interface.  If set to yes this will enable PAM
# authentication using ChallengeResponseAuthentication
# and PasswordAuthentication in addition to PAM account
# and session module processing for all authentication
# types.
#
# Because PAM challenge-response authentication usually
# serves an equivalent role to password authentication,
# you should disable either PasswordAuthentication or
# ChallengeResponseAuthentication.
#
# If UsePAM is enabled, you will not be able to run
# sshd(8) as a non-root user.
#
# NOTE: Debian openssh-server package sets UsePAM
# option to 'yes' as standard in
# /etc/ssh/sshd_config which are not the default in
# sshd(8):
#
# CLI option: -h, -o
# options.use_pam/allowed_user()
# options.use_pam/input_userauth_request()/input_service_request()/ssh_dispatch_set(SSH2_MSG_SERVICE_REQUEST)/do_authentication2()/main()
# options.use_pam/userauth_finish()//input_userauth_request()/ssh_dispatch_set(SSH2_MSG_USERAUTH_REQUEST)/input_service_reuqest()/ssh_dispatch_set(SSH2_MSG_SERVICE_REQUEST)/do_authentication2()/main()
# UsePAM defaults to no.
UsePAM no

# ChrootDirectory specifies the pathname of a
# directory to chroot(2) to after authentication.
# At session startup sshd(8) checks that all
# components of the pathname are root-owned
# directories which are not writable by any other user
# or group.  After the chroot, sshd(8) changes the
# working directory to the user's home directory.
# Arguments to ChrootDirectory accept the tokens
# described in the TOKENS section.
#
# The ChrootDirectory must contain the necessary files
# and directories to support the user's session.  For
# an interactive session this requires at least a shell,
# typically sh(1), and basic /dev nodes such as
# null(4), zero(4), stdin(4), stdout(4), stderr(4),
# and tty(4) devices.  For file transfer sessions
# using SFTP no additional configuration of the
# environment is necessary if the inprocess
# sftp-server is used, though sessions which use
# logging may require /dev/log inside the chroot
# directory on some operating systems (see
# sftp-server(8) for details).
#
# For safety, it is very important that the directory
# hierarchy be prevented from modification by other
# processes on the system (especially those outside the
# jail).  Misconfiguration can lead to unsafe
# environments which sshd(8) cannot detect.
#
# ChrootDirectory accepts the tokens %%, %h, %U, and %u.
# ChrootDirectory none   # that doesn't work @ 7.9p1, so commenting out ChrootDirectory: error: Missing privilege separation directory: /var/empty
# ChrootDirectory        # missing filenam @ 7.9p1
#
# Channel type: TODO ChrootDirectory channel-type
# CLI option: -o
# Process context: main
# options.chroot_directory
# ChrootDirectory defaults to none, indicating not to chroot(2).


# DenyUsers keyword can be followed by a list of user
# name patterns, separated by spaces.  Login is
# disallowed for user names that match one of the
# patterns.  Only user names are valid; a numerical
# user ID is not recognized.  By default, login is
# allowed for all users.  If the pattern takes the
# form USER@HOST then USER and HOST are separately
# checked, restricting logins to particular users from
# particular hosts.  HOST criteria may additionally
# contain addresses to match in CIDR address/masklen
# format.  The allow/deny directives are processed in
# the following order: DenyUsers, AllowUsers,
# DenyGroups, and finally AllowGroups.
#
# CLI option: -o
# options.deny_users[]/allowed_user()
# DenyUsers default is not to use its keyword.
DenyUsers root

# AllowUsers keyword can be followed by a list of user
# name patterns, separated by spaces.  If specified,
# login is allowed only for user names that match one
# of the patterns.  Only user names are valid; a
# numerical user ID is not recognized.  By default,
# login is allowed for all users.  If the pattern
# takes the form USER@HOST then USER and HOST are
# separately checked, restricting logins to particular
# users from particular hosts.  HOST criteria may
# additionally contain addresses to match in CIDR
# address/masklen format.  The allow/deny directives
# are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
#
# CLI option: -o
# config.allow_users[]/allowed_user()
# AllowUsers default is not to use its keyword.

# DenyGroups keyword can be followed by a list of
# group name patterns, separated by spaces.  Login
# is disallowed for users whose primary group or
# supplementary group list matches one of the
# patterns.  Only group names are valid; a numerical
# group ID is not recognized.  By default, login is
# allowed for all groups.  The allow/deny directives
# are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
#
# CLI option: -o
# options.deny_groups[]/allowed_user()
# DenyGroups default is not to use its keyword.
DenyGroups root

# AllowGroups keyword can be followed by a list of
# group name patterns, separated by spaces.  If
# specified, login is allowed only for users whose
# primary group or supplementary group list
# matches one of the patterns.  Only group names are
# valid; a numerical group ID is not recognized.
# By default, login is allowed for all groups.
# The allow/deny directives are processed in the
# following order: DenyUsers, AllowUsers, DenyGroups,
# and finally AllowGroups.
#
# CLI option: -o
# options.allow_groups[]/allowed_user()
# AllowGroups default is not to use its keyword.
AllowGroups ssh

# AuthorizedKeysCommandUser specifies the user under
# whose account the AuthorizedKeysCommand is run.
# It is recommended to use a dedicated user that has
# no other role on the host than running authorized
# keys commands.  If AuthorizedKeysCommand is
# specified but AuthorizedKeysCommandUser is not, then
# sshd(8) will refuse to start.
#
# CLI option: -o
# options.authorized_keys_command_user[]/main()
# options.authorized_keys_command_user[]/user_key_command_allowed2()/user_key_allowed()/userauth_pubkey()/*method_pubkey[]/
# options.authorized_keys_command_user[]/user_key_command_allowed2()/user_key_allowed()/auth2-pubkey.c
# AuthorizedKeysCommandUser default is not to use its keyword.

# AuthorizedKeysCommand specifies a program to be used
# to look up the user's public keys.
# The program must be owned by root, not writable by
# group or others and specified by an absolute path.
# Arguments to AuthorizedKeysCommand accept the tokens
# described in the TOKENS section of sshd_config(5)
# man page.  If no arguments are specified then the
# username of the target user is used.
#
# The program should produce on standard output zero
# or more lines of authorized_keys output (see
# AUTHORIZED_KEYS in sshd(8)).  If a key supplied by
# AuthorizedKeysCommand does not successfully
# authenticate and authorize the user then public key
# authentication continues using the usual
# AuthorizedKeysFile files.  By default, no
# AuthorizedKeysCommand is run.
# Valid values are: 'none', '', and a command line.
#
# AuthorizedKeysCommand accepts the tokens %%, %f, %h,
# %k, %t, %U, and %u.
#
# CLI option: -o
# options.authorized_keys_command[]/main()
# AuthorizedKeysCommandUser defaults to 'none'.
AuthorizedKeysCommand none

# AuthorizedPrincipalsCommandUser specifies the user
# under whose account the AuthorizedPrincipalsCommand
# is run.  It is recommended to use a dedicated user
# that has no other role on the host than running
# authorized principals commands.  If
# AuthorizedPrincipalsCommand is specified but
# AuthorizedPrincipalsCommandUser is not, then sshd(8)
# will refuse to start.
#
# CLI option: -o
# options.authorized_principals_command_user[]/main()
# AuthorizedPrincipalsCommandUser username

# AuthorizedPrincipalsCommand specifies a program to
# be used to generate the list of allowed certificate
# principals as per AuthorizedPrincipalsFile.  The
# program must be owned by root, not writable by group
# or others and specified by an absolute path.
# Arguments to AuthorizedPrincipalsCommand accept the
# tokens described in the TOKENS section.  If no
# arguments are specified then the username of the
# target user is used.
#
# The program should produce on standard output zero
# or more lines of AuthorizedPrincipalsFile output.
# If either AuthorizedPrincipalsCommand or
# AuthorizedPrincipalsFile is specified, then
# certificates offered by the client for
# authentication must contain a principal that is
# listed.
# By default, no AuthorizedPrincipalsCommand is run.
# Valid values are 'none', '', and a valid command.
#
# AuthorizedPrincipalsCommand accepts the tokens %%,
# %F, %f, %h, %i, %K, %k, %s, %T, %t, %U, and %u.
#
# CLI option: -o
# options.authorized_principals_command[]/main()
# AuthorizedKeysCommandUser defaults to 'none'.
AuthorizedPrincipalsCommand none

# HostKeyAgent identifies the UNIX-domain socket used
# to communicate with an agent that has access to the
# private host keys.  If the string "SSH_AUTH_SOCK" is
# specified, the location of the socket will be read
# from the SSH_AUTH_SOCK environment variable over
# the keyword HostKeyAgent.
# Valid values are 'none', '', or a valid filespec.
#
# Channel type: authenticate (pre-channel)
# CLI option: -o
# Process context: main
# options.host_key_agent/main()
# options.host_key_agent/auth_sock/privsep_preauth()
# HostKeyAgent defaults to 'none'.
HostKeyAgent none

# At this execution point, '-t' CLI option will quit here.

# Banner sends the contents of the specified file the
# remote user before authentication is allowed.  If
# the argument is none then no banner is displayed.
#
# Channel type: auth (pre-channel)
# CLI option: -o
# options.banner[]/auth2_read_banner()/userauth_banner()/input_userauth_request()/ssh_dispatch_set(SSH2_MSG_USERAUTH_REQUEST)
# Banner defaults to 'none'.
Banner /etc/issue.net

# AuthenticationMethods specifies the authentication
# methods that must be successfully completed for a
# user to be granted access.  This option must be
# followed by one or more lists of comma-separated
# authentication method names, or by the single string
# any to indicate the default behaviour of accepting
# any single authentication method.  If the default is
# overridden, then successful authentication requires
# completion of every method in at least one of these
# lists.
# For example,
#    "publickey,password publickey,keyboard-interactive"
# would require the user to complete public key
# authentication, followed by either password or
# keyboard interactive authentication.  Only methods
# that are next in one or more lists are offered at
# each stage, so for this example it would not be
# possible to attempt password or keyboard-interactive
# authentication before public key.
#
# For keyboard interactive authentication it is also
# possible to restrict authentication to a specific
# device by appending a colon followed by the device
# identifier bsdauth or pam depending on the server
# configuration.  For example,
#     "keyboard-interactive:bsdauth"
# would restrict keyboard interactive authentication
# to the bsdauth device.
#
# If the publickey method is listed more than once,
# sshd(8) verifies that keys that have been used
# successfully are not reused for subsequent
# authentications.
#
# For example, "publickey,publickey" requires
# successful authentication using two # different
# public keys.
#
# Comma separates auth options that should be tried together.
# Space separates auth options that should be tried separately.
#
# Note that each authentication method listed should
# also be explicitly enabled in the configuration.
#
# The available authentication methods are:
#     "gssapi-with-mic",
#     "hostbased",
#     "keyboard-interactive",
#     "none" (used for access to password-less
#             accounts when PermitEmptyPasswords is
#             enabled),
#     "password" and
#     "publickey".
#
# Channel type: auth (pre-channel)
# CLI option: -o
# Process context: main?
# SSH service: ssh-userauth (SSH2_MSG_USERAUTH_REQUEST)
# options.auth_methods[]/auth2_setup_methods_lists()/input_userauth_request()
# AuthenticationMethods defaults to 'any'.
AuthenticationMethods gssapi-with-mic publickey,keyboard-interactive publickey,password password

# MaxAuthTries specifies the maximum number of
# authentication attempts permitted per connection.
# Once the number of failures reaches half this value,
# additional failures are logged.
#
# Channel type: auth (pre-channel)
# CLI option: -o
# Process context: main?
# SSH service: ssh-userauth (SSH2_MSG_USERAUTH_REQUEST)
# options.max_authtries/input_userauth_request()
# MaxAuthTries defaults to '6'.
MaxAuthtries 3

# PermitEmptyPasswords, when password authentication is
# allowed, it specifies whether the server allows login
# to accounts with empty password strings.
# PermitEmptyPasswords default is no.
#
# Authenticate Method: none, password
# Channel type: auth (pre-channel)
# CLI option: -o
# Process context: main?
# SSH service: ssh-userauth (SSH2_MSG_USERAUTH_REQUEST)
# options.permit_empty_passwd/userauth_none()/&method_none
# options.permit_empty_passwd/auth_password()/mm_answer_authpassword()
PermitEmptyPasswords no

# PasswordAuthentication specifies whether password
# authentication is allowed.
#
# Authenticate Method: password
# Channel type: auth (pre-channel)
# CLI option: -o
# Process context: main?
# SSH service: ssh-userauth (SSH2_MSG_USERAUTH_REQUEST)
# options.password_authentication/mm_answer_authpassword()
# PasswordAuthentication defaults to 'yes'.
PasswordAuthentication yes

# FingerprintHash specifies the hash algorithm used
# when logging key fingerprints.
# Valid options are: md5 and sha256.
#
# CLI option: -o
# options.fingerprint_hash
# FingerprintHash defaults to 'sha256'.
FingerprintHash sha256

# PubkeyAuthentication specifies whether public key
# authentication is allowed.
#
# Authenticate Method: pubkey
# Channel type: auth (pre-channel)
# CLI option: -o
# Process Context: monitor (client)
# options.pubkey_authentication/mm_answer_keyallowed()
# PubkeyAuthentication defaults to 'yes'.
PubkeyAuthentication yes

# PubkeyAcceptedKeyTypes specifies the key types that
# will be accepted for public key authentication as a
# list of comma-separated patterns.  Alternately if
# the specified value begins with a ‘+’ character,
# then the specified key types will be appended to
# the default set instead of replacing them.  If the
# specified value begins with a ‘-’ character, then
# the specified key types (including wildcards) will
# be removed from the default set instead of replacing
# them.
# The list of available key types may also be obtained
# using "ssh -Q key".
#
# Authenticate Method: pubkey
# Channel type: auth (pre-channel)
# CLI option: -o
# Monitor type: key-allowed
# options.pubkey_key_types
# PubkeyAcceptedKeyTypes defaults to:
#     ecdsa-sha2-nistp256-cert-v01@openssh.com,
#     ecdsa-sha2-nistp384-cert-v01@openssh.com,
#     ecdsa-sha2-nistp521-cert-v01@openssh.com,
#     ssh-ed25519-cert-v01@openssh.com,
#     rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
#     ssh-rsa-cert-v01@openssh.com,
#     ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
#     ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

# CASignatureAlgorithms specifies which algorithms are
# allowed for signing of certificates by certificate
# authorities (CAs).
#
# Certificates signed using other algorithms will not
# be accepted for public key or host-based
# authentication.
#
# Authenticate Method: hostbased, pubkey
# Channel type: auth (pre-channel)
# CLI option: -o
# options.ca_sign_algorithms/
# CASignatureAlgorithms defaults to:
#     ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
#     ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

# RevokedKeys specifies revoked public keys file, or
# none to not use one.  Keys listed in this file will
# be refused for public key authentication.  Note that
# if this file is not readable, then public key
# authentication will be refused for all users.
# Keys may be specified as a text file, listing one
# public key per line, or as an OpenSSH Key
# Revocation List (KRL) as generated by ssh-keygen(1).
# For more information on KRLs, see the KEY REVOCATION
# LISTS section in ssh-keygen(1).
#
# Authenticate Method: hostbased, pubkey
# Channel type: auth (pre-channel)
# CLI option: -o
# SSH service: ssh-userauth (SSH2_MSG_USERAUTH_REQUEST)
# options.revoked_keys_file[]/auth_key_is_revoked()/user_key_allowed()/userauth_pubkey()
# options.revoked_keys_file[]/auth_key_is_revoked()/hostbased_key_allowed()
RevokedKeys none

# AuthorizedKeysFile specifies the file that contains
# the public keys used for user authentication.  The
# format is described in the AUTHORIZED_KEYS FILE
# FORMAT section of sshd(8).  Arguments to
# AuthorizedKeysFile accept the tokens described in
# the TOKENS section.  After expansion,
# AuthorizedKeysFile is taken to be an absolute path
# or one relative to the user's home directory.
# Multiple files may be listed, separated by
# whitespace.  Alternately this option may be set to
# none to skip checking for user keys in files.
#
# AuthorizedKeysFile accepts the tokens %%, %h, %U, and %u.
#
# Authenticate Method: pubkey
# Channel type: auth (pre-channel)
# CLI option: -o
# options.authorized_keys_file[]
# AuthorizedKeysFile defaults to ".ssh/authorized_keys .ssh/authorized_keys2".
AuthorizedKeysFile %h/.ssh/authorized_keys

# StrictModes specifies whether sshd(8) should check
# file modes and ownership of the user's files and
# home directory before accepting login.  This is
# normally desirable because novices sometimes
# accidentally leave their directory or files
# world-writable.
#
# NOTE: this does not apply to ChrootDirectory,
# whose permissions and ownership are checked
# unconditionally.
#
# Authenticate Method: hostbased
# Channel type: auth (pre-channel)
# CLI option: -o
# options.strict_modes/auth_rhosts2()/hostbased_key_allowed()
# options.strict_modes/user_key_allowed2()
# StrictModes default is yes.
StrictModes yes

# TrustedUserCAKeys specifies a file containing public
# keys of certificate authorities that are trusted to
# sign user certificates for authentication, or none
# to not use one.  Keys are listed one per line; empty
# lines and comments starting with ‘#’ are allowed.
# If a certificate is presented for authentication and
# has its signing CA key listed in this file, then
# it may be used for authentication for any user
# listed in the certificate's principals list.
# NOTE: certificates that lack a list of principals
#       will not be permitted for authentication
#       using TrustedUserCAKeys.  For more details on
#       certificates, see the CERTIFICATES section
#       in ssh-keygen(1).
#
# Authenticate Method: hostbased?, pubkey
# Channel type: auth (pre-channel)
# CLI option: -o
# options.trusted_user_ca_keys/user_cert_trusted_ca()
# TrustedUserCAKeys defaults to 'none'.
TrustedUserCAKeys none

# ChallengeResponseAuthentication specifies whether
# challenge-response authentication is allowed (e.g.
# via PAM).
#
# NOTE: Debian openssh-server package sets
# ChallengeResponseAuthentication option to 'no'
# as standard in /etc/ssh/sshd_config # which are
# not the default in sshd(8):
#
# Authenticate Method: keyboard-interactive
# Channel type: auth (pre-channel)
# CLI option: -o
# options.challenge_response_authentication/userauth_kbdinit()
# ChallengeResponseAuthentication defaults to 'yes'.
ChallengeResponseAuthentication yes

# HostbasedAuthentication specifies whether rhosts or
# /etc/hosts.equiv authentication together with
# successful public key client host authentication is
# allowed (host-based authentication).
#
# Authenticate Method: hostbased
# Channel type: auth (pre-channel)
# CLI option: -o
# options.hostbased_authentication
# HostbasedAuthentication defaults to 'no'.
HostbasedAuthentication no

# IgnoreUserKnownHosts specifies whether sshd(8)
# should ignore the user's ~/.ssh/known_hosts during
# HostbasedAuthentication and use only the system-wide
# known hosts file /etc/ssh/known_hosts.
#
# Only works if HostbasedAuthentication is yes.
#
# Authenticate Method: hostbased
# Channel type: auth (pre-channel)
# CLI option: -o
# options.ignore_user_known_hosts
# IgnoreUserKnownHosts default to 'no'.
IgnoreUserKnownHosts no

# HostbasedAcceptedKeyTypes specifies the key types
# that will be accepted for hostbased authentication
# as a list of comma-separated patterns.  Alternately
# if the specified value begins with a ‘+’ character,
# then the specified key types will be appended to
# the default set instead of replacing them.  If the
# specified value begins with a ‘-’ character, then
# the specified key types (including wildcards) will
# be removed from the default set instead of
# replacing them.
# The list of available key types may also be obtained
# using "ssh -Q key".
#
# Authenticate Method: hostbased
# Channel type: auth (pre-channel)
# CLI option: -o
# options.hostbased_key_types
# The default for this option is:
#     ecdsa-sha2-nistp256-cert-v01@openssh.com,
#     ecdsa-sha2-nistp384-cert-v01@openssh.com,
#     ecdsa-sha2-nistp521-cert-v01@openssh.com,
#     ssh-ed25519-cert-v01@openssh.com,
#     rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
#     ssh-rsa-cert-v01@openssh.com,
#     ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
#     ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

# HostbasedUsesNameFromPacketOnly specifies whether
# or not the server will attempt to perform a reverse
# name lookup when matching the name in the ~/.shosts,
# ~/.rhosts, and /etc/hosts.equiv files during
# HostbasedAuthentication.  A setting of yes means
# that sshd(8) uses the name supplied by the client
# rather than attempting to resolve the name from the
# TCP connection itself.
#
# Authenticate Method: hostbased
# Channel type: auth (pre-channel)
# CLI option: -o
# HostbasedUsesNameFromPacketOnly defaults to 'no'.
HostbasedUsesNameFromPacketOnly no

# IgnoreRhosts specifies that .rhosts and .shosts
# files will not be used in HostbasedAuthentication.
# /etc/hosts.equiv and /etc/ssh/shosts.equiv are still
# used.
#
# Authenticate Method: hostbased
# Channel type: auth (pre-channel)
# CLI option: -o
# options.ignore_rhosts
# IgnoreRHosts defaults to 'yes'.
IgnoreRHosts yes

# KerberosAuthentication specifies whether the
# password provided by the user for
# PasswordAuthentication will be validated through the
# Kerberos KDC.  To use this option, the server needs
# a Kerberos servtab which allows the verification of
# the KDC's identity.
#
# Authenticate Method: gssapi-with-mic
# Channel type: auth (pre-channel)
# CLI option: -o
# options.kerberos_authentication/auth_password()
# KerberosAuthentication defaults to 'no'.
KerberosAuthentication no

# GSSAPIAuthentication specifies whether user
# authentication based on GSSAPI is allowed.
#
# Authenticate Method: gssapi-with-mic
# Channel type: auth (pre-channel)
# CLI option: -o
# options.gss_authentication/main()
# GSSAPIAuthentication defaults to 'no'.
GSSApiAuthentication no

# PermitRootLogin specifies whether root can log in
# using ssh(1).  The argument must be yes,
# prohibit-password, forced-commands-only, or no.
#
# If this option is set to prohibit-password (or its
# deprecated alias, without-password), password and
# keyboard-interactive authentication are disabled
# for root.
#
# If this option is set to forced-commands-only, root
# login with public key authentication will be
# allowed, but only if the command option has been
# specified (which may be useful for taking remote
# backups even if root login is normally not
# allowed).  All other authentication methods are
# disabled for root.
#
# If this option is set to no, root is not allowed to log in.
#
# Authenticate Method: all
# Channel type: auth (pre-channel)
# CLI option: -o
# options.permit_root_login/auth_password()
# PermitRootLogin defaults to 'prohibit-password'.
PermitRootlogin no

# ClientAliveInterval sets a timeout interval in
# seconds after which if no data has been received
# from the client, sshd(8) will send a message through
# the encrypted channel to request a response from the
# client.
#
# Channel type: all
# CLI option: -o
# options.client_alive_interval/wait_until_can_do_something()/serverloop.c
# ClientAliveInterval defaults to 0, indicating that
# these messages will not be sent to the client.
ClientAliveInterval 300

# ClientAliveCountMax sets the number of client alive
# messages which may be sent without sshd(8) receiving
# any messages back from the client.  If this
# threshold is reached while client alive messages are
# being sent, sshd will disconnect the client,
# terminating the session.  It is important to note
# that the use of client alive messages is very
# different from TCPKeepAlive.  The client alive
# messages are sent through the encrypted channel and
# therefore will not be spoofable.  The TCP keepalive
# option enabled by TCPKeepAlive is spoofable.  The
# client alive mechanism is valuable when the client
# or server depend on knowing when a connection has
# become inactive.
#
# Example: If ClientAliveInterval is set to 15,
# and ClientAliveCountMax is left at the
# default, unresponsive SSH clients will be
# disconnected after approximately 45 seconds.
#
# Channel type: all
# CLI option: -o
# options.client_alive_count_max
# ClientAliveInterval defaults to '3'.
ClientAliveCountMax 2

# PermitUserEnvironment specifies whether
# ~/.ssh/environment and environment= options in
# ~/.ssh/authorized_keys are processed by sshd(8).
# Valid options are yes, no or a pattern-list
# specifying which environment variable names to
# accept (for example "LANG,LC_*").  The default
# is no.  Enabling environment processing may
# enable users to bypass access restrictions in
# some configurations using mechanisms such as
# LD_PRELOAD.
#
# Channel type: all
# CLI option: -o
# options.permit_user_env
# PermitUserEnvironment defaults to 'no'.
PermitUserEnvironment no

# SSH2_MSG_CHANNEL_GLOBAL_REQUEST action state

# AllowTcpForwarding specifies whether TCP forwarding
# is permitted.  The available options are yes (the
# default) or all to allow TCP forwarding, no to
# prevent all TCP forwarding, local to allow local
# (from the perspective of ssh(1)) forwarding only or
# remote to allow remote forwarding only.
# NOTE: disabling TCP forwarding does not improve
# security unless users are also denied shell access,
# as they can always install their own forwarders.
#
# CLI option: -o
# options.allow_tcp_forwarding/do_authenticated()
# AllowTcpForwarding defaults to 'yes'.
AllowTcpForwarding no

# DisableForwarding disables all forwarding features,
# including X11, ssh-agent(1), TCP and StreamLocal.
# This option overrides all other forwarding-related
# options and may simplify restricted configurations.
#
# CLI option: -o
# options.disable_forwarding/do_authenticated()
# DisableForwarding defaults to ???  TODO: DisableForwarding
DisableForwarding no

# ExposeAuthInfo writes a temporary file containing a
# list of authentication methods and public
# credentials (e.g. keys) used to authenticate the
# user.  The location of the file is exposed to the
# user session through the SSH_USER_AUTH environment
# variable.
#
# CLI option: -o
# options.expose_userauth_info
# ExposeAuthInfo defaults to 'no'.
ExposeAuthInfo no

# GatewayPorts specifies whether remote hosts are
# allowed to connect to ports forwarded for the
# client.  By default, sshd(8) binds remote port
# forwardings to the loopback address.  This prevents
# other remote hosts from connecting to forwarded
# ports.  GatewayPorts can be used to specify that sshd
# should allow remote port forwardings to bind to
# non-loopback addresses, thus allowing other hosts to
# connect.  The argument may be no to force remote port
# forwardings to be available to the local host only,
# yes to force remote port forwardings to bind to the
# wildcard address, or clientspecified to allow the
# client to select the address to which the forwarding
# is bound.
#
# CLI option: -o
# options.fwd_opts.gateway_ports/channel_fwd_bind_addr()/channel_setup_fwd_listener_tcpip()/channel_setup_remote_fwd_listener()
# options.fwd_opts.gateway_ports/channel_fwd_bind_addr()/channel_setup_fwd_listener_tcpip()/channel_setup_local_fwd_listener()
# GatewayPorts defaults to 'no'.
GatewayPorts no


# STATE: Entering interactive session for SSH2.

#---------------------------------------------------
# SSH Session Method #1 - PseudoTTY
#---------------------------------------------------

# X11Forwarding specifies whether X11 forwarding is
# permitted.  The argument must be yes or no.
# The default is no.
#
# When X11 forwarding is enabled, there may be
# additional exposure to the server and to client
# displays if the sshd(8) proxy display is configured
# to listen on the wildcard address (see
# X11UseLocalhost), though this is not the default.
# Additionally, the authentication spoofing and
# authentication data verification and substitution
# occur on the client side.  The security risk of
# using X11 forwarding is that the client's X11
# display server may be exposed to attack when the SSH
# client requests forwarding (see the warnings for
# ForwardX11 in ssh_config(5)).  A system
# administrator may have a stance in which they want
# to protect clients that may expose themselves to
# attack by unwittingly requesting X11 forwarding,
# which can warrant a no setting.
#
# Note that disabling X11 forwarding does not prevent
# users from forwarding X11 traffic, as users can
# always install their own forwarders.
#
# NOTE: Debian openssh-server package sets X11Forwarding
# option to 'yes' as standard in # /etc/ssh/sshd_config
# which are not the default in sshd(8).
#
# CLI option: -o
# options.x11_forwarding/session_setup_x11fwd()
# X11Forwarding defaults to 'no'.
X11Forwarding no

# XAuthLocation specifies the full pathname of the
# xauth(1) program, or none to not use one.
#
# CLI option: -o
# do_rc_file()/session.c:1242
# options.xauth_location/session_setup_x11fwd()
# XAuthLocation defaults to '/usr/bin/xauth'.
XauthLocation /usr/bin/xauth

# X11DisplayOffset specifies the first display number
# available for sshd(8)'s X11 forwarding.  This prevents
# sshd from interfering with real X11 servers.
#
# CLI option: -o
# options.x11_display_offset/session_setup_x11fwd()
# X11DisplayOffset defaults to '10'.
X11DisplayOffset 10

# X11UseLocalhost specifies whether sshd(8) should bind
# the X11 forwarding server to the loopback address or
# to the wildcard address.  By default, sshd binds the
# forwarding server to the loopback address and sets
# the hostname part of the DISPLAY environment variable
# to localhost.  This prevents remote hosts from
# connecting to the proxy display.  However, some older
# X11 clients may not function with this configuration.
# X11UseLocalhost may be set to no to specify that the
# forwarding server should be bound to the wildcard
# address.  The argument must be yes or no.
#
# CLI option: -o
# options.x11_use_localhost/session_setup_x11fwd()
# X11UseLocalhost defaults to 'yes'.
X11UseLocalhost yes

# PermitTTY specifies whether pty(4) allocation is
# permitted.
#
# CLI option: -o
# options.permit_tty
# PermitTTY defaults to 'yes'.
PermitTTY yes

# MaxSessions specifies the maximum number of open
# shell, login or subsystem (e.g. sftp) sessions
# permitted per network connection.  Multiple sessions
# may be established by clients that support connection
# multiplexing.  Setting MaxSessions to 1 will
# effectively disable session multiplexing, whereas
# setting it to 0 will prevent all shell, login and
# subsystem sessions while still permitting forwarding.
#
# No CLI option.
# options.max_sessions
# MaxSessions defaults to '10'.
MaxSessions 1

# PrintLastLog specifies whether sshd(8) should print
# the date and time of the last user login when a user
# logs in interactively.
# PrintLastLog is only used if PermitTTY is yes.
#
# CLI option: -o
# Process Context: monitor (client)
# options.print_lastlog/store_lastlog_message()/record_login()/mm_record_login()/mm_answer_pty()/mon_table_dispatch_postauth[MONITOR_REQ_PTY}
# PrintLastLog defaults to 'yes'.
PrintLastLog yes

# PrintMotd specifies whether sshd(8) should print
# /etc/motd when a user logs in interactively.
# (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
#
# NOTE: Debian openssh-server package sets PrintMotd
# option to 'no' as standard in # /etc/ssh/sshd_config
# which are not the default in sshd(8).
#
# CLI option: -o
# Channel type: exec, shell, subsystem
# Process Context: server_loop2 (server)
# options.print_motd/do_motd()/do_login()/do_exec_pty()/do_exec()
# PrintMotd defaults to 'yes'.
PrintMotd yes

# ForceCommand forces the execution of the command
# specified by ForceCommand, ignoring any command
# supplied by the client and ~/.ssh/rc if present.
# The command is invoked by using the user's login
# shell with the -c option.  This applies to shell,
# command, or subsystem execution.  It is most useful
# inside a Match block.  The command originally
# supplied by the client is available in the
# SSH_ORIGINAL_COMMAND environment variable.
# Specifying a command of internal-sftp will force the
# use of an in-process SFTP server that requires no
# support files when used with ChrootDirectory.
#
# CLI option: -o
# Channel type: exec, shell, sftp-subsystem
# options.adm_forced_command/do_exec()/session_shell_req()/session_input_channel_req()/server_input_channel_req()
# options.adm_forced_command/do_exec()/session_exec_req()/session_input_channel_req()/server_input_channel_req()
# options.adm_forced_command/do_exec()/session_subsystem_req()/session_input_channel_req()/server_input_channel_req()
# options.adm_forced_command/do_rc_files()
# ForceCommand defaults to 'none'.
ForceCommand none

# AcceptEnv specifies what environment variables sent
# by the client will be copied into the session's
# environ(7).  See SendEnv and SetEnv in ssh_config(5)
# for how to configure the client.  The TERM
# environ ment variable is always accepted whenever
# the client requests a pseudo-terminal as it is
# required by the protocol.  Variables are specified
# by name, which may contain the wildcard characters
# ‘*’ and ‘?’.  Multiple environment variables may be
# separated by whitespace or spread across multiple
# AcceptEnv directives.  Be warned that some
# environment variables could be used to bypass
# restricted user environments.  For this reason, care
# should be taken in the use of this directive.
#
# NOTE: Debian openssh-server package sets AcceptEnv
# option to 'LANG LC_*' as standard in /etc/ssh/sshd_config
# which are not the default in sshd(8).
#
# CLI option: -o
# State: SSH2_MSG_CHANNEL_REQ
# options.num_accept_env
# options.accept_env[]/session_env_req()/session_input_channel_req()/server_input_channel_req()
# AcceptEnv defaults to accept any environment variables.
AcceptEnv LANG
AcceptEnv LC_*

# IPQoS specifies the IPv4 type-of-service or DSCP
# class for the connection.  Accepted values are af11,
# af12, af13, af21, af22, af23, af31, af32, af33,
# af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6,
# cs7, ef, lowdelay, throughput, reliability, a
# numeric value, or none to use the operating system
# default.  This option may take one or two arguments,
# separated by whitespace.  If one argument is
# specified, it is used as the packet class
# unconditionally.  If two values are specified, the
# first is automatically selected for interactive
# sessions and the second for non-interactive
# sessions.
#
# CLI option: -o
# options.ip_qos_interactive
# options.ip_qos_bulk
# IPQoS default is 'lowdelay' for interactive sessions
# and 'throughput' for non-interactive sessions.
IPQoS lowdelay throughput

#---------------------------------------------------
# SSH Session Method #2 - Direct TCP/IP
#---------------------------------------------------

#---------------------------------------------------
# SSH Session Method #3 - Tunneling through SSHD
#---------------------------------------------------
# PermitTunnel specifies whether tun(4) device
# forwarding is allowed.  The argument must be yes,
# point-to-point (layer 3), ethernet (layer 2), or
# no.  Specifying yes permits both point-to-point and
# ethernet.
#
# Independent of this setting, the permissions of the
# selected tun(4) device must allow access to the user.
#
# CLI option: -o
# options.permit_tun/server_request_tun()/server_input_channel_open()
# PermitTunnel  defaults to 'no'.
PermitTunnel no

#---------------------------------------------------
# SSH Session Method #4 - Streamlocal via pipe
#---------------------------------------------------
# AllowStreamLocalForwarding specifies whether
# StreamLocal (Unix-domain socket) forwarding is
# permitted.  The available options are yes (the
# default) or all to allow StreamLocal forwarding, no
# to prevent all StreamLocal forwarding, local to
# allow local (from the perspective of ssh(1))
# forwarding only or remote to allow remote forwarding
# only.
# NOTE: Disabling StreamLocal forwarding does not
# improve security unless users are also denied shell
# access, as they can always install their own
# forwarders.
#
# CLI option: -o
# AllowStreamLocalForwarding defaults to 'yes'.
AllowStreamLocalForwarding yes

# StreamLocalBindMask sets the octal file creation mode
# mask (umask) used when creating a Unix-domain socket
# file for local or remote port forwarding.  This
# option is only used for port forwarding to a
# Unix-domain socket file.
#
# The default value is 0177, which creates a
# Unix-domain socket file that is readable and writable
# only by the owner.  Note that not all operating
# systems honor the file mode on Unix-domain
# socket files.
#
# CLI option: -o
# options.allow_streamlocal_forwarding
# StreamLocalBindMask defaults to '0177'.
StreamLocalBindMask 0177

#-------------------------------------------------------
# Last known execution trace ends here.
# Everything below is unknown placement
#-------------------------------------------------------

# SetEnv specifies one or more environment variables
# to set in child sessions started by sshd(8)
# as “NAME=VALUE”.  The environment value may be
# quoted (e.g. if it contains whitespace
# characters).  Environment variables set by SetEnv
# override the default environment and any variables
# specified by the user via AcceptEnv
# or PermitUserEnvironment.
#
# Any GSSAPI envvars get created here
# USER envvar gets created here
# HOME envvar gets created here
# PATH envvar gets created here
# MAIL envvar gets created here, only if UsePAM is yes.
# SHELL envvar gets created here
# TZ envvar gets created here
# TERM envvar gets created here
# DISPLAY envvar gets created here
# KRB5CCNAME envvar gets created here
# AUTHSTATE envvar gets created here, only in AIX OS platform.
# SSH_AUTHSOCKET env var gets created here
# SSH_CLIENT envvar gets created here
# Any envvar from sshd command line gets created here.
# SSH_CONNECTION envvar gets created here
# SSH_TUNNEL envvar gets created here
# SSH_USER_AUTH envvar gets created here
# SSH_TTY envvar gets created here
# SSH_ORIGINAL_COMMAND envvar gets created here
#
# CLI option: -o
# options.num_setenv
# options.setenv[]
# SetEnv defaults to nothing.

# KerberosGetAFSToken, if AFS is active and the user
# has a Kerberos 5 TGT, attempt to acquire an AFS
# token before accessing the user's home directory.
#
# CLI option: -o
# options.kerberos_get_afs_token
# KerberosGetAFSToken defaults to 'no'.
KerberosGetAFSToken no

# PermitUserRC specifies whether any ~/.ssh/rc file
# is executed.
#
# CLI option: -o
# options.permit_user_rc/do_rc_file()
# PermitUserRC defaults to 'yes'.
PermitUserRc yes

# Subsystem configures an external subsystem (e.g. file
# transfer daemon).  Arguments should be a subsystem
# name and a command (with optional arguments) to
# execute upon subsystem request.
#
# The command sftp-server implements the SFTP file
# transfer subsystem.
#
# Alternately the name internal-sftp implements an
# in-process SFTP server.  This may simplify
# configurations using ChrootDirectory to force a
# different filesystem root on clients.
#
# By default no subsystems are defined.
#
# NOTE: Debian openssh-server package sets Subsystem
# option to 'sftp /usr/lib/openssh/sftp-server' as
# standard in /etc/ssh/sshd_config which are not
# the default in sshd(8):
#
# CLI option: -o
# options.num_subsystems/do_rc_file()
# options.subsystem_name[]
# options.subsystem_command[]
# options.subsystem_args[]
# Subsystem defaults to 'none'.
Subsystem sftp /usr/lib/openssh/sftp-server

# AllowAgentForwarding specifies whether ssh-agent(1)
# forwarding is permitted.
# Note: disabling agent forwarding does not improve
# security unless users are also denied shell access,
# as they can always install their own forwarders.
#
# Channel type: agent-forwarding
# CLI option: -o
# options.allow_agent_forwarding
# AllowAgentForwarding defaults to 'yes'.
AllowAgentForwarding no

# AuthorizedPrincipalsFile specifies a file that lists
# principal names that are accepted for certificate
# authentication.  When using certificates signed by a
# key listed in TrustedUserCAKeys, this file lists
# names, one of which must appear in the certificate
# for it to be accepted for authentication.  Names are
# listed one per line preceded by key options (as
# described in AUTHORIZED_KEYS FILE FORMAT in
# sshd(8)).  Empty lines and comments starting with
# ‘#’ are ignored.
#
# Arguments to AuthorizedPrincipalsFile accept the
# tokens described in the TOKENS section.  After
# expansion, AuthorizedPrincipalsFile is taken to be
# an absolute path or one relative to the user's home
# directory.  The default is none, i.e. not to use a
# principals file – in this case, the username of the
# user must appear in a certificate's principals list
# for it to be accepted.
#
# Note that AuthorizedPrincipalsFile is only used when
# authentication proceeds using a CA listed in
# TrustedUserCAKeys and is not consulted for
# certification authorities trusted via
# ~/.ssh/authorized_keys, though the principals= key
# option offers a similar facility (see sshd(8) for
# details).
#
# AuthorizedPrincipalsFile accepts the tokens %%, %h, %U, and %u.
#
# CLI option: -o
# AuthorizedPrincipalsFile defaults to 'none'.
AuthorizedPrincipalsFile none

# GSSAPIKeyExchange specifies whether key exchange
# based on GSSAPI is allowed. GSSAPI key exchange
# doesn't rely on ssh keys to verify host identity.
#
# GSSAPIKeyExchange defaults to 'no'.
GSSApiKeyExchange no

# GSSAPIStrictAcceptorCheck determines whether to be
# strict about the identity of the GSSAPI acceptor a
# client authenticates against.  If set to yes then
# the client must authenticate against the host
# service on the current hostname.  If set to no then
# the client may authenticate against any service key
# stored in the machine's default store.  This
# facility is provided to assist with operation on
# multi homed machines.
#
# CLI option: -o
# options.gss_strict_acceptor
# GSSAPIStrictAcceptorCheck defaults to 'yes'.
GSSApiStrictAcceptorCheck yes

# GSSAPIStoreCredentialsOnRekey controls whether
# the user's GSSAPI credentials should be updated
# following a successful connection rekeying. This
# option can be used to accepted renewed or updated
# credentials from a compatible client.
#
# CLI option: -o
# options.gss_store_creds_on_rekey
# GSSAPIStoreCredentialsOnRekey defaults to 'no'.
GSSAPIStoreCredentialsOnRekey no

# KerberosOrLocalPasswd, if password authentication
# through Kerberos fails then the password will be
# validated via any additional local mechanism such
# as /etc/passwd.
#
# CLI option: -o
# options.kerberos_or_local_passwd
# KerberosOrLocalPasswd defaults to 'yes'.
KerberosOrLocalPasswd yes

# PermitListen specifies the addresses/ports on which a
# remote TCP port forwarding may listen.  The listen
# specification must be one of the following forms:
#
#     PermitListen port
#     PermitListen host:port
#
# Multiple permissions may be specified by separating
# them with whitespace.  An argument of any can be used
# to remove all restrictions and permit any listen
# requests.  An argument of none can be used to prohibit
# all listen requests.  The host name may contain
# wildcards as described in the PATTERNS section in
# ssh_config(5).  The wildcard ‘*’ can also be used in
# place of a port number to allow all ports.  By default
# all port forwarding listen requests are permitted.
# NOTE: the GatewayPorts option may further restrict
#       which addresses may be listened on.
# NOTE: ssh(1) will request a listen host of “localhost”
#       if no listen host was specifically requested,
#       and this this name is treated differently to
#       explicit localhost addresses of “127.0.0.1”
#       and “::1”.
#
# CLI option: -o
# options.permitted_listens[]
# PermitListen defaults to 'any'.
PermitListen any

# PermitOpen specifies the destinations to which TCP
# port forwarding is permitted.  The forwarding
# specification must be one of the following forms:
#
#     PermitOpen host:port
#     PermitOpen IPv4_addr:port
#     PermitOpen [IPv6_addr]:port
#
# Multiple forwards may be specified by separating them
# with whitespace.  An argument of any can be used to
# remove all restrictions and permit any forwarding
# requests.  An argument of none can be used to
# prohibit all forwarding requests.  The wildcard ‘*’
# can be used for host or port to allow all hosts or
# ports, respectively.  By default all port forwarding
# requests are permitted.
#
# CLI option: -o
# options.permitted_opens[]
# PermitOpen defaults to 'any'.
PermitOpen any

# KbdInteractiveAuthentication specifies whether to
# allow keyboard-interactive authentication.  The
# argument to this keyword must be yes or no.
# KbdInteractiveAuthentication default is to use
# whatever value ChallengeResponseAuthentication is
# set to (which is also default yes).
#
# CLI option: -o
# Process Context: server_loop2 (server)
# Process Context: monitor (client)
# options.kbd_interactive_authentication/main()
# options.kbd_interactive_authentication/userauth_kbdinit()/method_kbdint()/main()
# options.kbd_interactive_authentication/mm_answer_pam_start()mm_start_pam()/DEAD-END
# KbdInteractiveAuthentication defaults to 'ChallengeResponseAuthentication'.
KbdInteractiveAuthentication yes

# PubkeyAuthOptions  TODO: finish this
# Valid values are: 'none', 'touch-required'.
#
# options.pubkey_auth_options
# PubkeyAuthOptions defaults to 'none'.
PubkeyAuthOptions touch-required


#####################################################
#  Everything above is unknown placement in execution thread
#  Everything below is in proper execution order
#####################################################

# StreamLocalBindUnlink specifies whether to remove an
# existing Unix-domain socket file for local or remote
# port forwarding before creating a new one.  If the
# socket file already exists and StreamLocalBindUnlink
# is not enabled, sshd will be unable to forward the
# port to the Unix-domain socket file.  This option is
# only used for port forwarding to a Unix-domain
# socket file.
#
#
# CLI option: -o
# options.fwds.streamlocal_bind_mask
# StreamLocalBindUnlink defaults to 'no'.
StreamLocalBindUnlink no

# KerberosTicketCleanup specifies whether to
# automatically destroy the user's ticket cache file
# on logout.
#
# CLI option: -o
# options.kerberos_ticket_cleanup
# KerberosTicketCleanup defaults to 'yes'.
KerberosTicketCleanup yes

# GSSAPICleanupCredentials specifies whether to
# automatically destroy the user's credentials cache
# on logout.
#
# No CLI option.
# options.gss_cleanup_creds
# GSSAPICleanupCredentials defaults to 'yes'.
GSSApiCleanupCredentials yes

# Match introduces a conditional block.  If all of the
# criteria on the Match line are satisfied, the
# keywords on the following lines override those set
# in the global section of the config file, until
# either another Match line or the end of the file.
# If a keyword appears in multiple Match blocks that
# are satisfied, only the first instance of the
# keyword is applied.
#
# The arguments to Match are one or more
# criteria-pattern pairs or the single token All which
# matches all criteria.  The available criteria are
# User, Group, Host, LocalAddress, LocalPort, RDomain,
# and Address (with RDomain representing the
# rdomain(4) on which the connection was received.)
#
# The match patterns may consist of single entries or
# comma-separated lists and may use the wildcard and
# negation operators described in the PATTERNS section
# of ssh_config(5).
#
# The patterns in an Address criteria may additionally
# contain addresses to match in CIDR address/masklen
# format, such as 192.0.2.0/24 or 2001:db8::/32.
# NOTE: the mask length provided must be consistent
#       with the address - it is an error to specify a
#       mask length that is too long for the address
#       or one with bits set in this host portion of
#       the address.  For example, 192.0.2.0/33 and
#       192.0.2.0/8, respectively.
#
# Only a subset of keywords may be used on the lines
# following a Match keyword.
# Available keywords are:
#     AcceptEnv, AllowAgentForwarding, AllowGroups,
#     AllowStreamLocalForwarding, AllowTcpForwarding,
#     AllowUsers, AuthenticationMethods,
#     AuthorizedKeysCommand, AuthorizedKeysCommandUser,
#     AuthorizedKeysFile, AuthorizedPrincipalsCommand,
#     AuthorizedPrincipalsCommandUser,
#     AuthorizedPrincipalsFile, Banner,
#     ChrootDirectory, ClientAliveCountMax,
#     ClientAliveInterval, DenyGroups, DenyUsers,
#     ForceCommand, GatewayPorts, GSSAPIAuthentication,
#     HostbasedAcceptedKeyTypes,
#     HostbasedAuthentication,
#     HostbasedUsesNameFromPacketOnly, IPQoS,
#     KbdInteractiveAuthentication,
#     KerberosAuthentication, LogLevel, MaxAuthTries,
#     MaxSessions, PasswordAuthentication,
#     PermitEmptyPasswords, PermitListen, PermitOpen,
#     PermitRootLogin, PermitTTY, PermitTunnel,
#     PermitUserRC, PubkeyAcceptedKeyTypes,
#     PubkeyAuthentication, RekeyLimit, RevokedKeys,
#     RDomain, SetEnv, StreamLocalBindMask,
#     StreamLocalBindUnlink, TrustedUserCAKeys,
#     X11DisplayOffset, X11Forwarding and
#     X11UseLocalHost.
# CLI option: -o