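# -*- coding: utf-8; mode: python -*-
# Template that generates sshd_config for the managed hosts.
# NOTE(review): lines starting with '@' look like literal sshd_config output and
# '%' lines like output whose right-hand side is evaluated first -- confirm
# against the template engine. has() appears to test a host group/role.

include("mode/space")

header("Configuration du serveur ssh")

@# What ports, IPs and protocols we listen for
@Port 22
@# Use these options to restrict which interfaces/protocols sshd will bind to
@#ListenAddress ::
@#ListenAddress 0.0.0.0
@Protocol 2

# REVIEW: DSA host keys are limited to 1024 bits and ssh-dss is disabled by
# default from OpenSSH 7.0 on; consider dropping the DSA key once no client
# depends on it. No Ed25519 host key is listed here.
@# HostKeys for protocol version 2
@HostKey /etc/ssh/ssh_host_rsa_key
@HostKey /etc/ssh/ssh_host_dsa_key
@HostKey /etc/ssh/ssh_host_ecdsa_key
@#Privilege Separation is turned on for security
@UsePrivilegeSeparation yes

# REVIEW: the two settings below only concern the protocol 1 server key (as the
# emitted comment says); with "Protocol 2" above they have no effect.
@# Lifetime and size of ephemeral version 1 server key
@KeyRegenerationInterval 3600
@ServerKeyBits 1024

@# Logging
@SyslogFacility AUTH
@LogLevel INFO

# REVIEW: "PermitRootLogin yes" lets root log in with every authentication
# method that is enabled below, including the PAM keyboard-interactive path.
# If root only ever logs in with keys, the key-only value of this option
# (without-password, renamed prohibit-password in OpenSSH 7.0) is the tighter
# choice -- confirm with the admins before changing it, to avoid a lock-out.
@# Authentication:
@LoginGraceTime 120
@PermitRootLogin yes
@StrictModes yes
@RSAAuthentication yes
@PubkeyAuthentication yes

# On owncloud hosts a shared, absolute-path key file is added to the per-user
# ones. The path has no %h/%u token, so the same file is consulted for every
# account: a key placed there is accepted for any user allowed to log in.
# Keep that file root-owned and tightly permissioned, and audit its content.
if has("owncloud"):
    @AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2 /etc/ssh/authorized_keys
else:
    @#AuthorizedKeysFile %h/.ssh/authorized_keys

@# Don't read the user's ~/.rhosts and ~/.shosts files
@IgnoreRhosts yes
@# For this to work you will also need host keys in /etc/ssh_known_hosts
@RhostsRSAAuthentication no
@# similar for protocol version 2
@HostbasedAuthentication no
@# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
@#IgnoreUserKnownHosts yes
@# To enable empty passwords, change to yes (NOT RECOMMENDED)
@PermitEmptyPasswords no

# REVIEW: with "UsePAM yes" further down, challenge-response
# (keyboard-interactive) authentication is handed to PAM. If the PAM stack for
# sshd accepts the account password, password logins remain possible even
# though PasswordAuthentication is "no" -- verify the PAM configuration, or
# set this to "no" if only key authentication is intended.
@# Change to yes to enable challenge-response passwords (beware issues with
@# some PAM modules and threads)
@ChallengeResponseAuthentication yes
@# Change to no to disable tunnelled clear text passwords
@PasswordAuthentication no

@# Kerberos options
@#KerberosAuthentication no
@#KerberosGetAFSToken no
@#KerberosOrLocalPasswd yes
@#KerberosTicketCleanup yes
@# GSSAPI options
@#GSSAPIAuthentication no
@#GSSAPICleanupCredentials yes

# X11 forwarding is only switched on for hosts in the "users" or "2B" groups.
%X11Forwarding yesno(has("users") or has("2B"))
@X11DisplayOffset 10
@PrintMotd no
@PrintLastLog yes
@TCPKeepAlive yes
@#UseLogin no
@#MaxStartups 10:30:60
@#Banner /etc/issue.net
@# Allow client to pass locale environment variables
@AcceptEnv LANG LC_*
@Subsystem sftp /usr/lib/openssh/sftp-server
@UsePAM yes
@UseDNS yes

# owncloud hosts: every account must be able to authenticate so that sshfs
# mounts get the right file owner, but those accounts must not be able to do
# anything else on the machine (see the emitted French comment below).
# The Match applies to users that are in neither "adm" nor "apprentis" and that
# connect from any address other than 127.0.0.1.
# ForceCommand only replaces the command/shell; forwarding requests are handled
# separately, so they are refused explicitly here to match the stated intent.
# NOTE(review): the address list does not exempt ::1, so a loopback connection
# made over IPv6 is restricted as well -- confirm that this is intended.
if has("owncloud"):
    @#Owncloud doit laisser accès à l'ensemble des utilisateurs pour
    @#faire un mount sshfs (sinon les fichiers ajoutés n'appartiennent
    @#pas au bon utilisateur, mais on ne veut pas qu'ils puissent faire
    @#quoi que ce soit sur la machine.
    @Match Group !adm,!apprentis,* Address !127.0.0.1,*
    @ ForceCommand /bin/false
    @ AllowTcpForwarding no
    @ AllowAgentForwarding no
    @ X11Forwarding no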