crans_bcfg2/TCheetah/etc/ssh/sshd_config/template

# -*- mode: conf -*-
#
# See the sshd(8) manpage for details

## What ports, IPs and protocols we listen for
Port 22
## Use these options to restrict which interfaces/protocols sshd will bind to
##ListenAddress ::
##ListenAddress 0.0.0.0
Protocol 2
## HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
##Privilege Separation is turned on for security
UsePrivilegeSeparation yes

## Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

## Logging
SyslogFacility AUTH
LogLevel INFO

## Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
##AuthorizedKeysFile	%h/.ssh/authorized_keys

## Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
## For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
## similar for protocol version 2
HostbasedAuthentication no
## Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
##IgnoreUserKnownHosts yes

## To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

## Change to yes to enable challenge-response passwords (beware issues with
## some PAM modules and threads)
ChallengeResponseAuthentication yes

## Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

## Kerberos options
##KerberosAuthentication no
##KerberosGetAFSToken no
##KerberosOrLocalPasswd yes
##KerberosTicketCleanup yes

## GSSAPI options
##GSSAPIAuthentication no
##GSSAPICleanupCredentials yes

#if "users" in $metadata.groups
X11Forwarding yes
#else
X11Forwarding no
#endif
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
##UseLogin no

##MaxStartups 10:30:60
##Banner /etc/issue.net

## Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes