antonorlov · September 14, 2016 11:58
diff --git a/sshd_config b/sshd_config
 # The default requires explicit activation of protocol 1
 #Protocol 2

 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key

 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024

 # Ciphers and keying
 #RekeyLimit default none

 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 SyslogFacility AUTHPRIV
 #LogLevel INFO

 # Authentication:

 #LoginGraceTime 2m
 #PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10

 #RSAAuthentication yes
 #PubkeyAuthentication yes

 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile .ssh/authorized_keys

 #AuthorizedPrincipalsFile none

 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody

 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes

 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 PasswordAuthentication no

 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
 ChallengeResponseAuthentication no

 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 #KerberosUseKuserok yes

 # GSSAPI options
 GSSAPIAuthentication yes
 GSSAPICleanupCredentials no
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
 #GSSAPIEnablek5users no

 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
 # problems.
 UsePAM no

 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
 X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
 UsePrivilegeSeparation sandbox		# Default for new installations.
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #ShowPatchLevel no
 #UseDNS yes
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none

 # Accept locale-related environment variables
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 AcceptEnv XMODIFIERS

 # override default of no subsystems
 Subsystem sftp	/usr/libexec/openssh/sftp-server
	# The default requires explicit activation of protocol 1
	#Protocol 2

	# HostKey for protocol version 1
	#HostKey /etc/ssh/ssh_host_key
	# HostKeys for protocol version 2
	HostKey /etc/ssh/ssh_host_rsa_key
	#HostKey /etc/ssh/ssh_host_dsa_key
	HostKey /etc/ssh/ssh_host_ecdsa_key
	HostKey /etc/ssh/ssh_host_ed25519_key

	# Lifetime and size of ephemeral version 1 server key
	#KeyRegenerationInterval 1h
	#ServerKeyBits 1024

	# Ciphers and keying
	#RekeyLimit default none

	# Logging
	# obsoletes QuietMode and FascistLogging
	#SyslogFacility AUTH
	SyslogFacility AUTHPRIV
	#LogLevel INFO

	# Authentication:

	#LoginGraceTime 2m
	#PermitRootLogin yes
	#StrictModes yes
	#MaxAuthTries 6
	#MaxSessions 10

	#RSAAuthentication yes
	#PubkeyAuthentication yes

	# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
	# but this is overridden so installations will only check .ssh/authorized_keys
	AuthorizedKeysFile .ssh/authorized_keys

	#AuthorizedPrincipalsFile none

	#AuthorizedKeysCommand none
	#AuthorizedKeysCommandUser nobody

	# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
	#RhostsRSAAuthentication no
	# similar for protocol version 2
	#HostbasedAuthentication no
	# Change to yes if you don't trust ~/.ssh/known_hosts for
	# RhostsRSAAuthentication and HostbasedAuthentication
	#IgnoreUserKnownHosts no
	# Don't read the user's ~/.rhosts and ~/.shosts files
	#IgnoreRhosts yes

	# To disable tunneled clear text passwords, change to no here!
	#PasswordAuthentication yes
	#PermitEmptyPasswords no
	PasswordAuthentication no

	# Change to no to disable s/key passwords
	#ChallengeResponseAuthentication yes
	ChallengeResponseAuthentication no

	# Kerberos options
	#KerberosAuthentication no
	#KerberosOrLocalPasswd yes
	#KerberosTicketCleanup yes
	#KerberosGetAFSToken no
	#KerberosUseKuserok yes

	# GSSAPI options
	GSSAPIAuthentication yes
	GSSAPICleanupCredentials no
	#GSSAPIStrictAcceptorCheck yes
	#GSSAPIKeyExchange no
	#GSSAPIEnablek5users no

	# Set this to 'yes' to enable PAM authentication, account processing,
	# and session processing. If this is enabled, PAM authentication will
	# be allowed through the ChallengeResponseAuthentication and
	# PasswordAuthentication. Depending on your PAM configuration,
	# PAM authentication via ChallengeResponseAuthentication may bypass
	# the setting of "PermitRootLogin without-password".
	# If you just want the PAM account and session checks to run without
	# PAM authentication, then enable this but set PasswordAuthentication
	# and ChallengeResponseAuthentication to 'no'.
	# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
	# problems.
	UsePAM no

	#AllowAgentForwarding yes
	#AllowTcpForwarding yes
	#GatewayPorts no
	X11Forwarding yes
	#X11DisplayOffset 10
	#X11UseLocalhost yes
	#PermitTTY yes
	#PrintMotd yes
	#PrintLastLog yes
	#TCPKeepAlive yes
	#UseLogin no
	UsePrivilegeSeparation sandbox # Default for new installations.
	#PermitUserEnvironment no
	#Compression delayed
	#ClientAliveInterval 0
	#ClientAliveCountMax 3
	#ShowPatchLevel no
	#UseDNS yes
	#PidFile /var/run/sshd.pid
	#MaxStartups 10:30:100
	#PermitTunnel no
	#ChrootDirectory none
	#VersionAddendum none

	# Accept locale-related environment variables
	AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
	AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
	AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
	AcceptEnv XMODIFIERS

	# override default of no subsystems
	Subsystem sftp /usr/libexec/openssh/sftp-server