##############################################################
# sshd_config : fichier de configuration du service ssh
# Pour EOLE
#samuel morin <samuel.morin@ac-dijon.fr>
##############################################################
#OpenBSD: sshd_config

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
Protocol 2
#Evite les erreurs "WARNING: Not loading blacklisted module ipv6"
AddressFamily inet

#ListenAddress

#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 2048

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 600

StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	%h/.ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts yes
%if not %%is_defined('login_graphique')
AllowGroups %slurp
 %if %%is_defined('activer_web_zephir')
uucp %slurp
 %end if
 %if %%ssh_permit_root == "oui"
root %slurp
 %end if
adm %slurp
 %for %%allow_group in %%ssh_allow_groups
%%allow_group %slurp
 %end for
%end if
%if %%getVar('activer_onenode','non') == 'oui'
 %if %%is_defined('virt_user')
%%virt_user %slurp
 %end if
%end if

%if %%ssh_permit_root == "oui"
PermitRootLogin yes
%else
PermitRootLogin no
%end if

# To disable tunneled clear text passwords, change to no here!
%if %%ssh_allow_passwd == "oui"
PasswordAuthentication yes
%else
PasswordAuthentication no
%end if

PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

X11Forwarding yes
X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd no
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

#Suppress DNS verification
UseDNS no

# Allow client to pass locale environment variables
AcceptEnv LANG LANGUAGE LC_* EDITOR

UsePAM yes
# override default of no subsystems
Subsystem	sftp	/usr/lib/sftp-server

