#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ 

# This is the sshd server system-wide configuration file.  See 
# sshd_config(5) for more information. 

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 

# The strategy used for options in the default sshd_config shipped with 
# OpenSSH is to specify options with their default value where 
# possible, but leave them commented.  Uncommented options override the 
# default value. 
#TOS_USE_PORT 
#LocalPort_TGM 
Port 9333
#AddressFamily any 
#ListenAddress 0.0.0.0 
#ListenAddress :: 

#HostKey /etc/ssh/ssh_host_rsa_key 
#HostKey /etc/ssh/ssh_host_dsa_key 
#HostKey /etc/ssh/ssh_host_ecdsa_key 
#HostKey /etc/ssh/ssh_host_ed25519_key 

# Ciphers and keying 
#RekeyLimit default none 

# Logging 
#SyslogFacility AUTH 
#LogLevel INFO 

# Authentication: 

#LoginGraceTime 2m 
PermitRootLogin yes
#StrictModes yes 
#MaxAuthTries 6 
#MaxSessions 10 

#PubkeyAuthentication yes 

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 
# but this is overridden so installations will only check .ssh/authorized_keys 
AuthorizedKeysFile	.ssh/authorized_keys 
#AuthorizedPrincipalsFile none 

#AuthorizedKeysCommand none 
#AuthorizedKeysCommandUser nobody 

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 
#HostbasedAuthentication no 
# Change to yes if you don't trust ~/.ssh/known_hosts for 
# HostbasedAuthentication 
#IgnoreUserKnownHosts no 
# Don't read the user's ~/.rhosts and ~/.shosts files 
#IgnoreRhosts yes 

# To disable tunneled clear text passwords, change to no here! 
#PasswordAuthentication yes 
#PermitEmptyPasswords no 

# Change to no to disable s/key passwords 
#ChallengeResponseAuthentication yes 

# Kerberos options 
#KerberosAuthentication no 
#KerberosOrLocalPasswd yes 
#KerberosTicketCleanup yes 
#KerberosGetAFSToken no 

# GSSAPI options 
#GSSAPIAuthentication no 
#GSSAPICleanupCredentials yes 

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and 
# PasswordAuthentication.  Depending on your PAM configuration, 
# PAM authentication via ChallengeResponseAuthentication may bypass 
# the setting of "PermitRootLogin without-password". 
# If you just want the PAM account and session checks to run without 
# PAM authentication, then enable this but set PasswordAuthentication 
# and ChallengeResponseAuthentication to 'no'. 
UsePAM yes

#AllowAgentForwarding yes 
#AllowTcpForwarding yes 
#GatewayPorts no 
#X11Forwarding no 
#X11DisplayOffset 10 
#X11UseLocalhost yes 
#PermitTTY yes 
#PrintMotd yes 
#PrintLastLog yes 
#TCPKeepAlive yes 
#UseLogin no 
#PermitUserEnvironment no 
#Compression delayed 
#ClientAliveInterval 0 
#ClientAliveCountMax 3 
#UseDNS no 
PidFile /var/run/sftpd.pid
#MaxStartups 10:30:100 
#PermitTunnel no 
#ChrootDirectory none 
#VersionAddendum none 

# no default banner path 
#Banner none 

# override default of no subsystems 
#Subsystem	sftp	/usr/libexec/sftp-server 
Subsystem sftp internal-sftp
Match User sftpuser
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
# Example of overriding settings on a per-user basis 
#Match User anoncvs 
#	X11Forwarding no 
#	AllowTcpForwarding no 
#	PermitTTY no 
#	ForceCommand cvs server 
#Match LocalPort  9223 