## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
## (leave above lines intact!)
## sshd2_config
## SSH 3.2 Server Configuration File
##

## General

#	HostKeyFile			hostkey
#	PublicHostKeyFile		hostkey.pub
#	RandomSeedFile			random_seed
#	BannerMessageFile		/etc/ssh2/ssh_banner_message
#	BannerMessageFile		/etc/issue.net
#
#	VerboseMode			no
#	QuietMode			no
#	SyslogFacility			AUTH
#	SyslogFacility			LOCAL7
#	SftpSyslogFacility		LOCAL7

## Network

# Port is left uncommented because the example startup scripts need it.
# The value shown is the default, which is unlikely to change.
	Port 				22
#	ListenAddress			any
#	ResolveClientHostName		yes
#	RequireReverseMapping		no
#	MaxBroadcastsPerSecond		0
#	MaxBroadcastsPerSecond		1  
#	NoDelay				no
#	KeepAlive			yes
#	MaxConnections			50
#	MaxConnections			0 
# MaxConnections 0 means that the number of connections is not limited.

## Crypto

#	Ciphers				AnyCipher
#	Ciphers				AnyStdCipher
#	Ciphers				3des
# The following also includes the "none" cipher, i.e. no encryption at all:
#	Ciphers				AnyStd
#
#	MACs				AnyMAC
#	MACs				AnyStdMAC
# The following also includes the "none" MAC, i.e. no integrity protection:
#	MACs				AnyStd
#
#	RekeyIntervalSeconds		3600

## User

#	PrintMotd			yes
#	CheckMail			yes
#	StrictModes			yes
# Specifies 1 hour (you can also use 'w' for week, 'd' for day, 'm' for
#                   minute, 's' for seconds)
#	IdleTimeOut			1h
# Without a specifier, the number is interpreted as seconds:
#	IdleTimeOut			3600
#
#	UserConfigDirectory		"%D/.ssh2"
#	UserConfigDirectory		"/etc/ssh2/auth/%U"
#	AuthorizationFile		authorization
# SettableEnvironmentVars is set here because it is empty by default, which
# means that no environment variables can be set. A few common ones are
# therefore allowed. The value is a comma-separated list of patterns (see
# REGEX-SYNTAX at the top of this file).
# NOTE(review): PATH is in the list; presumably this lets a client choose the
# command search path of its session -- confirm that this is acceptable where
# accounts are limited to forced commands or restricted shells.
	SettableEnvironmentVars		LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ
	
## Tunneling

#	AllowX11Forwarding		yes
#	AllowTcpForwarding		yes
#	AllowTcpForwardingForUsers	sjl, cowboyneal@slashdot\.org
#	DenyTcpForwardingForUsers	2[[:digit:]]*4,peelo
#	AllowTcpForwardingForGroups	privileged_tcp_forwarders
#	DenyTcpForwardingForGroups	coming_from_outside
#
# Local port forwardings to host 10.1.0.25 ports 143 and 25 are 
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS). 
#
#      ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
#
# Local port forwardings requested exactly to host proxy.company.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group id 10:
#
#      ForwardACL allow local s.*%10 proxy\.company\.com%8080
#
# Remote port forwarding is denied for all users to all hosts:
#      ForwardACL deny remote .* .*


## Authentication
## publickey and password allowed by default

#	AllowedAuthentications		publickey,password
#	AllowedAuthentications		hostbased,publickey,password
#	AllowedAuthentications		hostbased,publickey,keyboard-interactive
#	RequiredAuthentications		publickey,password
#	LoginGraceTime			600
#	AuthInteractiveFailureTimeout	2
#
#	HostbasedAuthForceClientHostnameDNSMatch no
#	UserKnownHosts			yes
#
#	AuthPublicKey.MaxSize		0
#	AuthPublicKey.MinSize		0
#	AllowAgentForwarding		yes
#
#	AuthKbdInt.NumOptional		0
#	AuthKbdInt.Optional		pam,password
#	AuthKbdInt.Required		password 
#	AuthKbdInt.Retries		3
#
#	PermitEmptyPasswords		no
#	PasswordGuesses			3

## Host restrictions

#	AllowHosts			localhost, foobar.com, friendly.org
#
## The next pattern matches, for example, taulu.foobar.com and tuoli.com,
## but not tuoli1.com. Note that you have to write "\." when you want to
## match only a literal dot; an unescaped "." (as in the AllowHosts example
## above) matches any single character, so the pattern admits more host
## names than the literal one. You also have to escape "," when you want to
## use it in a pattern, because otherwise it is considered a list separator.
## 
##     AllowHosts		t..l.\..*
##
## The following matches any numerical IP-address (yes, it is cumbersome)
##
##     AllowHosts		([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
##
## The same thing is achieved by using the special prefix "\i" in a
## pattern. This means that the pattern is only used to match
## IP-addresses.
##
## Using the above example:
##
##     AllowHosts		\i.*
##
## You can probably see the difference between the two.
##
## Also, you can use subnet masks, by using prefix "\m"
##
##     AllowHosts		\m127.0/8
## and
##     AllowHosts		\m127.0.0.0/24
##
## would match localhost ("127.0.0.1").
##
#	DenyHosts			evil\.org, aol\.com
#	AllowSHosts			trusted\.host\.org
#	DenySHosts			not\.quite\.trusted\.org
#	IgnoreRhosts			no
#	IgnoreRootRHosts		no
# (IgnoreRootRHosts, if not set, defaults to the value of IgnoreRhosts)

## User restrictions

# User and group names are given as comma-separated patterns (see
# REGEX-SYNTAX at the top of this file).
#	AllowUsers			sj.*,s[[:digit:]]*,s(jl|amza)
#	DenyUsers			skuuppa,warezdude,31373
#	DenyUsers			don@untrusted\.org
#	AllowGroups			staff,users
#	DenyGroups			guest,anonymous
# NOTE(review): "yes" permits root logins; "nopwd" is understood to refuse
# only password authentication for root -- confirm against the sshd2_config
# manual page before relying on it.
#	PermitRootLogin			yes
#	PermitRootLogin			nopwd

## Chrooted environment

#	ChRootUsers			anonymous,ftp,guest
#	ChRootGroups			sftp,guest

## SSH1 compatibility

# NOTE(review): SSH protocol version 1 has known cryptographic weaknesses;
# keeping Ssh1Compatibility at "no" presumably means that sshd2 never hands
# a connection over to sshd1 -- confirm before enabling it.
#	Ssh1Compatibility		no
#	Sshd1Path			<set by	configure by default>
#
# Sshd1ConfigFile is given as argument to sshd1 with "-f" if sshd2 itself is
# invoked with "-f"; otherwise sshd1 uses its default configuration.
#	Sshd1ConfigFile			/etc/sshd_config_alternate

## subsystem definitions

# Subsystems have no defaults, so the sftp definition below must stay
# uncommented.
	subsystem-sftp                  sftp-server
# Alternatively, the internal sftp-server subsystem can be used:
#	subsystem-sftp			internal://sftp-server

## Subconfiguration
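# There are no default subconfiguration files. When subconfiguration files
# are specified, the last value obtained for a keyword prevails. Note that
# the host specific files are read before the user specific files, so a
# value set in a user specific file overrides the same keyword set in a
# host specific file.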

# Following matches (from) any host
#
#      HostSpecificConfig .* /etc/ssh2/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
#      HostSpecificConfig \m192.168.0.0/16 /etc/ssh2/subconfig/host_int.example
#
# The following matches users from ssh.com whose username is two characters
# long or is sjl, and who belong to group wheel or wheel[0-9]
#
#      UserSpecificConfig (..|sjl)%wheel[[:digit:]]?@ssh\.com /etc/ssh2/subconfig/user.example
#
# Following matches to the user anonymous from any host
#
#      UserSpecificConfig anonymous@.* /etc/ssh2/subconfig/anonymous.example
