...
The parameters we change:
- AcceptEnv commented out. This prevents unexpected side effects from client-supplied environment variables, especially non-standard locale variables.
- AllowUsers restricts logins to the listed accounts. We set this to root and add others as the need arises.
- GSSAPIAuthentication no turns off several authentication methods that are not needed when using public/private key pairs or passwords. Reference: http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface
- PasswordAuthentication no or without-password disables login via password.
- PermitRootLogin no or without-password disables login via password. We always use without-password, sometimes globally and sometimes within Match Address conditional section(s).
- UsePrivilegeSeparation yes allows ssh to function in LXC containers. We set this in LXCs only (otherwise we keep the as-installed no); without it, ssh does not work there.
- UsePAM no avoids messages like "PAM service(sshd) ignoring max retries; 6 > 3". The message is caused by PAM's compiled-in retry limit being less than sshd's.
- UseDNS no disables reverse DNS lookups that check whether your hostname matches the IP address you are connecting from. This does not make sense with dynamic IP addresses.
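The following audit script is an added example, not part of the original page: it parses an sshd_config (including Match blocks, since PermitRootLogin is sometimes set within a Match Address section as described above) and reports which of the settings listed here are in their hardened state. The sample configuration embedded in it is constructed for illustration; the directive names and accepted values are the ones discussed above. It follows sshd's rule that the first value given for a directive in the global section wins.

```python
"""Audit an sshd_config against the hardening settings discussed above (added example)."""

# Accepted values per directive (lowercased keyword -> tuple of accepted values).
# None means the directive is expected to be absent or commented out.
EXPECTED = {
    "acceptenv": None,
    "gssapiauthentication": ("no",),
    "passwordauthentication": ("no",),
    "permitrootlogin": ("no", "without-password"),
    "usepam": ("no",),
    "usedns": ("no",),
}

# Directives that only need to be present with an explicit value (AllowUsers is a site-specific list).
MUST_BE_SET = {"allowusers"}

# Constructed sample, not any real host's configuration.
SAMPLE = """\
Port 22
#AcceptEnv LANG LC_*
AllowUsers root
GSSAPIAuthentication no
PasswordAuthentication yes
UsePAM no
UseDNS no
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin without-password
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lowercased keyword -> value; the first occurrence wins, as in sshd.
    match_blocks is a list of (criteria, settings) in file order, one per Match line.
    Only the whitespace-separated "Keyword value" form is handled.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}  # every following directive belongs to this Match block
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value)
    return global_settings, match_blocks


def audit(text):
    """Return a dict keyword -> status string for each directive of interest."""
    global_settings, match_blocks = parse_sshd_config(text)
    report = {}
    for keyword in MUST_BE_SET:
        actual = global_settings.get(keyword)
        report[keyword] = "ok" if actual else "not set, expected an explicit user list"
    for keyword, allowed in EXPECTED.items():
        actual = global_settings.get(keyword)
        if allowed is None:
            report[keyword] = "ok" if actual is None else f"set to '{actual}', expected commented out"
            continue
        # Match blocks that set the hardened value only cover connections meeting their criteria.
        match_ok = [crit for crit, s in match_blocks if s.get(keyword, "").lower() in allowed]
        if actual is not None and actual.lower() in allowed:
            report[keyword] = "ok"
        elif match_ok:
            report[keyword] = "ok only within Match: " + "; ".join(match_ok)
        else:
            shown = actual if actual is not None else "default"
            report[keyword] = f"is '{shown}', expected one of {', '.join(allowed)}"
    return report


if __name__ == "__main__":
    for keyword, status in sorted(audit(SAMPLE).items()):
        print(f"{keyword:24} {status}")
```

Run against a real host with `python3 audit.py` after replacing SAMPLE with the contents of /etc/ssh/sshd_config; a status of "ok only within Match" means every connection not matching those criteria still gets the global or compiled-in default.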
...