...
If a parameter is set twice, it may be the first value in the file that takes effect! Experiment showed this to be true for PermitRootLogin, but not for UsePAM. More information in BLAVORG-590. For simplicity we decided not to have any parameter set twice.
A pro-forma file is available in the Blue Light git at conf/ssh/sshd_config.
Explanation of some of the recommended changes

PasswordAuthentication no
- (or without-password) disables login via password.

UsePAM no
- avoids messages like "PAM service(sshd) ignoring max retries; 6 > 3". The message is caused by PAM's compiled-in retry limit being less than sshd's.

UseDNS no
- disables reverse DNS lookups to see if your hostname matches the IP address you are connecting from. Does not make sense with dynamic IP addresses.

GSSAPIAuthentication no
- turns off several authentication methods which are not needed when using private/public keys or passwords.

Compression yes
- enhances throughput, as long as the CPU is not slow or overloaded.
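Because the first occurrence of a keyword can be the one sshd applies, a config that sets a parameter twice may silently not do what the later line says. The following added example (not code from the Blue Light repository) reads an sshd_config from stdin, lists every keyword set more than once together with its effective first value, and compares the effective values with the recommendations above; the sample config at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Blue Light repository. Checks an sshd_config
# (read from stdin) for keywords set more than once, because the page found that
# for at least PermitRootLogin the FIRST occurrence is the one that takes effect,
# and compares the effective value of each keyword with the page's recommendations.
# Keywords are case-insensitive; comments, blank lines and anything after a Match
# block are ignored.

# Print "Keyword first_value (N occurrences)" for every keyword set more than once.
sshd_dups() {
    awk '
        NF == 0 || $1 ~ /^#/      { next }
        tolower($1) == "match"    { exit }   # Match blocks are conditional; stop there
        {
            k = tolower($1); n[k]++
            if (n[k] == 1) { first[k] = $2; shown[k] = $1 }
        }
        END { for (k in n) if (n[k] > 1)
                  printf "%s %s (%d occurrences)\n", shown[k], first[k], n[k] }' | sort
}

# Print "keyword effective_value wanted_value" for each recommended keyword whose
# effective (first) value differs from what this page recommends.
sshd_check() {
    cfg=$(cat)
    for pair in passwordauthentication=no usepam=no usedns=no \
                gssapiauthentication=no compression=yes; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(printf '%s\n' "$cfg" | awk -v k="$key" '
            NF == 0 || $1 ~ /^#/ { next }
            tolower($1) == "match" { exit }
            tolower($1) == k { print $2; exit }')
        [ "${have:-unset}" = "$want" ] || printf '%s %s %s\n' "$key" "${have:-unset}" "$want"
    done
}

# Constructed sample sshd_config: PermitRootLogin is (wrongly) set twice and
# UsePAM disagrees with the recommendation.
SAMPLE='# constructed sample
PermitRootLogin no
UsePAM yes
PasswordAuthentication no
UseDNS no
PermitRootLogin yes
GSSAPIAuthentication no
Compression yes'

printf '%s\n' "$SAMPLE" | sshd_dups     # PermitRootLogin no (2 occurrences)
printf '%s\n' "$SAMPLE" | sshd_check    # usepam yes no
```

Run it against the real file with `sshd_dups < /etc/ssh/sshd_config`; an empty result from sshd_dups means no keyword is set twice before the first Match block.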
/etc/default/ssh
root@localhost:~# diff /etc/default/ssh{.org,}
5c5
< SSHD_OPTS=
---
> SSHD_OPTS=-u0
- -u0 makes sshd record only the IP address, not the host name, in utmp, so no DNS lookup is made for that either (consistent with UseDNS no above).
...