# Package generated configuration file
# See the sshd(8) manpage for details
#
# Reading order matters: sshd(8) keeps the FIRST value it obtains for each
# keyword (sshd_config(5)), and the Include below is processed where it
# appears. Anything set at top level in an included snippet therefore takes
# precedence over the defaults further down in this file, so the effective
# policy is this file plus every snippet, not this file alone.

# add a file configuring port access for each connected node
Include /etc/ark/ssh/sshd_config.d/*.conf

# What ports, IPs and protocols we listen for
Port 44000
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
# Protocol 1 support was removed from OpenSSH some releases ago, so this
# keyword is kept for compatibility only; recent servers only speak 2 anyway
Protocol 2

# present a host certificate
# The host key is CA-signed and the certificate is offered next to the key,
# so clients that trust the CA need not pin this host's key individually
HostKey /etc/ark/ssh/ssh_host_ecdsa_key
HostCertificate /etc/ark/ssh/ssh_host_ecdsa_key-cert.pub

# allow any clients that present a matching user certificate, which removes
# the need to store authorized_keys for each client
# (apart from the AllowUsers pattern below, who may log in is decided by the
# CA's signing policy: the principals and validity period in each certificate)
TrustedUserCAKeys /etc/ark/ssh/ssh_user_ca.pub
# disable authorized_keys lookups entirely so the CA is the only way in
AuthorizedKeysFile none

PidFile /run/natp-sshd-container.pid

# Logging
# VERBOSE records the fingerprint of the key/certificate used for each login,
# which is what allows per-certificate auditing with authorized_keys disabled
SyslogFacility AUTH
LogLevel VERBOSE

# Authentication:
# seconds a connection may stay unauthenticated before sshd drops it
# (the default is 120; kept short to limit how long pre-auth slots are held)
LoginGraceTime 10
StrictModes yes

PubkeyAuthentication yes

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

HostbasedAuthentication no

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no

PrintMotd no
PrintLastLog no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

# Without PAM, sshd does not run PAM account or session stacks either, so any
# account-expiry or lockout rules expressed in PAM do not apply to these logins
UsePAM no

# Don't choke if we can't resolve the originating IP address via
# reverse-dns. In fact, don't try at all.
UseDNS no

# Do not add debian version to the protocol banner on the TCP port
# NOTE(review): DebianBanner is a Debian-patched keyword; a stock OpenSSH build
# would most likely reject it as an unknown option and refuse to start
DebianBanner no

# Disallow all the normal ssh stuff such as shell access
AllowAgentForwarding no
# no forwarding of Unix domain sockets in either direction
AllowStreamLocalForwarding no
# This message can only be shown if a session channel is ever opened; with
# MaxSessions 0 below that should not happen, so treat the forced command as
# defence in depth rather than the mechanism that blocks shells
ForceCommand echo 'This account can only be used for reverse-tunneling'
# repeated from the Authentication block above (same value; the first wins)
IgnoreRhosts yes
KbdInteractiveAuthentication no
KerberosAuthentication no
# repeated from above (same value; the first wins)
PasswordAuthentication no
# no local (-L) or dynamic (-D) forwarding destinations at all
PermitOpen none
PermitRootLogin no
PermitTTY no
PermitTunnel no
# never execute a user's ~/.ssh/rc on login
PermitUserRC no
X11Forwarding no

# Allow -zero- shells or sftps
# sshd_config(5): a value of 0 prevents shell, login and subsystem sessions
# while still permitting forwarding, which is exactly the intended use here
MaxSessions 0

# And if all that somehow doesn't work, lock them in a chroot jail
# think /var/chroot/natp-ssh-container is the better location, but lintian
# disagrees with that
# sshd_config(5) requires the chroot directory and every component of its
# path to be root-owned and not writable by any other user or group; whatever
# creates /run/natp-sshd-container at boot has to guarantee that, otherwise
# sshd refuses the chroot and the login fails
#ChrootDirectory /var/chroot/natp-ssh-container/
ChrootDirectory /run/natp-sshd-container/

# Keep the idle connection alive through NATs. Promptly detect when the
# remote client has gone away without properly disconnecting.
# (a client that misses 3 consecutive probes sent every 30 seconds is
# disconnected after roughly 90 seconds; TCPKeepAlive adds the kernel's
# own probes on top of the SSH-level ones)
TCPKeepAlive yes
ClientAliveCountMax 3
ClientAliveInterval 30

# Allow only authentication via public keys
# (repeated from the Authentication block above; same value)
PubkeyAuthentication yes

# Can try up to 3 keys before being rejected.
# (sshd_config(5): once failures reach half this value, further failures are
# logged, which is useful for spotting clients presenting the wrong cert)
MaxAuthTries 3

# Allow the user to open a TCP port on the server which will be forwarded
# back to the originating machine. Do not allow forwarding from the
# client into the server's network ("remote" only).
AllowTcpForwarding remote
# GatewayPorts no # listen on 127.0.0.1 only
# GatewayPorts yes # listen on wildcard (0.0.0.0) only
# With clientspecified the client may ask for a wildcard bind, so the host
# firewall and the per-node PermitListen snippets decide what is reachable
# from outside, not this line.
# NOTE(review): the trailing "# ..." below relies on sshd accepting a comment
# after the value; older OpenSSH releases rejected trailing text as garbage at
# end of line, so confirm this parses on the target sshd version
GatewayPorts clientspecified # client chooses listen-on address

# Expect user names to be in the city-countrycode format, e.g. sea3-us
# All other users in /etc/passwd will be denied.
# (the pattern is matched against the login name only; "*-??" also admits any
# other account whose name ends in a dash plus two characters, so account
# creation rather than this line is what really bounds who can connect)
AllowUsers *-??

# Deny Listen unless a user is matched with specific config
# (expected to be overridden per node by the snippets pulled in via Include
# above; since the first obtained value wins, a snippet's PermitListen takes
# effect over this default -- presumably inside Match blocks so that it only
# applies to the intended user)
PermitListen none