# Logging
LogLevel VERBOSE
SyslogFacility AUTH


# Authentication
PermitRootLogin no
StrictModes yes

AuthenticationMethods publickey
PubkeyAuthentication yes


# Disable Other Authentication Methods
ChallengeResponseAuthentication no
GSSAPIAuthentication no
HostbasedAuthentication no
KbdInteractiveAuthentication no
KerberosAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM no


# Certificates
AuthorizedKeysFile none
TrustedUserCAKeys /etc/ssh/ca.pub
AuthorizedPrincipalsFile /etc/ssh/principals/%u

HostKey /etc/ssh/ssh_host_rsa_key
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub 


# Capability Limits
AllowAgentForwarding no
AllowStreamLocalForwarding no
AllowTcpForwarding no

GatewayPorts no

PermitListen none
PermitOpen none

PermitTunnel no
PermitUserEnvironment no
PermitUserRC no

PrintMotd no

X11Forwarding no
X11UseLocalhost yes


# Interactive Terminal
PermitTTY yes


# Rate Limit
LoginGraceTime 20
MaxAuthTries 3
MaxSessions 10
MaxStartups 10:30:100