integ/connectivity/openssh/files/sshd-security-hardening-and-disabling-password-based-rootssh.patch
Dean Troyer 3cd12006bb StarlingX open source release updates
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
2018-05-31 07:36:35 -07:00


---
sshd_config | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
--- a/sshd_config
+++ b/sshd_config
@@ -33,14 +33,14 @@ Protocol 2
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
-#LogLevel INFO
+LogLevel INFO
# Authentication:
-#LoginGraceTime 2m
-#PermitRootLogin yes
+LoginGraceTime 1m
+PermitRootLogin without-password
#StrictModes yes
-#MaxAuthTries 6
+MaxAuthTries 4
#MaxSessions 10
#RSAAuthentication yes
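Review bot: `PermitRootLogin without-password` still lets root log in with public keys and any other non-password method that is enabled, so the hunk narrows root access exactly as the patch name says and nothing more, which deserves a comment on that line: `# root may still log in with keys; only password logins for root are refused`. `without-password` is the older spelling of `prohibit-password`; which spelling the target OpenSSH build documents depends on its version, which the patch does not show, so keep the old form unless the build is known to accept the new one and mention the alias in the same comment. Of the other lines, `LogLevel INFO` restates the upstream default while `LoginGraceTime 1m` and `MaxAuthTries 4` are the real behavioural tightenings.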
@@ -59,7 +59,7 @@ Protocol 2
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
-#PermitEmptyPasswords no
+PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
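Review bot: `PermitEmptyPasswords no` restates the compiled-in default while `#PasswordAuthentication yes` stays commented, so password logins remain enabled for every account other than root after this patch. That matches the patch name, but a reader of the hunk cannot tell whether it was deliberate; add `# password authentication is intentionally left enabled for non-root accounts (see PermitRootLogin)` above the line, or set `PasswordAuthentication no` if key-only access is the actual goal. With `ChallengeResponseAuthentication no` already in place, keyboard-interactive via PAM is not a second password path here.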
@@ -85,10 +85,10 @@ ChallengeResponseAuthentication no
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
+AllowAgentForwarding no
+AllowTcpForwarding no
#GatewayPorts no
-#X11Forwarding no
+X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
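Review bot: `AllowTcpForwarding no` also refuses the direct-tcpip channels that `ssh -W` and `ProxyJump`/`-J` open on an intermediate host, so none of these hosts can serve as a jump host after this change; that is likely intended as hardening but should be written next to the directive, e.g. `# no port, agent or X11 forwarding; this also rules out using the host as a ProxyJump hop`. `X11Forwarding no` matches the default shown in the commented line it replaces, so only the two Allow* lines change behaviour. The `sftp` subsystem later in the file stays enabled and is unaffected by these settings.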
@@ -96,18 +96,19 @@ UsePAM yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
-#PermitUserEnvironment no
+PermitUserEnvironment no
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
-#UseDNS yes
+# Make SSH connect faster on bootup
+UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
-# no default banner path
-#Banner none
+# default banner path
+Banner /etc/issue.net
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
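Review bot: The comment added above `UseDNS no` gives only the boot-speed reason; the setting also stops sshd from resolving the client address, so hostname patterns in `from=` options of authorized_keys and in hostname-based `Match Host` or `AllowUsers user@host` entries presumably no longer match and only address patterns work. Extend the comment: `# Make SSH connect faster on bootup; from=/Match patterns must then use addresses, not hostnames`. `Banner /etc/issue.net` assumes that file is shipped by this package or the image, which the patch does not show; confirm it exists on the target, since whether sshd then shows no banner or logs an error depends on the build.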
@@ -117,3 +118,5 @@ Subsystem sftp /usr/libexec/sftp-server
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
+DenyUsers admin secadmin operator
+
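Review bot: `DenyUsers admin secadmin operator` is appended after the commented per-user example whose `Match User anoncvs` line sits above the hunk; sshd applies every directive that follows a `Match` line to that block, and `DenyUsers` is a valid Match keyword, so if that or any later `Match` block above it is ever uncommented this global denial silently becomes per-match. Move the line up into the Authentication section next to `PermitRootLogin`, or at least comment it: `# local service accounts that must never get an interactive ssh session`. The added trailing empty line is harmless but adds nothing to the file.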