refraction-forger/images/files/etc/sshd_config

#
# Configuration file for sshd(1m) (see also sshd_config(4))
#

Protocol 2
Port 22

# If port forwarding is enabled (default), specify if the server can bind to
# INADDR_ANY.
# This allows the local port forwarding to work when connections are received
# from any remote host.
GatewayPorts no

# X11 tunneling options
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

# The maximum number of concurrent unauthenticated connections to sshd.
# start:rate:full see sshd(1) for more information.
# The default is 10 unauthenticated clients.
#MaxStartups 10:30:60

# Banner to be printed before authentication starts.
#Banner /etc/issue

# Should sshd print the /etc/motd file and check for mail.
# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
PrintMotd no

# KeepAlive specifies whether keep alive messages are sent to the client.
# See sshd(1) for detailed description of what this means.
# Note that the client may also be sending keep alive messages to the server.
KeepAlive yes

# Syslog facility and level
SyslogFacility auth
LogLevel info

#
# Authentication configuration
#

# Host private key files
# Must be on a local disk and readable only by the root user (root:sys 600).
# HostKey /etc/ssh/ssh_host_rsa_key
# HostKey /etc/ssh/ssh_host_dsa_key

# Ensure secure permissions on users .ssh directory.
StrictModes yes

# Length of time in seconds before a client that hasn't completed
# authentication is disconnected.
# Default is 600 seconds. 0 means no time limit.
LoginGraceTime 600

# Maximum number of retries for authentication
MaxAuthTries	6

# Are logins to accounts with empty passwords allowed.
# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
# to pam_authenticate(3PAM).
PermitEmptyPasswords no

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
# You probably also need to disable ChallengeResponseAuthentication.
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

PermitRootLogin without-password

# sftp subsystem
Subsystem	sftp	internal-sftp

IgnoreRhosts yes
Initial implementation of refraction-forger Standalone workspace with 4 crates for building optimized OS images and publishing to OCI registries: - spec-parser: KDL image spec parsing with include resolution and profile-based conditional filtering - forge-oci: OCI image creation (tar layers, manifests, Image Layout) and registry push via oci-client - forge-engine: Build pipeline with Phase 1 (rootfs assembly via native package managers with -R) and Phase 2 (QCOW2/OCI/artifact targets), plus dyn-compatible ToolRunner trait for external tool execution - forger: CLI binary with build, validate, inspect, push, and targets commands Ported KDL specs and overlay files from the vm-manager prototype. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-15 15:30:22 +01:00			`#`
			`# Configuration file for sshd(1m) (see also sshd_config(4))`
			`#`

			`Protocol 2`
			`Port 22`

			`# If port forwarding is enabled (default), specify if the server can bind to`
			`# INADDR_ANY.`
			`# This allows the local port forwarding to work when connections are received`
			`# from any remote host.`
			`GatewayPorts no`

			`# X11 tunneling options`
			`X11Forwarding yes`
			`X11DisplayOffset 10`
			`X11UseLocalhost yes`

			`# The maximum number of concurrent unauthenticated connections to sshd.`
			`# start:rate:full see sshd(1) for more information.`
			`# The default is 10 unauthenticated clients.`
			`#MaxStartups 10:30:60`

			`# Banner to be printed before authentication starts.`
			`#Banner /etc/issue`

			`# Should sshd print the /etc/motd file and check for mail.`
			`# On Solaris it is assumed that the login shell will do these (eg /etc/profile).`
			`PrintMotd no`

			`# KeepAlive specifies whether keep alive messages are sent to the client.`
			`# See sshd(1) for detailed description of what this means.`
			`# Note that the client may also be sending keep alive messages to the server.`
			`KeepAlive yes`

			`# Syslog facility and level`
			`SyslogFacility auth`
			`LogLevel info`

			`#`
			`# Authentication configuration`
			`#`

			`# Host private key files`
			`# Must be on a local disk and readable only by the root user (root:sys 600).`
			`# HostKey /etc/ssh/ssh_host_rsa_key`
			`# HostKey /etc/ssh/ssh_host_dsa_key`

			`# Ensure secure permissions on users .ssh directory.`
			`StrictModes yes`

			`# Length of time in seconds before a client that hasn't completed`
			`# authentication is disconnected.`
			`# Default is 600 seconds. 0 means no time limit.`
			`LoginGraceTime 600`

			`# Maximum number of retries for authentication`
			`MaxAuthTries 6`

			`# Are logins to accounts with empty passwords allowed.`
			`# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK`
			`# to pam_authenticate(3PAM).`
			`PermitEmptyPasswords no`

			`# To disable tunneled clear text passwords, change PasswordAuthentication to no.`
			`# You probably also need to disable ChallengeResponseAuthentication.`
			`PasswordAuthentication yes`

			`# Change to no to disable s/key passwords`
			`#ChallengeResponseAuthentication yes`

			`PermitRootLogin without-password`

			`# sftp subsystem`
			`Subsystem sftp internal-sftp`

			`IgnoreRhosts yes`