sshd_config diff Ubuntu 16.04 default vs module configured
# diff /tmp/sshd_config.bak /etc/ssh/sshd_config
1,2c1,2
< # Package generated configuration file
< # See the sshd_config(5) manpage for details
---
> # This file is being maintained by Puppet.
> # DO NOT EDIT
4c4,16
< # What ports, IPs and protocols we listen for
---
> # $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
>
> #Port 22
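Review bot: The paragraph on the new side promising that commented options show their default value is inherited from the 2005 OpenSSH sample (the `$OpenBSD: sshd_config,v 1.73 2005/12/06` line above it), so the commented lines in this file document OpenSSH 4.x defaults rather than those of the OpenSSH 7.2 that Ubuntu 16.04 ships: `#Protocol 2,1` in the 6,8c18 hunk and `#PermitRootLogin yes` in the 28c48,50 hunk are no longer defaults, and `#KeyRegenerationInterval`, `#ServerKeyBits`, `#RSAAuthentication` and `#RhostsRSAAuthentication` are SSH1-era options that 7.x only tolerates with a deprecation warning if ever uncommented. Commented, they have no runtime effect, but a reader will take them as the live defaults when auditing the host. Either regenerate the template from the sample sshd_config of the OpenSSH version actually deployed, or replace the paragraph with `# Commented values are historical; see sshd_config(5) for the current defaults.`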
6,8c18
< # Use these options to restrict which interfaces/protocols sshd will bind to
< #ListenAddress ::
< #ListenAddress 0.0.0.0
---
> #Protocol 2,1
9a20,24
> #AddressFamily any
> AddressFamily any
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
10a26,27
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
15,16d31
< #Privilege Separation is turned on for security
< UsePrivilegeSeparation yes
19c34,35
< KeyRegenerationInterval 3600
---
> #KeyRegenerationInterval 1h
> #ServerKeyBits 1024
21d36
<
22a38,39
> # obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
23a41
> #LogLevel INFO
26a45,46
>
> #LoginGraceTime 120
28c48,50
< PermitRootLogin prohibit-password
---
> #PermitRootLogin yes
> PermitRootLogin no
> #StrictModes yes
29a52
> #MaxAuthTries 6
31c54,55
< RSAAuthentication yes
---
> #RSAAuthentication yes
> #PubkeyAuthentication yes
33c57
< #AuthorizedKeysFile %h/.ssh/authorized_keys
---
> #AuthorizedKeysFile .ssh/authorized_keys
35,38c59,60
< # Don't read the user's ~/.rhosts and ~/.shosts files
< IgnoreRhosts yes
< # For this to work you will also need host keys in /etc/ssh_known_hosts
< RhostsRSAAuthentication no
---
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
39a62
> #HostbasedAuthentication no
41,49c64,70
< # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
< #IgnoreUserKnownHosts yes
<
< # To enable empty passwords, change to yes (NOT RECOMMENDED)
< PermitEmptyPasswords no
<
< # Change to yes to enable challenge-response passwords (beware issues with
< # some PAM modules and threads)
< ChallengeResponseAuthentication no
---
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
> IgnoreRhosts yes
51,52c72,79
< # Change to no to disable tunnelled clear text passwords
< PasswordAuthentication no
---
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
> ChallengeResponseAuthentication yes
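Review bot: `PasswordAuthentication yes` and `ChallengeResponseAuthentication yes` re-enable password logins that the file being replaced had explicitly switched off (`PasswordAuthentication no`, `ChallengeResponseAuthentication no`), so applying this module weakens the host rather than hardening it; with `UsePAM yes` set in the 62a90,101 hunk, any non-root account that PAM permits becomes reachable with a password over the network, and the comment kept directly above (`To disable tunneled clear text passwords, change to no here!`) describes exactly the setting being undone. If key-only login is the intended baseline, the template should carry `PasswordAuthentication no` and `ChallengeResponseAuthentication no` and expose the value as a module parameter so that hosts which genuinely need passwords opt in, instead of every managed host silently getting them. At minimum the reversal belongs in the module's changelog so the change is visible to whoever reviews the Puppet run.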
55,56d81
< #KerberosAuthentication no
< #KerberosGetAFSToken no
58a84
> #KerberosGetAFSToken no
61a88
> GSSAPIAuthentication yes
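Review bot: `GSSAPIAuthentication yes` turns on an authentication method whose sshd default is no, and nothing in the diff indicates a Kerberos realm or keytab on the hosts the module targets. On a host that is not Kerberos-joined the setting only adds a negotiation step and a second authentication code path to reason about, so it should stay at the default unless a module parameter (defaulting to no) enables it. `GSSAPICleanupCredentials yes` in the next hunk is harmless on its own but is only meaningful when GSSAPI is actually in use, so it should follow the same parameter.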
62a90,101
> GSSAPICleanupCredentials yes
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication mechanism.
> # Depending on your PAM configuration, this may bypass the setting of
> # PasswordAuthentication, PermitEmptyPasswords, and
> # "PermitRootLogin without-password". If you just want the PAM account and
> # session checks to run without PAM authentication, then enable this but set
> # ChallengeResponseAuthentication=no
> #UsePAM no
> UsePAM yes
63a103,110
> # Accept locale-related environment variables
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> #AllowTcpForwarding yes
> AllowTcpForwarding yes
> #GatewayPorts no
> #X11Forwarding no
65,67c112,117
< X11DisplayOffset 10
< PrintMotd no
< PrintLastLog yes
---
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> PrintMotd yes
> #PrintLastLog yes
> #TCPKeepAlive yes
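Review bot: `PrintMotd yes` reverses the Ubuntu default `PrintMotd no`; on Ubuntu 16.04 the message of the day is normally emitted by pam_motd from the sshd PAM stack, so with `UsePAM yes` also set this will most likely print the MOTD twice per login. Unless the target hosts have pam_motd removed, keep `PrintMotd no` in the template, or at least record the reason above the line, e.g. `# PrintMotd yes: pam_motd is not used on these hosts`. Dropping the explicit `PrintLastLog yes` is fine, as that matches the built-in default.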
69a120,138
> #UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> ClientAliveInterval 0
> ClientAliveCountMax 3
> #ShowPatchLevel no
> #UseDNS yes
> UseDNS yes
> #PidFile /var/run/sshd.pid
> #MaxStartups 10:30:100
> #MaxSessions 10
>
> #PermitTunnel no
> #ChrootDirectory none
>
> # no default banner path
> #Banner none
> Banner none
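Review bot: `UseDNS yes` reverts the OpenSSH default (no since 6.8) and makes sshd do a reverse lookup, plus a forward check of the result, on every incoming connection; where client networks lack consistent PTR records this delays logins and puts DNS availability on the authentication path. It only buys something when `from=` patterns in authorized_keys or `Match Host` blocks are written as hostnames rather than addresses, which this diff does not show, so if that is not the case the line should read `UseDNS no`. `ClientAliveInterval 0` together with `ClientAliveCountMax 3` merely restates the defaults and means idle sessions are never probed; a one-line comment such as `# 0 = no client-alive probing; idle sessions are never torn down by sshd` would make that explicit if it is deliberate.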
71,76c140
< #MaxStartups 10:30:60
< #Banner /etc/issue.net
<
< # Allow client to pass locale environment variables
< AcceptEnv LANG LC_*
<
---
> # override default of no subsystems
79,88d142
< # Set this to 'yes' to enable PAM authentication, account processing,
< # and session processing. If this is enabled, PAM authentication will
< # be allowed through the ChallengeResponseAuthentication and
< # PasswordAuthentication. Depending on your PAM configuration,
< # PAM authentication via ChallengeResponseAuthentication may bypass
< # the setting of "PermitRootLogin without-password".
< # If you just want the PAM account and session checks to run without
< # PAM authentication, then enable this but set PasswordAuthentication
< # and ChallengeResponseAuthentication to 'no'.
< UsePAM yes