# This is used by sshd in default VRF to receive configuration updates. Lock
# down to only allow executing the update script.

# Only allow pubkey auth.
KbdInteractiveAuthentication no
PasswordAuthentication no
PermitRootLogin prohibit-password

# Disable what we can.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no

# And then disable everything else.
ForceCommand /usr/local/bin/update