sshd - Add safety measures to the default installed sshd_config
* Uncomment various sshd_config options to enforce their defaults.
This does not make any changes to the current defaults but ensures that
the configuration state for these particular options will not change
if the default happens to be changed in the distributed codebase.
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
* Change the ChallengeResponseAuthentication default from 'yes' to 'no'.
This only applies to PAM and PAM is disabled by default so this change
has no effect unless PAM is enabled by default at some future time.
* For now leave UsePAM commented out, do not enforce its default 'no' state.
The changes above will make it safe if the codebase default changes in
the future. The codebase default is currently 'no'.
* Note that we previously also changed the PasswordAuthentication default
to 'no', so everything is on the same page now.
Suggested-by: Doug Barton <dougb@freebsd.org> (generally)