Here's a patch I run against my new setups (as part of a larger config script) to disable root SSH, allow only public/private key access (no passwords), and set up a template for when I want to allow a subcontractor SFTP-only access to a chroot directory.
Code:
--- sshd_config~ Wed Jan 28 23:45:17 2009
+++ sshd_config Wed Jan 28 23:47:54 2009
@@ -36,7 +36,7 @@
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin yes
+PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
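Review bot: `PermitRootLogin no` is the right setting for the stated goal, but the neighbouring options in this hunk stay at their commented defaults (`#LoginGraceTime 2m`, `#MaxAuthTries 6`); since the rest of the patch moves the host to key-only access, this is the place to lower them as well (a few seconds of grace time and 2-3 tries is plenty for a key exchange). Also note the hunk only applies where the shipped file still reads `#PermitRootLogin yes`; a distribution that ships the line uncommented or with a different value will reject the hunk, so the larger config script should check the result of `patch` rather than assume success.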
@@ -56,7 +56,7 @@
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
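Review bot: `PasswordAuthentication no` on its own does not give key-only logins. The hunk stops at the comment `# Change to no to disable s/key passwords` and leaves the option that comment introduces (`ChallengeResponseAuthentication`) at its default; where sshd is built with PAM, a password can still be accepted through the keyboard-interactive method. Add `ChallengeResponseAuthentication no` in this same hunk (and leave `PubkeyAuthentication` at its default of yes). Since this change locks out everyone without a key, the config script should confirm an `authorized_keys` entry exists before the patch is applied and sshd is reloaded.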
@@ -97,10 +97,9 @@
#Banner none
# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
+Subsystem sftp internal-sftp
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# ForceCommand cvs server
+# Match User ______
+# ForceCommand internal-sftp
+# ChrootDirectory /var/www
+
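Review bot: the new template drops the `AllowTcpForwarding no` and `X11Forwarding no` lines that the removed `anoncvs` example carried, but `ForceCommand internal-sftp` only fixes the session command; a client can still request TCP port forwarding under a forced command, which turns an "SFTP-only" account into a tunnel. Keep both lines in the template, i.e. `# ForceCommand internal-sftp` / `# AllowTcpForwarding no` / `# X11Forwarding no` above the `ChrootDirectory` line. Two caveats worth a comment in the template itself: sshd refuses the chroot unless `/var/www` and every parent directory are root-owned and not group- or world-writable, and the chrooted user then cannot write into `/var/www` itself, so the account needs a writable subdirectory below it; and `Match` blocks apply to everything that follows them, so the block must stay at the end of the file, which holds for this hunk only as long as nothing else is appended later. Switching the subsystem to `internal-sftp` is correct here, since `/usr/libexec/sftp-server` would not exist inside the chroot.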