---- openssh-4.6p1/sshd_config~ 2007-10-13 01:37:17.000000000 +0200
-+++ openssh-4.6p1/sshd_config 2007-10-13 01:47:12.000000000 +0200
-@@ -34,6 +35,7 @@
-
- #LoginGraceTime 2m
- #PermitRootLogin yes
-+PermitRootLogin no
- #StrictModes yes
- #MaxAuthTries 6
-
-@@ -50,10 +51,13 @@
- #IgnoreUserKnownHosts no
- # Don't read the user's ~/.rhosts and ~/.shosts files
- #IgnoreRhosts yes
-+IgnoreRhosts yes
-
- # To disable tunneled clear text passwords, change to no here!
- #PasswordAuthentication yes
- #PermitEmptyPasswords no
-+PasswordAuthentication yes
-+PermitEmptyPasswords no
-
- # Change to no to disable s/key passwords
- #ChallengeResponseAuthentication yes
-@@ -66,6 +67,8 @@
- # GSSAPI options
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
-+GSSAPIAuthentication yes
-+GSSAPICleanupCredentials yes
-
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
-@@ -89,10 +89,12 @@
- # If you just want the PAM account and session checks to run without
- # PAM authentication, then enable this but set PasswordAuthentication
- # and ChallengeResponseAuthentication to 'no'.
--#UsePAM no
-+UsePAM yes
-
- #AllowAgentForwarding yes
--#AllowTcpForwarding yes
-+# Security advisory:
-+# http://securitytracker.com/alerts/2004/Sep/1011143.html
-+AllowTcpForwarding no
- #GatewayPorts no
- #X11Forwarding no
- #X11DisplayOffset 10
-@@ -106,6 +109,9 @@
- # no default banner path
- #Banner /some/path
-
-+# Accept locale-related environment variables
-+AcceptEnv LANG LC_* LANGUAGE TZ
+diff -ur openssh-9.5p1.org/ssh_config openssh-9.5p1/ssh_config
+--- openssh-9.5p1.org/ssh_config 2023-10-04 06:34:10.000000000 +0200
++++ openssh-9.5p1/ssh_config 2023-11-28 09:12:00.249971177 +0100
+@@ -44,3 +44,6 @@
+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
+ # RekeyLimit 1G 1h
+ # UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+
- # override default of no subsystems
- Subsystem sftp /usr/libexec/sftp-server
-
---- openssh-4.6p1/ssh_config~ 2006-06-13 05:01:10.000000000 +0200
-+++ openssh-4.6p1/ssh_config 2007-10-13 02:00:16.000000000 +0200
-@@ -20,12 +20,15 @@
- # Host *
- # ForwardAgent no
- # ForwardX11 no
-+# ForwardX11Trusted yes
- # RhostsRSAAuthentication no
- # RSAAuthentication yes
- # PasswordAuthentication yes
- # HostbasedAuthentication no
- # GSSAPIAuthentication no
- # GSSAPIDelegateCredentials no
-+# GSSAPIKeyExchange no
-+# GSSAPITrustDNS no
- # BatchMode no
- # CheckHostIP yes
- # AddressFamily any
-@@ -42,3 +45,19 @@
- # Tunnel no
- # TunnelDevice any:any
- # PermitLocalCommand no
++# Put your local config in *.conf files
++Include /etc/ssh/ssh_config.d/*.conf
+diff -ur openssh-9.5p1.org/sshd_config openssh-9.5p1/sshd_config
+--- openssh-9.5p1.org/sshd_config 2023-10-04 06:34:10.000000000 +0200
++++ openssh-9.5p1/sshd_config 2023-11-28 09:12:18.119971176 +0100
+@@ -114,3 +114,6 @@
+ # AllowTcpForwarding no
+ # PermitTTY no
+ # ForceCommand cvs server
+
-+Host *
-+ GSSAPIAuthentication yes
-+ GSSAPIDelegateCredentials no
-+ ForwardAgent no
-+ ForwardX11 no
-+# If this option is set to yes then remote X11 clients will have full access
-+# to the original X11 display. As virtually no X11 client supports the untrusted
-+# mode correctly we set this to yes.
-+ ForwardX11Trusted yes
-+ StrictHostKeyChecking no
-+ ServerAliveInterval 60
-+ ServerAliveCountMax 10
-+ TCPKeepAlive no
-+# Send locale-related environment variables
-+ SendEnv LANG LC_* LANGUAGE TZ
++# Put your local config in *.conf files
++Include /etc/ssh/sshd_config.d/*.conf