OpenSSH has many capabilities not all of which are appropiate depending on your local policy. Configure OpenSSH to conform to your policy. OpenSSH is configured in three places: compilation (compile time), server configuration, and client configuration. Compile time configuration covers basic details such as which entropy source to use, the location of configuration files, and whether binaries are SUID. Compile time configuration has the advantage that it can not be overriden. Server configuration concerns how and to whom the OpenSSH server should present itself on the network. Server configuration details include which protocols and authentication methods are offered, which users have been granted access, and how much logging of each connection should be done. Server configuration can not be overridden by the client. Client configuration covers which server to communicate with, server verification, and user ease of use.
Configuration in order of precedence is: software compile time, the server configuration file (sshd_config), client command line options, individual client configuration file (~/.ssh/config), and the global client configuration file (ssh_config). The location of sshd_config and ssh_config vary depending upon compile time options. They are usually located in /etc, /etc/ssh, or /usr/local/etc.
A defensive in-depth strategy of setting the preferred configuration redundantly at compile time, server configuration, and client configuration is recommended. This reduces the chances that a single accidental misconfiguration will weaken the integrity of the system.
Example client and server configuration files that document the recommended configuration are presented later in this document. Not all of the options presented in the files are described in this document.