# Standard sshd config of Jannik Beyerstedt Protocol 2 #Port 4422 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: # Ciphers and keying #RekeyLimit default none KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com # Logging #SyslogFacility AUTH LogLevel VERBOSE # Authentication: #LoginGraceTime 2m {% if 'root' == ansible_user_id %} PermitRootLogin yes {% else %} PermitRootLogin no {% endif %} #StrictModes yes MaxAuthTries 2 MaxSessions 2 IgnoreRhosts yes # Password based logins are disabled - only public key based logins are allowed. AuthenticationMethods publickey PasswordAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no UsePAM yes AllowAgentForwarding no AllowTcpForwarding no #GatewayPorts no X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes PrintMotd no #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 ClientAliveCountMax 2 UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # Allow client to pass locale environment variables AcceptEnv LANG LC_* # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise. {% if ((override_os_family is defined) | ternary(override_os_family,ansible_os_family)) == 'Centos' %} Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO {% else %} Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO {% endif %} # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server