# Standard sshd config of Jannik Beyerstedt

Protocol 2
#Port 4422
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Ciphers and keying
#RekeyLimit default none
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Logging
#SyslogFacility AUTH
LogLevel VERBOSE

# Authentication:
#LoginGraceTime 2m
{% if 'root' == ansible_user_id %}
PermitRootLogin yes
{% else %}
PermitRootLogin no
{% endif %}
#StrictModes yes
MaxAuthTries 2
MaxSessions 2

IgnoreRhosts yes

# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

UsePAM yes

AllowAgentForwarding no
AllowTcpForwarding yes
PermitOpen any
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
ClientAliveCountMax 2
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
{% if ((override_os_family is defined) | ternary(override_os_family,ansible_os_family)) == 'Centos' %}
Subsystem sftp  /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO
{% elif ((override_os_family is defined) | ternary(override_os_family,ansible_os_family)) == 'FreeBSD' %}
Subsystem sftp  /usr/libexec/sftp-server
{% else %}
Subsystem sftp  /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
{% endif %}

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server