# Hardened SSH Configuration
# Generated by Ansible - Do not edit manually
#
# Jinja2 template for sshd_config. Every {{ ssh_* }} value comes from
# variables defined outside this file, so the effective hardening level
# depends on those values as much as on the fixed directives below.
# NOTE(review): sshd expects the literal words yes/no for flag-style keywords.
# If the ssh_* variables are unquoted YAML booleans they may render as
# True/False - confirm they are defined as quoted strings.
# Validate the rendered file with `sshd -t` before the service is reloaded.

# Network
Port {{ ssh_port }}
# IPv4 only.
# NOTE(review): ssh_listen_address presumably holds an IPv4 address; an IPv6
# value would conflict with this setting - confirm.
AddressFamily inet
ListenAddress {{ ssh_listen_address }}

# Authentication
PermitRootLogin {{ ssh_permit_root_login }}
PubkeyAuthentication {{ ssh_pubkey_authentication }}
PasswordAuthentication {{ ssh_password_authentication }}
# With UsePAM yes, keyboard-interactive authentication can still prompt for a
# password through PAM. Password logins are only fully disabled when both
# PasswordAuthentication and this keyword render as "no".
# Newer OpenSSH releases document this keyword as a deprecated alias of
# KbdInteractiveAuthentication.
ChallengeResponseAuthentication {{ ssh_challenge_response_auth }}
UsePAM yes
MaxAuthTries {{ ssh_max_auth_tries }}
# AllowUsers is emitted only when the list is non-empty. With an empty list
# this file places no per-user restriction on who may log in.
{% if ssh_allowed_users | length > 0 %}
AllowUsers {{ ssh_allowed_users | join(' ') }}
{% endif %}

# Cryptography
# The three lists are rendered comma-separated exactly as supplied; nothing
# here filters weak or unsupported algorithms. Review them against the
# deployed OpenSSH version, since sshd rejects a configuration that names an
# algorithm it does not know.
# NOTE(review): an empty list would presumably render a keyword with no
# value - confirm the variables always have at least one entry.
Ciphers {{ ssh_ciphers | join(',') }}
MACs {{ ssh_macs | join(',') }}
KexAlgorithms {{ ssh_kex_algorithms | join(',') }}

# Features
X11Forwarding {{ ssh_x11_forwarding }}
PrintMotd no
PrintLastLog yes
# TCP-level keepalives are not protected by the SSH transport and can be
# spoofed; the ClientAlive* probes below travel inside the encrypted channel.
TCPKeepAlive yes
# Users cannot inject environment variables via ~/.ssh/environment or
# environment= options in authorized_keys.
PermitUserEnvironment no
Compression no
# An unresponsive client is dropped after roughly
# ClientAliveInterval * ClientAliveCountMax seconds.
ClientAliveInterval {{ ssh_client_alive_interval }}
ClientAliveCountMax {{ ssh_client_alive_count_max }}
# No reverse DNS lookup of the connecting client.
UseDNS no
# Disables tun(4) device forwarding only. AllowTcpForwarding and
# AllowAgentForwarding are not set in this template as shown, so sshd's
# defaults apply to them.
PermitTunnel no
# Pre-authentication banner; the file's contents are managed elsewhere.
# NOTE(review): confirm /etc/issue.net is deployed and does not disclose OS
# or version details.
Banner /etc/issue.net

# Subsystems
# sftp-server logs to the AUTHPRIV facility (-f) at level INFO (-l).
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO

# Logging
# sshd itself logs to the AUTH facility, which differs from the AUTHPRIV
# facility used by sftp-server above; log collection must cover both.
# VERBOSE is more detailed than sshd's default INFO level.
SyslogFacility AUTH
LogLevel VERBOSE