---

openssh_sshd_config_path: /etc/ssh

openssh_port: 22
openssh_address_family: any
openssh_listen_addresses:
  - 0.0.0.0

openssh_hostkeys:
  - /etc/ssh/ssh_host_ed25519_key
  - /etc/ssh/ssh_host_ecdsa_key
  - /etc/ssh/ssh_host_rsa_key

openssh_allow_groups: ssh
openssh_login_grace_time: 20
openssh_permit_root_login: 'no'
openssh_strict_modes: 'yes'
openssh_max_auth_tries: 3
openssh_max_sessions: 2

openssh_pubkey_authentication: 'yes'

openssh_authorized_keys_file: .ssh/authorized_keys

openssh_kexalgorithms:
  # Compliant with Mozilla Modern
  - curve25519-sha256@libssh.org
  - ecdh-sha2-nistp521
  - ecdh-sha2-nistp384
  - ecdh-sha2-nistp256
  - diffie-hellman-group-exchange-sha256

openssh_ciphers:
  # Compliant with Mozilla Modern
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

openssh_macs:
  # Compliant with Mozilla Modern
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - umac-128-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256
  - umac-128@openssh.com

openssh_hostbased_authentication: 'no'
openssh_password_authentication: 'no'
openssh_permit_empty_passwords: 'no'
openssh_challenge_response_authentication: 'no'
openssh_kerberos_authentication: 'no'
openssh_gssapi_authentication: 'no'
openssh_use_pam: 'yes'

openssh_allow_agent_forwarding: 'no'
openssh_permit_tunnel: 'no'

openssh_x11_forwarding: 'no'

openssh_print_motd: 'no'

openssh_permit_user_env: false
openssh_accept_env:
  - LANG
  - 'LC_*'

openssh_banner: true
openssh_banner_file: /etc/issue.net

openssh_loglevel: "VERBOSE"