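# Attention, local changes will be overwritten
# MIT (C) L3D
# {{ ansible_managed }}
{# Jinja2 template for sshd_config. The '-' whitespace control on the algorithm
   loops below is what keeps each comma-separated list on a single directive
   line; keep it when editing. '#' lines render into the file, '{# #}' do not. #}

# Networking
Port {{ sshd.port }}
TCPKeepAlive yes

# Key exchange
{{ 'KexAlgorithms ' }}
{%- for algo in sshd.kex_algorithmus -%}
{{ algo }}{{ "," if not loop.last }}
{%- endfor %}

# Ciphers:
{{ 'Ciphers ' }}
{%- for cipher in sshd.ciphers -%}
{{ cipher }}{{ "," if not loop.last }}
{%- endfor %}

# Macs
{{ 'MACs ' }}
{%- for mac in sshd.macs -%}
{{ mac }}{{ "," if not loop.last }}
{%- endfor %}

# Server authentication
Protocol 2
{% if sshd.manage_key_types | bool -%}
# host key types
{% for key in sshd.key_types %}
HostKey /etc/ssh/ssh_host_{{ key }}_key
{% endfor %}
{%- endif %}

# HostKeyAlgorithms
# Maybe not available in openssh 6.7
{{ 'HostKeyAlgorithms ' }}
{%- for key in sshd.key_algorithmus -%}
{{ key }}{{ "," if not loop.last }}
{%- endfor %}

# Client authentication
PasswordAuthentication
{%- if sshd.password_authentication | bool -%}
{{ ' yes' }}
{% else -%}
{{ ' no' }}
{% endif %}
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# 'without-password' is the older spelling of 'prohibit-password' (OpenSSH >= 7.0):
# root may authenticate with a key only, never with a password.
PermitRootLogin without-password
LoginGraceTime 120
StrictModes yes

# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# User Authentication
{# NOTE(review): sshd_allowed_users / sshd_allowed_groups are flat variables,
   unlike the sshd.* dict used everywhere else - confirm they are defined in
   the role defaults. #}
{% if sshd.restrict_users -%}
AllowUsers {{ sshd_allowed_users|join(' ') }}
{%- endif %}
{# Group restriction must use AllowGroups: sshd matches the AllowUsers patterns
   against user names, so group names listed there would never match the
   intended accounts. #}
{% if sshd.restrict_groups -%}
AllowGroups {{ sshd_allowed_groups|join(' ') }}
{%- endif %}

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
PrintMotd no

# sftp (required by ansible)
# Subsystem sftp /usr/lib/openssh/sftp-server
{% if ansible_os_family == 'RedHat' %}
Subsystem sftp /usr/libexec/openssh/sftp-server
{% else %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}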