# {{ ansible_managed }} # Networking Port 22 TCPKeepAlive yes # Key exchange #KexAlgorithms curve25519-sha256@libssh.org, # diffie-hellman-group-exchange-sha256 KexAlgorithms curve25519-sha256@libssh.org # Server authentication Protocol 2 HostKey /etc/ssh/ssh_host_ed25519_key # Not available in openssh 6.7 # HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Client authentication PasswordAuthentication {{ sshd_password_authentication }} ChallengeResponseAuthentication no PubkeyAuthentication yes # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes # User Authentication {% if restrict_allow_users|default(True) %} AllowUsers {{ sshd_allow_users|join(' ') }} AllowGroups {{ sshd_allow_groups|join(' ') }} {% endif %} PermitRootLogin without-password LoginGraceTime 120 StrictModes yes # Not available in openssh 6.7 # PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Symmetric ciphers #Ciphers chacha20-poly1305@openssh.com, # aes256-gcm@openssh.com, # aes128-gcm@openssh.com, # aes256-ctr, # aes192-ctr, # aes128-ctr Ciphers chacha20-poly1305@openssh.com # Message authentication codes #MACs hmac-sha2-512-etm@openssh.com, # hmac-sha2-256-etm@openssh.com, # hmac-ripemd160-etm@openssh.com, # umac-128-etm@openssh.com, # hmac-sha2-512, # hmac-sha2-256, # hmac-ripemd160, # umac-128@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com # Allow client to pass locale environment variables AcceptEnv LANG LC_* PrintMotd no # sftp (required by ansible) Subsystem sftp /usr/lib/openssh/sftp-server # ETC