# Attention, do not make changes
# {{ ansible_managed }}

# Networking
Port {{ ssh_port }}

TCPKeepAlive yes

# Key exchange
#KexAlgorithms curve25519-sha256@libssh.org,
#              diffie-hellman-group-exchange-sha256
{% if ansible_distribution_release == 'wheezy' -%}
  KexAlgorithms diffie-hellman-group-exchange-sha256
{%- else -%}
  KexAlgorithms diffie-hellman-group-exchange-sha256
  {%- if use_diffie_hellman_group_exchange_sha256 -%}
    ,diffie-hellman-group-exchange-sha256
  {%- endif -%}
{%- endif %}

# Server authentication
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
{% if generate_ecdsa_too %}
HostKey /etc/ssh/ssh_host_ecdsa_key
{% endif %}
# Not available in openssh 6.7
# HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519

# Client authentication
PasswordAuthentication {{ sshd_password_authentication }}
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# User Authentication
{% if restrict_allow_users|default(True) %}
AllowUsers {{ sshd_allow_users|join(' ') }}
AllowGroups {{ sshd_allow_groups|join(' ') }}
{% endif %}
PermitRootLogin without-password

LoginGraceTime 120

StrictModes yes

# Not available in openssh 6.7
{% if only_allow_ed25519 == false %}# {%
endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519

# Symmetric ciphers
#Ciphers chacha20-poly1305@openssh.com,
#        aes256-gcm@openssh.com,
#        aes128-gcm@openssh.com,
#        aes256-ctr,
#        aes192-ctr,
#        aes128-ctr
{% if ansible_distribution_release == 'wheezy' -%}
  Ciphers aes192-ctr,aes256-ctr,arcfour256
{%- else -%}
  Ciphers chacha20-poly1305@openssh.com
  {%- if use_aes256_ctr -%}
    ,aes256-ctr
  {%- endif -%}
{%- endif %}


# Message authentication codes
#MACs hmac-sha2-512-etm@openssh.com,
#     hmac-sha2-256-etm@openssh.com,
#     hmac-ripemd160-etm@openssh.com,
#     umac-128-etm@openssh.com,
#     hmac-sha2-512,
#     hmac-sha2-256,
#     hmac-ripemd160,
#     umac-128@openssh.com
{% if ansible_distribution_release == 'wheezy' -%}
  MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
{%- else -%}
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
  {%- if use_hmac_sha2_512 -%}
    ,hmac-sha2-512
  {%- endif -%}
{%- endif %}

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

PrintMotd no

# sftp (required by ansible)
Subsystem sftp /usr/lib/openssh/sftp-server

# ETC