# Attention, do not make changes # {{ ansible_managed }} # Networking Port {{ ssh_port }} TCPKeepAlive yes # Key exchange #KexAlgorithms curve25519-sha256@libssh.org, # diffie-hellman-group-exchange-sha256 KexAlgorithms curve25519-sha256@libssh.org{% if use_diffie_hellman_group_exchange_sha256 %},diffie-hellman-group-exchange-sha256{% endif %} # Server authentication Protocol 2 HostKey /etc/ssh/ssh_host_ed25519_key {% if generate_ecdsa_too %} HostKey /etc/ssh/ssh_host_ecdsa_key {% endif %} # Not available in openssh 6.7 # HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Client authentication PasswordAuthentication {{ sshd_password_authentication }} ChallengeResponseAuthentication no PubkeyAuthentication yes # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes # User Authentication {% if restrict_allow_users|default(True) %} AllowUsers {{ sshd_allow_users|join(' ') }} AllowGroups {{ sshd_allow_groups|join(' ') }} {% endif %} PermitRootLogin without-password LoginGraceTime 120 StrictModes yes # Not available in openssh 6.7 {% if only_allow_ed25519 == false %}# {% endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Symmetric ciphers #Ciphers chacha20-poly1305@openssh.com, # aes256-gcm@openssh.com, # aes128-gcm@openssh.com, # aes256-ctr, # aes192-ctr, # aes128-ctr Ciphers chacha20-poly1305@openssh.com{% if use_aes256_ctr %},aes256-ctr{% endif %} # Message authentication codes #MACs hmac-sha2-512-etm@openssh.com, # hmac-sha2-256-etm@openssh.com, # hmac-ripemd160-etm@openssh.com, # umac-128-etm@openssh.com, # hmac-sha2-512, # hmac-sha2-256, # hmac-ripemd160, # umac-128@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com{% if use_hmac_sha2_512 %},hmac-sha2-512{% endif %} # Allow client to pass locale environment variables AcceptEnv LANG LC_* PrintMotd no # sftp (required by ansible) Subsystem sftp /usr/lib/openssh/sftp-server # ETC