--- __sshd_packages: - net-misc/openssh __sshd_sftp_server: /usr/lib64/misc/sftp-server __sshd_defaults: Subsystem: "sftp {{ __sshd_sftp_server }}" # Replace tcp keepalive with unspoofable keepalive TCPKeepAlive: no ClientAliveInterval: 300 ClientAliveCountMax: 2 # Secure cipher and algorithm settings HostKey: - /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_rsa_key HostKeyAlgorithms: "ssh-ed25519,ssh-rsa,ssh-ed25519-cert-v01@openssh.com" KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" AuthorizedKeysFile: .ssh/authorized_keys # Security settings PasswordAuthentication: no ChallengeResponseAuthentication: no PermitRootLogin: no # Login settings UsePAM: yes PrintMotd: no PrintLastLog: yes # Disable most forwarding types for more security AllowAgentForwarding: no AllowTcpForwarding: no AllowStreamLocalForwarding: no __sshd_os_supported: yes