---
__sshd_packages:
  - net-misc/openssh
__sshd_sftp_server: /usr/lib64/misc/sftp-server
__sshd_defaults:
  Subsystem: "sftp {{ __sshd_sftp_server }}"
  # Replace tcp keepalive with unspoofable keepalive
  TCPKeepAlive: false
  ClientAliveInterval: 300
  ClientAliveCountMax: 2
  # Secure cipher and algorithm settings
  HostKey:
    - /etc/ssh/ssh_host_ed25519_key
    - /etc/ssh/ssh_host_rsa_key
  HostKeyAlgorithms: "ssh-ed25519,ssh-rsa,ssh-ed25519-cert-v01@openssh.com"
  KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
  Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
  MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
  AuthorizedKeysFile: .ssh/authorized_keys
  # Security settings
  PasswordAuthentication: false
  ChallengeResponseAuthentication: false
  PermitRootLogin: false
  # Login settings
  UsePAM: true
  PrintMotd: false
  PrintLastLog: true
  # Disable most forwarding types for more security
  AllowAgentForwarding: false
  AllowTcpForwarding: false
  AllowStreamLocalForwarding: false
__sshd_os_supported: true