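#jinja2: lstrip_blocks: True
# {{ ansible_managed }}
#
# Hardened sshd_config template. Deploy through a task that validates the
# rendered file before it replaces the live one (e.g. `validate: /usr/sbin/sshd
# -t -f %s`) and re-check the host with ssh-audit after every change.

# --- Authentication ----------------------------------------------------------
# Public-key authentication only. ChallengeResponseAuthentication is the legacy
# alias of KbdInteractiveAuthentication (renamed in OpenSSH 8.7); the old name is
# kept because it parses on every supported release and disables the same thing.
ChallengeResponseAuthentication no
# PAM stays on for account/session handling (expiry, limits, pam_nologin). With
# PasswordAuthentication off it must not be used to re-introduce password
# prompts, so do not set KbdInteractiveAuthentication yes alongside it.
UsePAM yes
PasswordAuthentication no
PermitRootLogin no

# Allow specific users only.
# A bare "AllowUsers" line with no names does not deny anyone — sshd treats an
# empty list as "no restriction" — so an empty ssh_users must never render the
# original unguarded form. Ideally the play asserts `ssh_users | length > 0`
# before templating; as a fail-closed fallback an empty list renies everyone
# (console access is still needed to recover).
{% if ssh_users | length > 0 %}
AllowUsers {% for item in ssh_users %}{{ item.name }} {% endfor %}
{% else %}
# ssh_users is empty: refusing all logins rather than allowing all of them.
DenyUsers *
{% endif %}

# --- Session limits and hardening -------------------------------------------
LoginGraceTime 2m
# With the default ClientAliveCountMax (3) an unresponsive client is dropped
# after 30 minutes; set ClientAliveCountMax explicitly if a different idle
# timeout is intended.
ClientAliveInterval 600
StrictModes yes
# No port, socket or X11 forwarding through this host. Agent forwarding is left
# at the sshd default (yes); add "AllowAgentForwarding no" if it is not needed,
# and consider MaxAuthTries / MaxSessions for brute-force and fan-out limits.
AllowTcpForwarding no
AllowStreamLocalForwarding no
X11Forwarding no

## Cryptographic policy (01.2024, ssh-audit and
## https://www.ssh.com/academy/ssh/sshd_config#cryptographic-policy)
# NOTE: in SSH the client's preference order decides; the server-side order
# below only matters as documentation of intent.

# Encryption algorithms (ciphers): AES-GCM (AEAD) and AES-CTR only. No CBC, and
# no chacha20-poly1305@openssh.com, which is affected by CVE-2023-48795
# (Terrapin) unless both sides negotiate strict KEX.
Ciphers aes256-ctr,aes128-ctr,aes192-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

# Host-key algorithms. ssh-dss (DSA) removed: 1024-bit keys with SHA-1, disabled
# by default since OpenSSH 7.0 and not compiled in since 9.8 — on such builds an
# unknown name in this list fails config parsing (`sshd -t`) and sshd will not
# start. ssh-rsa (SHA-1 signatures) stays excluded; rsa-sha2-* covers RSA host
# keys. If certificate host keys are used, their *-cert-v01@openssh.com names
# must be added here as well.
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256

# Key exchange algorithms. diffie-hellman-group-exchange-sha256 draws its groups
# from /etc/ssh/moduli; ssh-audit probes the offered group sizes and flags small
# ones, so prune groups below 2048 (preferably 3072) bits or drop the algorithm.
# On OpenSSH >= 8.5 the hybrid post-quantum sntrup761x25519-sha512@openssh.com
# can be added; older servers reject the unknown name at startup.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

# Message authentication code (MAC) algorithms. Encrypt-then-MAC variants first;
# the plain hmac-sha2-* names are encrypt-and-MAC, which ssh-audit warns about,
# and are kept only as a fallback for legacy clients — drop them once none
# remain. MACs apply to the CTR ciphers only; GCM carries its own tag.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256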