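---
# Ansible role defaults for sshd (Gentoo package and sftp-server path).
sshd_packages:
  - net-misc/openssh

sshd_sftp_server: /usr/lib64/misc/sftp-server

# Baseline sshd_config directives. Keys are sshd_config keywords; the role's
# template (not visible in this file) renders them into sshd_config.
# Boolean-looking values are spelled true/false: under YAML 1.1 (PyYAML/Ansible)
# yes/no/on/off parse to the very same booleans, so this is a spelling change
# only. NOTE(review): the template is expected to map these booleans to yes/no;
# PermitRootLogin in particular does not accept true/false — confirm against the
# template.
__sshd_defaults:
  Subsystem: "sftp {{ sshd_sftp_server }}"

  # Replace TCP keepalives (sent outside the encrypted channel, spoofable) with
  # protocol-level client-alive probes: disconnect after 2 unanswered probes
  # sent 300 s apart (~10 minutes of silence).
  TCPKeepAlive: false
  ClientAliveInterval: 300
  ClientAliveCountMax: 2

  # Host keys: ed25519 preferred; RSA kept for clients without ed25519 support.
  HostKey:
    - /etc/ssh/ssh_host_ed25519_key
    - /etc/ssh/ssh_host_rsa_key

  # Host key signature algorithms. The RSA host key is offered only with SHA-2
  # signatures (rsa-sha2-512/256). "ssh-rsa" is the SHA-1 signature scheme; it
  # is disabled by default since OpenSSH 8.8 and listing it explicitly would
  # re-enable it. Certificate variants are listed first so a host certificate,
  # if one is deployed later, is preferred over the raw key.
  HostKeyAlgorithms: "ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256"

  # Key exchange: curve25519 first (IANA name plus the older libssh.org alias
  # for clients that only know that spelling), then a fixed 4096-bit FFDH group,
  # then group exchange. group-exchange-sha256 draws its groups from
  # /etc/ssh/moduli; prune entries below 3072 bits there, otherwise a client can
  # negotiate a weaker group than the fixed one listed here.
  KexAlgorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256"

  # AEAD ciphers first; CTR modes kept for compatibility, in which case
  # integrity relies on the MAC list below (SHA-2/UMAC only, encrypt-then-MAC
  # variants preferred).
  Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
  MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"

  AuthorizedKeysFile: .ssh/authorized_keys

  # Authentication: public key only. Password and keyboard-interactive
  # (challenge-response) are both disabled so PAM cannot reintroduce password
  # prompts; UsePAM stays on below for account/session handling.
  # ChallengeResponseAuthentication was renamed KbdInteractiveAuthentication in
  # OpenSSH 8.7; the old keyword remains an accepted alias.
  PasswordAuthentication: false
  ChallengeResponseAuthentication: false
  PermitRootLogin: false

  # Login settings
  UsePAM: true
  PrintMotd: false
  PrintLastLog: true

  # Forwarding disabled: this host is not meant to act as a jump host or
  # tunnel endpoint. These directives only stop sshd itself from forwarding;
  # a user with shell access can still relay traffic with their own tools.
  AllowAgentForwarding: false
  AllowTcpForwarding: false
  AllowStreamLocalForwarding: false

__sshd_os_supported: true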