# Based on https://infosec.mozilla.org/guidelines/openssh secure configuration guide

Include /etc/ssh/sshd_config.d/*.conf

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

LogLevel VERBOSE

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
MaxAuthTries 5
MaxSessions 8

PubkeyAuthentication yes

PasswordAuthentication no
PermitEmptyPasswords no

KbdInteractiveAuthentication no

KerberosAuthentication no
GSSAPIAuthentication no

UsePAM yes

AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server