--- sshd_protocol: 2 sshd_permit_root_login: "yes" sshd_permit_empty_passwords: "no" sshd_password_authentication: "no" sshd_gssapi_authentication: "no" sshd_strict_modes: "yes" sshd_allow_groups: [] sshd_ignore_rhosts: "yes" sshd_hostbased_authentication: "no" sshd_client_alive_interval: 900 sshd_client_alive_count_max: 0 sshd_ciphers: - chacha20-poly1305@openssh.com - aes256-gcm@openssh.com - aes128-gcm@openssh.com - aes256-ctr - aes192-ctr - aes128-ctr sshd_kex: - curve25519-sha256@libssh.org - diffie-hellman-group-exchange-sha256 sshd_moduli_minimum: 2048 sshd_macs: - hmac-sha2-512-etm@openssh.com - hmac-sha2-256-etm@openssh.com - umac-128-etm@openssh.com - hmac-sha2-512 - hmac-sha2-256 - umac-128@openssh.com sshd_allow_agent_forwarding: "no" sshd_x11_forwarding: "yes" sshd_allow_tcp_forwarding: "yes" sshd_compression: delayed sshd_log_level: INFO sshd_max_auth_tries: 6 sshd_max_sessions: 10 sshd_tcp_keep_alive: "yes" sshd_use_dns: "no" sshd_rekey_limit_size: "1G" sshd_rekey_limit_time: "1h" sshd_crypto_policy_enabled: True # @var sshd_challenge_response_authentication:description: > # If you disable password auth you should disable ChallengeResponseAuth also. # @end sshd_challenge_response_authentication: "no" # @var sshd_google_auth_enabled:description: > # Google Authenticator required ChallengeResponseAuth! # @end sshd_google_auth_enabled: False # @var sshd_google_auth_exclude_group:description: Exclude a group from 2FA auth # @var sshd_google_auth_exclude_group:example: $ "my_group" # @var sshd_google_auth_exclude_group: $ "_unset_"