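---
# Default variables for an sshd configuration role. The variable names mirror
# sshd_config directives; the template and tasks that consume them are not
# part of this file, so the notes below assume a one-to-one mapping.
# TODO confirm against the role's templates.

# Current OpenSSH releases only speak protocol 2, so this value presumably
# matters for legacy servers only.
sshd_protocol: 2

# NOTE(review): direct root login is permitted by default. With password and
# challenge-response authentication off this is limited to key-based logins,
# but "prohibit-password" or "no" is the more conservative default.
sshd_permit_root_login: "yes"
sshd_permit_empty_passwords: "no"
sshd_password_authentication: "no"
sshd_gssapi_authentication: "no"
sshd_strict_modes: "yes"

# Empty list: presumably no AllowGroups restriction is written, so every
# account with valid credentials may log in. Verify in the template.
sshd_allow_groups: []
sshd_ignore_rhosts: "yes"
sshd_hostbased_authentication: "no"

# NOTE(review): since OpenSSH 8.2 a ClientAliveCountMax of 0 disables
# connection termination instead of dropping the session after one interval.
# The 900 second idle timeout these two values suggest is then not enforced;
# check the behaviour on the target OpenSSH version.
sshd_client_alive_interval: 900
sshd_client_alive_count_max: 0

# AEAD ciphers are listed first, CTR modes after them.
sshd_ciphers:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

sshd_kex:
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256

# Presumably the smallest Diffie-Hellman group-exchange modulus the role
# keeps in the moduli file (confirm in tasks). Several hardening guides use
# 3072 bits or more.
sshd_moduli_minimum: 2048

# Encrypt-then-MAC (-etm) variants are listed first; the last three entries
# are the non-ETM forms of the same algorithms.
sshd_macs:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - umac-128-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256
  - umac-128@openssh.com

# NOTE(review): agent forwarding is off, but X11 and TCP forwarding are on by
# default. Both widen what an authenticated session can reach; set them to
# "no" on hosts that do not need them.
sshd_allow_agent_forwarding: "no"
sshd_x11_forwarding: "yes"
sshd_allow_tcp_forwarding: "yes"
sshd_compression: delayed

# INFO records logins; VERBOSE additionally logs the fingerprint of the key
# used, which helps when auditing key-based access.
sshd_log_level: INFO

# 6 matches the OpenSSH default; hardening baselines commonly recommend a
# lower value.
sshd_max_auth_tries: 6
sshd_max_sessions: 10
sshd_tcp_keep_alive: "yes"
sshd_use_dns: "no"
sshd_login_grace_time: 60

# Kept quoted: an unquoted digits-and-colons scalar can be read as a base-60
# number by YAML 1.1 parsers.
sshd_max_startups: "10:30:60"

# Presumably toggles use of the distribution's system-wide crypto policy
# (confirm in tasks). If so, check how it interacts with the cipher, kex and
# MAC lists above.
sshd_crypto_policy_enabled: true

# @var sshd_challenge_response_authentication:description: >
# If you disable password auth you should disable ChallengeResponseAuth also.
# @end
sshd_challenge_response_authentication: "no"

# Enabling this needs sshd_challenge_response_authentication set to "yes";
# the two defaults here are consistent only while both stay off.
# @var sshd_google_auth_enabled:description: >
# Google Authenticator requires ChallengeResponseAuth!
# @end
sshd_google_auth_enabled: false

# @var sshd_google_auth_exclude_group:description: Exclude a group from 2FA auth
# @var sshd_google_auth_exclude_group:example: $ "my_group"
# @var sshd_google_auth_exclude_group: $ "_unset_"
# Members of an excluded group log in without the second factor; keep that
# group small and review its membership.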