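---
# OpenSSH client and server settings, keyed by ssh_config / sshd_config
# option name.
# NOTE(review): yes/no are read as booleans by YAML 1.1 loaders; whatever
# renders these maps must turn them back into the literal yes/no that
# OpenSSH expects. Confirm against the consuming template.

ssh_client_settings:
  # Host:
  #   - Host: "*"
  #     SendEnv: LANG LC_*
  #     HashKnownHosts: yes
  # NOTE(review): ForwardAgent is set at the top level, not inside a Host
  # entry, so it is presumably applied to every destination. While a
  # connection is open, a forwarded agent can be used by anyone with
  # sufficient privilege on the remote host. Consider enabling it only for
  # specific trusted hosts (via the Host list above) or using ProxyJump.
  ForwardAgent: yes
  # Store hashed host names in known_hosts rather than plain text.
  HashKnownHosts: yes

ssh_server_settings:
  Port: 22
  # NOTE(review): Protocol is deprecated in newer OpenSSH releases, where only
  # protocol 2 remains. Confirm the target version still accepts it quietly.
  Protocol: 2
  HostKey:
    - /etc/ssh/ssh_host_rsa_key
    - /etc/ssh/ssh_host_ecdsa_key
    - /etc/ssh/ssh_host_ed25519_key
  SyslogFacility: AUTH
  LogLevel: INFO
  # NOTE(review): prohibit-password disables password and
  # keyboard-interactive authentication for root, while AuthenticationMethods
  # below requires keyboard-interactive. Verify whether root is meant to be
  # able to log in at all with this combination.
  PermitRootLogin: prohibit-password
  PubkeyAuthentication: yes
  PermitEmptyPasswords: no
  # Comma-separated methods must ALL succeed: a public key followed by a
  # keyboard-interactive exchange. The key/value separator was missing on
  # this entry, which makes the mapping unparseable.
  AuthenticationMethods: publickey,keyboard-interactive
  # Must stay enabled for the keyboard-interactive step required above.
  ChallengeResponseAuthentication: yes
  PasswordAuthentication: no
  X11Forwarding: no
  PrintMotd: no
  PrintLastLog: yes
  AcceptEnv: LANG LC_*
  Subsystem:
    - sftp /usr/lib/openssh/sftp-server
  UsePAM: yes
  # Hardened cipher list
  KexAlgorithms: curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
  Ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  MACs: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
  # NOTE(review): ssh-rsa is the RSA signature scheme using SHA-1, which
  # recent OpenSSH releases disable by default. rsa-sha2-512 and rsa-sha2-256
  # are the SHA-2 schemes for the same RSA key. No ecdsa algorithm is listed,
  # so the ecdsa key under HostKey would not be offered. Confirm what is
  # intended before changing the list, since older clients may rely on it.
  HostKeyAlgorithms: ssh-rsa,ssh-ed25519
  # Match:
  #   - Match: "*"
  #     AllowAgentForwarding: yes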