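# {{ ansible_managed }}
Port 22
Protocol 2
# Host keys. The DSA key was dropped: DSA is limited to 1024 bits and has been
# disabled by default since OpenSSH 7.0, so listing it only produced
# "Could not load host key" noise on hosts where the file is absent.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
### Algorithm selection, originally taken from https://cipherli.st
# diffie-hellman-group14-sha1 is the only SHA-1 key exchange offered. It is last
# in the list, so a client only negotiates it when it supports nothing stronger.
# Remove it once no legacy client (see the MACs note below) depends on it.
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# hmac-sha1 is kept, last in preference, because the Jenkins client needs it.
# hmac-ripemd160 / hmac-ripemd160-etm@openssh.com were removed from OpenSSH 7.6;
# an unknown MAC name is a fatal configuration error ("Bad SSH2 mac spec") that
# stops sshd from starting, so they are no longer listed.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,hmac-sha1
###
UsePrivilegeSeparation yes
# Protocol-1-only directives (KeyRegenerationInterval, ServerKeyBits,
# RSAAuthentication, RhostsRSAAuthentication) were removed: Protocol 2 is
# forced above, they had no effect, and OpenSSH >= 7.4 warns about them as
# deprecated.
SyslogFacility AUTH
# INFO does not record the fingerprint of the key that authenticated; switch to
# VERBOSE if logins have to be attributed to an individual key returned by the
# AuthorizedKeysCommand below.
LogLevel INFO
LoginGraceTime 120
# Root login is disabled globally. The "Match User root" block further down
# does not set PermitRootLogin, so as written root cannot log in at all and
# that block only becomes effective if PermitRootLogin is raised inside it.
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
# PasswordAuthentication is not set at global scope, so it stays at the OpenSSH
# default (yes) for every account that no Match block below covers; PAM
# keyboard-interactive is enabled as well.
ChallengeResponseAuthentication yes
UseDNS no
# X11 forwarding is enabled globally and only switched off for the root,
# ansible and sftp accounts in the Match blocks below.
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
UsePAM yes
Subsystem sftp internal-sftp
# Public keys are looked up by an external script that sshd runs as root on
# every public-key attempt. sshd refuses to run it unless it is owned by root
# and not group/world-writable; running it under a dedicated unprivileged user
# instead of root would contain a bug in the script. With no arguments given,
# sshd passes the username as the sole argument. This directive is global, so
# it is also consulted for the sftp group below (AuthorizedKeysFile there does
# not disable it).
AuthorizedKeysCommand /var/cache/di/di-gogs-sshkeys.py
AuthorizedKeysCommandUser root
# Match blocks extend to the next Match or end of file; keep them last.
Match User root
  AuthenticationMethods publickey
  PubkeyAuthentication yes
  MaxSessions 1
  PasswordAuthentication no
  AllowTcpForwarding no
  PermitTunnel no
  X11Forwarding no
# Automation account: key-only, no forwarding, more sessions than root.
Match User ansible
  AuthenticationMethods publickey
  PubkeyAuthentication yes
  MaxSessions 10
  PasswordAuthentication no
  AllowTcpForwarding no
  PermitTunnel no
  X11Forwarding no
# Members of di-2fa cannot authenticate with a key and fall back to PAM
# keyboard-interactive / password. NOTE(review): nothing in this file enforces
# a second factor (no AuthenticationMethods here), so "2fa" rests entirely on
# the PAM stack — confirm it actually requires one.
Match Group di-2fa
  PubkeyAuthentication no
# SFTP-only accounts, chrooted into their home directory. sshd requires the
# chroot directory and all of its parents to be root-owned and not
# group/world-writable, which is why keys are read from
# /etc/ssh/authorized_keys/<user> rather than from the (unwritable) ~/.ssh.
Match Group sftp
  ForceCommand internal-sftp
  ChrootDirectory %h
  AuthorizedKeysFile /etc/ssh/authorized_keys/%u
  AllowTcpForwarding no
  PermitTunnel no
  X11Forwarding no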