# {{ansible_managed}}

#
# upstream features - https://man.openbsd.org/sshd_config
#

# accept locale-related environment variables
AcceptEnv LANG LC_*

# defined possible sshusers then parsed by sysprep/sshd subrole
AllowGroups sshusers

## powered by users role
#AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# kill idling sessions after one and half hour
ClientAliveInterval 5400

# default is yes
KbdInteractiveAuthentication no

# ipv4 only
ListenAddress 0.0.0.0

# default is 120s
LoginGraceTime 30s

# default is 6
MaxAuthTries 3

# default is yes
PasswordAuthentication no

# defined permit_root_login with ansible
PermitRootLogin {{permit_root_login}}

# defined sshd_port with ansible
Port {{sshd_port}}

# default is yes
PrintMotd no

# enable sftp
Subsystem sftp {{sftp_subsystem_path}}

#
# distribution-specific features
#

# avoid warnings about deprecated reading of user environment
# (/etc/pam.d/sshd:user_readenv=1)
UsePAM no