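# sshd_config hardening template (Ansible/Jinja: {{ ssh_port }} is filled in at render time).
# Test every change with `sshd -t` and keep an existing session open while
# restarting, so a mistake cannot lock you out.

# --- MAIN ---

# Change default port 22 -> {{ ssh_port }} (reduces log noise from scanners).
# NOTE: a non-default port is obscurity, not access control; the real controls
# are below. Prefer a port below 1024: if sshd is ever stopped, any local
# unprivileged user can bind a free high port and impersonate it.
# Port must appear before any ListenAddress lines.
Port {{ ssh_port }}

# Optionally limit interfaces (default is all)
# ListenAddress 0.0.0.0   # IPv4
# ListenAddress ::        # IPv6

# SSH protocol 1 server support was removed in OpenSSH 7.4; 'Protocol' is a
# deprecated no-op there and only produces a startup warning, so it is not set.
# Protocol 2

# --- AUTHENTICATION ---

# Root may still log in WITH A KEY; password and interactive root logins are
# refused. Set to 'no' to block root entirely (admins then use sudo).
PermitRootLogin prohibit-password

# Disable password login (keys only)
PasswordAuthentication no

# Disable keyboard-interactive auth (PAM prompts, OTP/TOTP, ...).
# On OpenSSH >= 8.7 'ChallengeResponseAuthentication' is an alias of this
# option; the legacy name is kept for older servers and MUST agree with it.
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no

# Enable public key authentication (main method)
PubkeyAuthentication yes

# Make a key mandatory regardless of other *Authentication settings (e.g. a
# later Include or Match re-enabling passwords). Uncomment once every account
# that needs SSH has a key in place.
# AuthenticationMethods publickey

# --- ACCESS ---

# Allow only specific users or a group -- uncomment ONE form. Verify the listed
# account(s) already have a working key before restarting sshd.
# AllowUsers adminuser
# AllowGroups sshusers

# --- FUNCTION RESTRICTIONS ---

# Disallow empty passwords
PermitEmptyPasswords no

# Disallow user environment modification (~/.ssh/environment, authorized_keys
# environment= options) -- prevents LD_PRELOAD-style tricks
PermitUserEnvironment no

# Disable X11 forwarding (no GUI sessions)
X11Forwarding no

# Disable TCP forwarding (no tunnels). If a tunnel is genuinely required,
# re-enable it for that user/group only with a Match block at the end of
# this file rather than globally.
AllowTcpForwarding no

# Disable gateway ports (no binding of forwarded ports on external interfaces)
GatewayPorts no

# Disable VPN (tun/tap) tunnels via SSH
PermitTunnel no

# Disable SSH agent forwarding: a compromised server could use the forwarded
# agent to authenticate as the user elsewhere. Use ProxyJump on the client
# for multi-hop access instead.
AllowAgentForwarding no

# --- ANTI-BRUTEFORCE & STABILITY ---

# Login timeout (20 seconds)
LoginGraceTime 20

# Max 3 auth attempts per connection. Every key the client offers counts as an
# attempt, so users with many keys loaded in an agent should pin the right one
# with IdentitiesOnly/IdentityFile on the client side.
MaxAuthTries 3

# Limit simultaneous unauthenticated connections -- start:rate:full.
# Once 10 unauthenticated connections are pending, new ones are dropped with
# 30% probability; the probability rises linearly to 100% at 60 pending.
MaxStartups 10:30:60

# --- SESSION ACTIVITY ---

# Probe the client every 300s (5 minutes) inside the encrypted channel
ClientAliveInterval 300

# Disconnect after two unanswered probes (~10 minutes unresponsive)
ClientAliveCountMax 2

# Disable TCP keepalives: they are unencrypted and spoofable; ClientAlive
# above provides the same dead-peer detection inside the SSH channel.
TCPKeepAlive no

# Skip reverse-DNS checks for faster login (they add no security; a reverse
# DNS name is attacker-controlled and is only useful for host-based auth)
UseDNS no

# --- LOGGING ---

# VERBOSE logs the fingerprint of the key used for each login; valuable for
# audit and incident response. Uncomment if your log pipeline can take it.
# LogLevel VERBOSE

# --- SFTP ---

# Use internal SFTP subsystem (no external binary, works with ChrootDirectory)
Subsystem sftp internal-sftp

# --- CRYPTOGRAPHY (optional) ---
# Restricting algorithms locks out older clients; check `ssh -Q kex`,
# `ssh -Q cipher` and `ssh -Q mac` on the server before uncommenting.

# Modern key exchange algorithms (sntrup761x25519 needs OpenSSH >= 8.5)
# KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256

# Modern ciphers (AEAD first; aes256-ctr kept as a fallback)
# Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr

# Modern MAC algorithms (encrypt-then-MAC variants only; ignored for AEAD ciphers)
# MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com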