---
# Role defaults for the SSH server (sshd_config) settings.
# The values below are the hardened baseline; relax them per host or
# group in group_vars / host_vars rather than editing this file.
#
# Note on quoting: 'yes' / 'no' are deliberately quoted so they stay
# strings when rendered into sshd_config instead of becoming YAML
# booleans (which would render as True / False).

# Listener
ssh_port: 22
# One entry per ListenAddress; '0.0.0.0' binds every IPv4 address.
ssh_listen_addresses:
  - '0.0.0.0'

# Authentication policy
# Root may log in with a key only; password logins for root are refused.
ssh_permit_root_login: prohibit-password
# Password authentication is off; use public keys.
ssh_password_authentication: 'no'
ssh_pubkey_authentication: 'yes'
# Failed attempts allowed per connection before the session is dropped.
ssh_max_auth_tries: 3
# Seconds of inactivity before the server sends a keep-alive probe.
ssh_client_alive_interval: 300
ssh_max_sessions: 10
# Users explicitly permitted to log in. Empty here, so the restriction
# presumably is not emitted by the template — verify before relying on it.
ssh_allowed_users: []
# Only members of these groups may log in.
ssh_allowed_groups:
  - sudo

# Cryptographic algorithm allow-lists (key exchange, ciphers, MACs)
ssh_kex_algorithms:
  - curve25519-sha256@libssh.org
  - diffie-hellman-group16-sha512
ssh_ciphers:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
ssh_macs:
  - hmac-sha2-256-etm@openssh.com
  - hmac-sha2-512-etm@openssh.com

# Miscellaneous hardening
ssh_protocol: 2
# Do not reverse-resolve client addresses.
ssh_use_dns: 'no'
ssh_permit_empty_passwords: 'no'
ssh_challenge_response_auth: 'no'
ssh_gss_api_authentication: 'no'
ssh_x11_forwarding: 'no'
ssh_print_motd: 'no'
ssh_tcp_keep_alive: 'yes'
ssh_compression: 'no'

# Logging verbosity: one of QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
# DEBUG1, DEBUG2, DEBUG3.
ssh_log_level: INFO

# MaxStartups "start:rate:full" — concurrent unauthenticated connections
# (kept quoted so the colon-separated value is never read as a number).
ssh_max_startups: '10:30:100'

# How long a client may take to authenticate before being disconnected.
ssh_login_grace_time: 2m