diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 153a5ca..4e9100b 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -114,7 +114,7 @@ sshd_host_keys: sshd_max_startups: !!str "10:30:100" -sshd_max_auth_tries: 3 +sshd_max_auth_tries: 6 sshd_max_sessions: 10 @@ -1472,6 +1472,7 @@ remove_samba_users: [] # group_write_list: mbr-finanzen # vfs_object_recycle: true # recycle_path: '@Recycle.Bin' +# vfs_object_recycle_is_visible: false # samba_shares: [] diff --git a/roles/common/templates/etc/samba/smb.conf.j2 b/roles/common/templates/etc/samba/smb.conf.j2 index d28c666..d5d57bb 100644 --- a/roles/common/templates/etc/samba/smb.conf.j2 +++ b/roles/common/templates/etc/samba/smb.conf.j2 @@ -67,7 +67,7 @@ # This can be either the interface name or an IP address/netmask; # interface names are normally preferred ; interfaces = 127.0.0.0/8 eth0 - interfaces = {{ samba_server_ip }}/{{ samba_server_cidr_prefix }} 127.0.0.1/8 + interfaces = {{ samba_server_ip }}/{{ samba_server_cidr_prefix }} 127.0.0.1/8 # Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf hosts deny = 0.0.0.0/0 @@ -337,7 +337,7 @@ {% else %} read only = no {% endif %} -{% if item.writeable is defined and item.writeable |length > 0 %} +{% if item.writeable is defined and item.writeable|length > 0 %} writeable = {{ item.writeable }} {% else %} writeable = yes @@ -399,14 +399,18 @@ # - included in the entry. '*' and '?' can be used to specify multiple files or # - directories as in DOS wildcards. # - +{% if item.vfs_object_recycle_is_visible is defined and item.vfs_object_recycle_is_visible|bool %} + veto files = /.DS_Store/ +{% else %} veto files = /{{ item.recycle_path | default('@Recycle.Bin') }}/.DS_Store/ +{% endif %} delete veto files = yes -{% else %} +{% else %} -{% endif %} -{% else %} +{% endif %} +{% else %} -{% endif %} +{% endif %} {% endfor %} 
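Review bot: `sshd_max_auth_tries: 6` in the `@@ -114,7 +114,7 @@` hunk doubles the attempts an unauthenticated client gets per connection and lands on the stock OpenSSH default, so this removes a hardening choice rather than tuning it, and the commit records no reason. The same commit adds `Match User` / `Match Address` blocks in sshd_config.j2 that re-enable `PasswordAuthentication`, so the two changes together widen online password-guessing exposure for exactly those users and addresses; `sshd_max_startups` still throttles connections, but not attempts within one. If the motivation is clients whose agent offers several keys (each offered key presumably counts against MaxAuthTries), put that next to the value so it is not tightened back blindly: `# 6 is the OpenSSH default; each public key the client offers counts as one attempt`.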
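Review bot: The new example line `# vfs_object_recycle_is_visible: false` in the `@@ -1472,6 +1472,7 @@` hunk does not say what the flag changes, and the smb.conf.j2 hunk shows it only decides whether `recycle_path` is added to `veto files`. Since the rest of this commented block is the only documentation of the share keys, extend the line: `# vfs_object_recycle_is_visible: false  # true: recycle dir is not vetoed and stays browsable by clients`.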
diff --git a/roles/common/templates/etc/ssh/sshd_config.j2 b/roles/common/templates/etc/ssh/sshd_config.j2 index 9fdf72b..2b85304 100644 --- a/roles/common/templates/etc/ssh/sshd_config.j2 +++ b/roles/common/templates/etc/ssh/sshd_config.j2 @@ -144,9 +144,15 @@ PasswordAuthentication {{ sshd_password_authentication }} # The default is “no”. PermitEmptyPasswords no +{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 11) %} +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +KbdInteractiveAuthentication no +{% else %} # Specifies whether challenge-response authentication is allowed (e.g. via PAM). # The default is “yes”. ChallengeResponseAuthentication no +{% endif %} # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes @@ -389,10 +395,10 @@ Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp /usr/lib/openssh/sftp-server {% endif %} -# Specifies whether sshd(8) should look up the remote host name and check -# that the resolved host name for the remote IP address maps back to the +# Specifies whether sshd(8) should look up the remote host name and check +# that the resolved host name for the remote IP address maps back to the # very same IP address. -# The default is “yes”. +# The default is 'yes'. UseDNS {{ sshd_use_dns }} # Specifies whether X11 forwarding is permitted. The argument must be 
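Review bot: The `{% if %}` gating `KbdInteractiveAuthentication no` keys on the Debian major version, but what decides whether sshd accepts the keyword is the OpenSSH version (it replaced `ChallengeResponseAuthentication` in OpenSSH 8.7), and nothing in the hunk records that reasoning. Non-Debian hosts with a current sshd fall into the legacy branch, which still works because the old name remains accepted as an alias, so the gate is safe but looks arbitrary to the next reader; add a template comment above the condition: `{# OpenSSH >= 8.7 (Debian 12+) renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication; older sshd rejects the new keyword #}`. The new branch also copies the stock Debian wording ("Change to yes to enable ...") while the old branch documents the default, so the two comments read differently for the same setting.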
@@ -405,12 +411,12 @@ UseDNS {{ sshd_use_dns }} # The default is 10. X11DisplayOffset 10 -# Specifies whether the system should send TCP keepalive messages to the -# other side. If they are sent, death of the connection or crash of one +# Specifies whether the system should send TCP keepalive messages to the +# other side. If they are sent, death of the connection or crash of one # of the machines will be properly noticed. However, this means -# that connections will die if the route is down temporarily, and some -# people find it annoying. On the other hand, if TCP keepalives are not -# sent, sessions may hang indefinitely on the server, leaving “ghost” users +# that connections will die if the route is down temporarily, and some +# people find it annoying. On the other hand, if TCP keepalives are not +# sent, sessions may hang indefinitely on the server, leaving 'ghost' users # and consuming server resources. # # The default is “yes” (to send TCP keepalive messages), and the server @@ -463,4 +469,36 @@ Match group sftp_users ChrootDirectory %h ForceCommand internal-sftp +Match all + {% endif -%} + +{% if (sshd_pasword_auth_user is defined) and sshd_pasword_auth_user %} + +#----------------------------- +# Match User for PasswordAuthentication +#----------------------------- +{% for item in sshd_pasword_auth_user %} + +Match User {{ item }} + PasswordAuthentication yes + +Match all + +{% endfor %} +{% endif %} + +{% if (sshd_pasword_auth_ip is defined) and sshd_pasword_auth_ip %} + +#----------------------------- +# Match IP Address for PasswordAuthentication +#----------------------------- +{% for item in sshd_pasword_auth_ip %} + +Match Address {{ item }} + PasswordAuthentication yes + +Match all + +{% endfor %} +{% endif %} diff --git a/roles/common/templates/etc/ssh/sshd_config.ubuntu.j2 b/roles/common/templates/etc/ssh/sshd_config.ubuntu.j2 index 7970d0c..83df11f 100644 --- a/roles/common/templates/etc/ssh/sshd_config.ubuntu.j2 
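Review bot: In the `@@ -463,4 +469,36 @@` hunk the new variables are spelled `sshd_pasword_auth_user` and `sshd_pasword_auth_ip` (missing an "s"), while the variable rendered earlier in this template is `sshd_password_authentication`; once inventories start setting the misspelled names the rename becomes a breaking change, so fix it before merge (`sshd_password_auth_users`, `sshd_password_auth_addresses`). These blocks selectively turn `PasswordAuthentication yes` back on, and the `Match User` form applies from any source address, so a comment above that loop should say that an address-scoped match is preferred where the client set is known, e.g. `{# Prefer sshd_password_auth_addresses: a Match User exception is reachable from everywhere #}`. The list values are rendered unquoted into `Match User` / `Match Address`, so the group_vars documentation should state one user or one address/CIDR per entry. The first added line `Match all` is what terminates the preceding sftp `Match group` block; that block's enclosing `{% if %}` starts outside the hunk.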
+++ b/roles/common/templates/etc/ssh/sshd_config.ubuntu.j2 @@ -252,10 +252,10 @@ AcceptEnv LANG LC_* # By default no subsystems are defined. Subsystem sftp /usr/lib/openssh/sftp-server -# Specifies whether sshd(8) should look up the remote host name and check -# that the resolved host name for the remote IP address maps back to the +# Specifies whether sshd(8) should look up the remote host name and check +# that the resolved host name for the remote IP address maps back to the # very same IP address. -# The default is “yes”. +# The default is 'yes'. UseDNS {{ sshd_use_dns }} # Specifies whether X11 forwarding is permitted. The argument must be @@ -268,12 +268,12 @@ UseDNS {{ sshd_use_dns }} # The default is 10. X11DisplayOffset 10 -# Specifies whether the system should send TCP keepalive messages to the -# other side. If they are sent, death of the connection or crash of one +# Specifies whether the system should send TCP keepalive messages to the +# other side. If they are sent, death of the connection or crash of one # of the machines will be properly noticed. However, this means -# that connections will die if the route is down temporarily, and some -# people find it annoying. On the other hand, if TCP keepalives are not -# sent, sessions may hang indefinitely on the server, leaving “ghost” users +# that connections will die if the route is down temporarily, and some +# people find it annoying. On the other hand, if TCP keepalives are not +# sent, sessions may hang indefinitely on the server, leaving 'ghost' users # and consuming server resources. # # The default is “yes” (to send TCP keepalive messages), and the server