update..

2024-10-19 10:18:05 +02:00 · 2024-10-19 10:18:05 +02:00 · c771ba2095
commit c771ba2095
parent 134eb18465
6 changed files with 319 additions and 74 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -2082,6 +2082,8 @@ sshd_pubkey_authentication: !!str "yes"
 sshd_password_authentication: !!str "no"
 sshd_kbd_interactive_authentication:
 sshd_use_pam: !!str "yes"
 #sshd_allowed_users:
@ -2095,6 +2097,7 @@ sshd_use_dns: !!str "no"
 sshd_gateway_ports: !!str "no"
 sshd_required_rsa_size: 4096
 # sshd_pubkey_accepted_algorithms:
 #
@ -2129,43 +2132,57 @@ sshd_gateway_ports: !!str "no"
 #
 # Example:
 #    sshd_kexalgorithms:
-#      - curve25519-sha256@libssh.org
+#      - ntrup761x25519-sha512@openssh.com
 #      - curve25519-sha256,curve25519-sha256@libssh.org
 #      - ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
 #      - diffie-hellman-group-exchange-sha256
-#      - diffie-hellman-group14-sha1
+#      - diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
 #      - diffie-hellman-group14-sha256
 #
 #sshd_kexalgorithms: {}
-sshd_hostkeyalgorithms:
+# sshd__ciphers
  - ssh-ed25519
  - ssh-ed25519-cert-v01@openssh.com
  - rsa-sha2-256
  - rsa-sha2-512
  - rsa-sha2-256-cert-v01@openssh.com
  - rsa-sha2-512-cert-v01@openssh.com
 # sshd_kexalgorithms
 #
 # Example:
 #    sshd_ciphers:
 #      - chacha20-poly1305@openssh.com
-#      - aes256-gcm@openssh.com
+#      - aes128-ctr
 #      - aes192-ctr
 #      - aes256-ctr
-
+#      - aes128-gcm@openssh.com
 #      - aes256-gcm@openssh.com
 #sshd_ciphers: {}
 sshd_ciphers:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr
 # sshd_macs
 #
 # Example:
 #    sshd_macs:
 #      - umac-64-etm@openssh.com,umac-128-etm@openssh.com
 #      - hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
 #      - hmac-sha1-etm@openssh.com
 #      - umac-64@openssh.com,umac-128@openssh.com
 #      - hmac-sha2-256,hmac-sha2-512,hmac-sha1
 #sshd_macs: {}
-sshd_macs:
+
-  - hmac-sha2-256-etm@openssh.com
+# sshd_hostkeyalgorithms
-  - hmac-sha2-512-etm@openssh.com
+#
-  - umac-128-etm@openssh.com
+# Example:
 #      - ssh-ed25519-cert-v01@openssh.com
 #      - ecdsa-sha2-nistp256-cert-v01@openssh.com
 #      - ecdsa-sha2-nistp384-cert-v01@openssh.com
 #      - ecdsa-sha2-nistp521-cert-v01@openssh.com
 #      - sk-ssh-ed25519-cert-v01@openssh.com
 #      - sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
 #      - rsa-sha2-512-cert-v01@openssh.com
 #      - rsa-sha2-256-cert-v01@openssh.com
 #      - ssh-ed25519
 #      - ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
 #      - sk-ssh-ed25519@openssh.com
 #      - sk-ecdsa-sha2-nistp256@openssh.com
 #      - rsa-sha2-512
 #      - rsa-sha2-256
 #
 #sshd_hostkeyalgorithms: {}
 # This users are allowed to use password authentification
 #
@ -2222,6 +2239,9 @@ sudoers_file_user_back_privileges:
  - 'ALL=(root) NOPASSWD: /usr/bin/rsync'
  - 'ALL=(root) NOPASSWD: /usr/bin/find'
  - 'ALL=(root) NOPASSWD: /usr/bin/realpath'
  - 'ALL=(root) NOPASSWD: /root/bin/borg-backup/borg-backup.sh'
  - 'ALL=(root) NOPASSWD: /root/bin/borg-backup/borg-backup-nc.sh'
 sudoers_file_user_back_postgres_privileges:
  - 'ALL=(postgres) NOPASSWD: /usr/bin/psql'
--- a/host_vars/cp-flr.oopen.de.yml
+++ b/host_vars/cp-flr.oopen.de.yml
@ -0,0 +1,203 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_permit_root_login: !!str "prohibit-password"
 # ---
 # vars used by apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 185.12.64.1
  - 2a01:4ff:ff00::add:2
  - 185.12.64.2
  - 2a01:4ff:ff00::add:1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: false
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    group: localadmin
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: cryptpad
    user_id: 2010
    group_id: 2010
    group: cryptpad
    home: /var/www/cryptpad
    password: $y$j9T$TUSURhYNq5B1eWlxis.xy.$YfCpyp24dmaZwiIEMaJvX7u3P.MEdAyz8YXMusM4lu7
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
  - localadmin
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 sudoers_file_user_privileges:
  - name: back
    entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
--- a/host_vars/o26.oopen.de.yml
+++ b/host_vars/o26.oopen.de.yml
@ -359,6 +359,11 @@ cron_user_special_time_entries:
 cron_user_entries:
  - name: "Renote Borg Backup"
    minute: '04'
    hour: '00'
    job: /root/crontab/backup-rborg/remote-borg-backup.sh
  - name: "Check if SSH service is running. Restart service if needed."
    minute: '*/5'
    hour: '*'
@ -380,13 +385,13 @@ cron_user_entries:
    job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
  - name: "Backup internet hosts and then print out hdd-usage for all backuped hosts"
-    minute: '06'
+    minute: '16'
    hour: '00'
    weekday: '1-6'
    job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N
  - name: "On sunday morning also determin diskspace usage"
-    minute: '06'
+    minute: '16'
    hour: '00'
    weekday: 7
    job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N ; /root/bin/admin-stuff/disk-space_usage.sh -q -o /root/disk-space_usage /backup
--- a/host_vars/o40.oopen.de.yml
+++ b/host_vars/o40.oopen.de.yml
@ -242,9 +242,9 @@ cron_user_special_time_entries:
    job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
    insertafter: PATH
-  - name: "Check if postfix mailservice is running. Restart service if needed."
+  - name: "Check if  ntpsec service is running. Restart service if needed."
    special_time: reboot
-    job: "@reboot sleep 20 ; /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1"
+    job: "sleep 20 ; /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1"
    insertafter: PATH
 #  - name: "Check if Check if all autostart LX-Container are running."
--- a/host_vars/o42.oopen.de.yml
+++ b/host_vars/o42.oopen.de.yml
@ -32,7 +32,7 @@ network_interfaces:
    family: inet
    method: static
-    hwaddress: 
+    hwaddress: 2c:f0:5d:0d:df:01
    description:
    address: 95.217.194.43
    netmask: 26
--- a/roles/common/templates/etc/ssh/sshd_config.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.j2
@ -10,11 +10,11 @@ Port {{ item }}
 {% endfor %}
 # Specifies the local addresses sshd(8) should listen on.  The following forms may be used:
-# 
+#
 #    ListenAddress host|IPv4_addr|IPv6_addr
 #    ListenAddress host|IPv4_addr:port
 #    ListenAddress [host|IPv6_addr]:port
-# 
+#
 # If port is not specified, sshd will listen on the address and all Port options specified.  The default
 # is to listen on all local addresses.  Multiple ListenAddress options are permitted.
 #
@ -30,7 +30,7 @@ ListenAddress {{ item }}
 {% endif %}
 # Specifies the protocol versions sshd(8) supports.
-# The possible values are '1' , `2' and '1,2'.
+# The possible values are '1' , '2' and '1,2'.
 # The default is '2'.
 Protocol 2
@ -49,7 +49,7 @@ HostKey {{ item }}
 #ServerKeyBits 768
 # Specifies the maximum number of concurrent unauthenticated connections
-# to the SSH daemon. See sshd_config(5) for specifiing the three colon 
+# to the SSH daemon. See sshd_config(5) for specifiing the three colon
 # separated values.
 # The default is 10.
 #MaxStartups 10:30:100
@ -89,7 +89,7 @@ UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
 # The server disconnects after this time if the user has not
 # successfully logged in.
 # The default is 120 seconds.
-LoginGraceTime = {{ sshd_login_grace_time | default('120') }}
+LoginGraceTime {{ sshd_login_grace_time | default('120') }}
 # Specifies whether root can log in using ssh(1).
 # The default is "yes".
@ -97,15 +97,15 @@ LoginGraceTime = {{ sshd_login_grace_time | default('120') }}
 #PermitRootLogin yes
 PermitRootLogin {{ sshd_permit_root_login }}
-# Specifies whether sshd(8) should check file modes and ownership of the 
+# Specifies whether sshd(8) should check file modes and ownership of the
-# user's files and home directory before accepting login.  This is normally 
+# user's files and home directory before accepting login.  This is normally
-# desirable because novices sometimes accidentally leave their directory or 
+# desirable because novices sometimes accidentally leave their directory or
-# files world-writable. Note that this does not apply to ChrootDirectory, 
+# files world-writable. Note that this does not apply to ChrootDirectory,
-# whose permissions and ownership are checked unconditionally.  
+# whose permissions and ownership are checked unconditionally.
 # The default is “yes”.
 StrictModes yes
-# Specifies whether pure RSA authentication is allowed. This option 
+# Specifies whether pure RSA authentication is allowed. This option
 # applies to protocol version 1 only.
 # The default is “yes”.
 #
@ -114,20 +114,20 @@ StrictModes yes
 #
 #RSAAuthentication yes
-# Specifies whether public key authentication is allowed. Note that this 
+# Specifies whether public key authentication is allowed. Note that this
 # option applies to protocol version 2 only.
 # The default is “yes”.
 PubkeyAuthentication {{ sshd_pubkey_authentication }}
-# Specifies the file that contains the public keys that can be used for 
+# Specifies the file that contains the public keys that can be used for
-# user authentication.  The format is described in the AUTHORIZED_KEYS FILE 
+# user authentication.  The format is described in the AUTHORIZED_KEYS FILE
 # FORMAT section of sshd(8).
 # AuthorizedKeysFile may contain tokens of the form %T which are substituted
-# during connection setup. The following tokens are defined: %% is replaced 
+# during connection setup. The following tokens are defined: %% is replaced
-# by a literal '%', %h is replaced by the home directory of the user being 
+# by a literal '%', %h is replaced by the home directory of the user being
-# authenticated, and %u is replaced by the username of that user. After 
+# authenticated, and %u is replaced by the username of that user. After
-# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative 
+# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
-# to the user's home directory. Multiple files may be listed, separated by 
+# to the user's home directory. Multiple files may be listed, separated by
 # whitespace.
 # The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
 #AuthorizedKeysFile	%h/.ssh/authorized_keys
@ -139,9 +139,9 @@ AuthorizedKeysFile {{ sshd_authorized_keys_file }}
 #PasswordAuthentication yes
 PasswordAuthentication {{ sshd_password_authentication }}
-# When password authentication is allowed, it specifies whether the 
+# When password authentication is allowed, it specifies whether the
 # server allows login to accounts with empty password strings.
-# The default is “no”.
+# The default is 'no'.
 PermitEmptyPasswords no
 {% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 11) %}
@ -150,7 +150,7 @@ PermitEmptyPasswords no
 KbdInteractiveAuthentication no
 {% else %}
 # Specifies whether challenge-response authentication is allowed (e.g. via PAM).
-# The default is “yes”.
+# The default is 'yes'.
 ChallengeResponseAuthentication no
 {% endif %}
@ -166,15 +166,15 @@ IgnoreRhosts yes
 # similar for protocol version 2
 HostbasedAuthentication no
-# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts 
+# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
-# during RhostsRSAAuthentication or HostbasedAuthentication. 
+# during RhostsRSAAuthentication or HostbasedAuthentication.
 # The default is “no”.
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 # If specified, login is allowed only for user names that match one of
 # the patterns.
-# The allow/deny directives are processed in the following order: DenyUsers, 
+# The allow/deny directives are processed in the following order: DenyUsers,
 # AllowUsers, DenyGroups, and finally AllowGroups.
 # By default, login is allowed for all users.
 {% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
@ -195,10 +195,10 @@ AllowUsers {{ fact_sshd_allowed_users }}
 UsePAM {{ sshd_use_pam }}
 # Specifies whether login(1) is used for interactive login sessions.
-# Note that login(1) is never used for remote command execution. 
+# Note that login(1) is never used for remote command execution.
-# Note also, that if this is enabled, X11Forwarding will be disabled 
+# Note also, that if this is enabled, X11Forwarding will be disabled
 # because login(1) does not know how to handle xauth(1) cookies. If
-# UsePrivilegeSeparation is specified, it will be disabled after 
+# UsePrivilegeSeparation is specified, it will be disabled after
 # authentication.
 # The default is “no”.
 #UseLogin no
@ -207,6 +207,24 @@ UsePAM {{ sshd_use_pam }}
 #-----------------------------
 # Cryptography
 #-----------------------------
 {% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 12 %}
 # RequiredRSASize
 #
 # Specifies the minimum RSA key size (in bits) that sshd(8) will accept.  User and host-based
 # authentication keys smaller than this limit will be refused.
 #
 # The default is 1024 bits.
 #
 # Note that this limit may only be raised from the default.
 #
 {% if (sshd_required_rsa_size is defined) and sshd_required_rsa_size %}
 RequiredRSASize {{ sshd_required_rsa_size }}
 {% else %}
 # RequiredRSASize 1024
 {% endif %}
 {% endif %}
 {% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %}
 # PubkeyAcceptedAlgorithms
 #
@ -231,14 +249,12 @@ UsePAM {{ sshd_use_pam }}
 #      sk-ecdsa-sha2-nistp256@openssh.com,
 #      rsa-sha2-512,rsa-sha2-256
 #
-
+# The list of available signature algorithms may also be obtained using
-{% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %}
+#     "ssh -Q PubkeyAcceptedAlgorithms"
 #
 PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }}
 {% else %}
 #PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
 {% endif %}
 # KexAlgorithms
 #
 # Specifies the available KEX (Key Exchange) algorithms.  Multiple algorithms must be comma-separated.
@ -262,6 +278,7 @@ PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }}
 #
 # The default is:
 #
 #       sntrup761x25519-sha512@openssh.com,
 #       curve25519-sha256,curve25519-sha256@libssh.org,
 #       ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 #       diffie-hellman-group-exchange-sha256,
@ -377,9 +394,9 @@ HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }}
 # Logging
 #-----------------------------
-# Gives the facility code that is used when logging messages from sshd(8).  
+# Gives the facility code that is used when logging messages from sshd(8).
-# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, 
+# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
-# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  
+# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 # The default is AUTH.
 SyslogFacility AUTH
@ -403,9 +420,9 @@ DebianBanner no
 # By default, no banner is displayed.
 #Banner /etc/issue.net
-# Specifies whether sshd(8) should print /etc/motd when a user logs in 
+# Specifies whether sshd(8) should print /etc/motd when a user logs in
-# interactively. (On some systems it is also printed by the shell, 
+# interactively. (On some systems it is also printed by the shell,
-# /etc/profile, or equivalent.)  
+# /etc/profile, or equivalent.)
 # The default is “yes”.
 PrintMotd {{ sshd_print_motd }}
@ -432,12 +449,12 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # The default is 'yes'.
 UseDNS {{ sshd_use_dns }}
-# Specifies whether X11 forwarding is permitted. The argument must be 
+# Specifies whether X11 forwarding is permitted. The argument must be
 # “yes” or “no”. See sshd_config(5) for further expalnation
 # The default is “no”.
 #X11Forwarding yes
-# Specifies the first display number available for sshd(8)'s X11 
+# Specifies the first display number available for sshd(8)'s X11
 # forwarding. This prevents sshd from interfering with real X11 servers.
 # The default is 10.
 X11DisplayOffset 10
@ -450,12 +467,12 @@ X11DisplayOffset 10
 # sent, sessions may hang indefinitely on the server, leaving 'ghost' users
 # and consuming server resources.
 #
-# The default is “yes” (to send TCP keepalive messages), and the server 
+# The default is “yes” (to send TCP keepalive messages), and the server
-# will notice if the network goes down or the client host crashes. This 
+# will notice if the network goes down or the client host crashes. This
 # avoids infinitely hanging sessions.
 TCPKeepAlive yes
-#Specifies whether sshd(8) should print the date and time of the last 
+#Specifies whether sshd(8) should print the date and time of the last
 # user login when a user logs in interactively.
 # The default is “yes”.
 PrintLastLog yes