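# *** ---------------------------------------------- ***
# ***                                                ***
# {{ ansible_managed }}
# ***                                                ***
# *** ---------------------------------------------- ***
#
# OpenSSH server configuration (sshd_config), rendered by Ansible from a
# Jinja2 template. Directives are "Keyword value" (no "=");  "#" starts a
# full-line comment. Per-host values come from the sshd_* variables and the
# fact_sshd_* facts referenced below.

#-----------------------------
# Daemon
#-----------------------------

# What ports, IPs and protocols we listen for
{% for item in sshd_ports %}
Port {{ item }}
{% endfor %}

# Specifies the local addresses sshd(8) should listen on. The following forms may be used:
#
#   ListenAddress host|IPv4_addr|IPv6_addr
#   ListenAddress host|IPv4_addr:port
#   ListenAddress [host|IPv6_addr]:port
#
# If port is not specified, sshd will listen on the address and all Port options specified. The default
# is to listen on all local addresses. Multiple ListenAddress options are permitted.
#
#   ListenAddress ::
#   ListenAddress 0.0.0.0
#   ListenAddress 159.69.72.24
#   ListenAddress 2a01:4f8:231:171f::2
#
{% if (sshd_listen_address is defined) and sshd_listen_address %}
{% for item in sshd_listen_address %}
ListenAddress {{ item }}
{% endfor %}
{% endif %}

# Specifies the protocol versions sshd(8) supports.
# The possible values are ‘1’, ‘2’ and ‘1,2’.
# The default is ‘2’.
#
# Note: protocol version 1 support was removed from sshd in OpenSSH 7.6; on
# newer releases this directive is accepted but ignored.
Protocol 2

# HostKeys for protocol version 2
{% for item in sshd_host_keys %}
HostKey {{ item }}
{% endfor %}

# Lifetime and size of ephemeral version 1 server key
#
# Note:
#   Deprecated option KeyRegenerationInterval
#   Deprecated option ServerKeyBits
#
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Specifies the maximum number of concurrent unauthenticated connections
# to the SSH daemon. See sshd_config(5) for specifying the three colon
# separated values (start:rate:full) used for random early drop.
# The default is 10.
#MaxStartups 3
MaxStartups 10:30:100

# Specifies the maximum number of authentication attempts permitted per
# connection.
# The default is 6.
MaxAuthTries 3

# Specifies the maximum number of open sessions permitted per network
# connection.
# The default is 10.
MaxSessions 10

#-----------------------------
# Authentication
#-----------------------------

# Specifies whether sshd(8) separates privileges by creating an unprivileged
# child process to deal with incoming network traffic.
# The default is "yes" (for security).
{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 9) %}
#
# Note: (Release 7.5)
#   Deprecated option UsePrivilegeSeparation
#   Privilege separation has been on by default for almost 15 years
#   sandboxing has been on by default for almost the last five
#
#UsePrivilegeSeparation sandbox
{% else %}
UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
{% endif %}

# The server disconnects after this time if the user has not
# successfully logged in.
# The default is 120 seconds.
LoginGraceTime 120

# Specifies whether root can log in using ssh(1).
# The default is "yes".
# Possible values: yes, no, prohibit-password (or the older one: without-password)
#PermitRootLogin yes
PermitRootLogin {{ sshd_permit_root_login }}

# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
# desirable because novices sometimes accidentally leave their directory or
# files world-writable. Note that this does not apply to ChrootDirectory,
# whose permissions and ownership are checked unconditionally.
# The default is “yes”.
StrictModes yes

# Specifies whether pure RSA authentication is allowed. This option
# applies to protocol version 1 only.
# The default is “yes”.
#
# Note:
#   Deprecated option RSAAuthentication
#
#RSAAuthentication yes

# Specifies whether public key authentication is allowed. Note that this
# option applies to protocol version 2 only.
# The default is “yes”.
PubkeyAuthentication {{ sshd_pubkey_authentication }}

# Specifies the file that contains the public keys that can be used for
# user authentication. The format is described in the AUTHORIZED_KEYS FILE
# FORMAT section of sshd(8).
# AuthorizedKeysFile may contain tokens of the form %T which are substituted
# during connection setup. The following tokens are defined: %% is replaced
# by a literal '%', %h is replaced by the home directory of the user being
# authenticated, and %u is replaced by the username of that user. After
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
# to the user's home directory. Multiple files may be listed, separated by
# whitespace.
# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
#AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysFile {{ sshd_authorized_keys_file }}

# Specifies whether password authentication is allowed.
# Change to no to disable tunnelled clear text passwords
# The default is "yes".
# Note: the Match User / Match Address blocks at the end of this file can
# re-enable password authentication for selected users or source addresses.
#PasswordAuthentication yes
PasswordAuthentication {{ sshd_password_authentication }}

# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
# The default is “no”.
PermitEmptyPasswords no

{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 11) %}
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
{% else %}
# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
# The default is “yes”.
ChallengeResponseAuthentication no
{% endif %}

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# For this to work you will also need host keys in /etc/ssh_known_hosts
#
# Note:
#   Deprecated option RhostsRSAAuthentication
#
#RhostsRSAAuthentication no

# similar for protocol version 2
HostbasedAuthentication no

# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# The default is “no”.
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# If specified, login is allowed only for user names that match one of
# the patterns.
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
AllowUsers {{ fact_sshd_allowed_users }}
{% else %}
# Example only (kept commented out). The rendered file is world-readable on
# most systems, so do not list real account names here; set
# fact_sshd_allowed_users instead.
#AllowUsers <user_1> <user_2>
{% endif %}

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM {{ sshd_use_pam }}

# Specifies whether login(1) is used for interactive login sessions.
# Note that login(1) is never used for remote command execution.
# Note also, that if this is enabled, X11Forwarding will be disabled
# because login(1) does not know how to handle xauth(1) cookies. If
# UsePrivilegeSeparation is specified, it will be disabled after
# authentication.
# The default is “no”.
#UseLogin no

#-----------------------------
# Cryptography
#-----------------------------

# KexAlgorithms
#
# Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated.
# Alternately if the specified value begins with a ‘+’ character, then the specified methods will be
# appended to the default set instead of replacing them. If the specified value begins with a ‘-’
# character, then the specified methods (including wildcards) will be removed from the default set
# instead of replacing them. The supported algorithms are:
#
#   curve25519-sha256
#   curve25519-sha256@libssh.org
#   diffie-hellman-group1-sha1
#   diffie-hellman-group14-sha1
#   diffie-hellman-group14-sha256
#   diffie-hellman-group16-sha512
#   diffie-hellman-group18-sha512
#   diffie-hellman-group-exchange-sha1
#   diffie-hellman-group-exchange-sha256
#   ecdh-sha2-nistp256
#   ecdh-sha2-nistp384
#   ecdh-sha2-nistp521
#
# The default is:
#
#   curve25519-sha256,curve25519-sha256@libssh.org,
#   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
#   diffie-hellman-group-exchange-sha256,
#   diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
#   diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
#
# The list of available key exchange algorithms may also be obtained using "ssh -Q kex".
# The sha1-based methods above are listed for completeness only; prefer
# restricting fact_sshd_kexalgorithms to the sha256/sha512 methods.
#
{% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
KexAlgorithms {{ fact_sshd_kexalgorithms }}
{% else %}
#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
{% endif %}

# Ciphers
#
# Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins
# with a ‘+’ character, then the specified ciphers will be appended to the default set instead of
# replacing them. If the specified value begins with a ‘-’ character, then the specified ciphers
# (including wildcards) will be removed from the default set instead of replacing them.
#
# The supported ciphers are:
#
#   3des-cbc
#   aes128-cbc
#   aes192-cbc
#   aes256-cbc
#   aes128-ctr
#   aes192-ctr
#   aes256-ctr
#   aes128-gcm@openssh.com
#   aes256-gcm@openssh.com
#   chacha20-poly1305@openssh.com
#
# The default is:
#
#   chacha20-poly1305@openssh.com,
#   aes128-ctr,aes192-ctr,aes256-ctr,
#   aes128-gcm@openssh.com,aes256-gcm@openssh.com
#
# The list of available ciphers may also be obtained using "ssh -Q cipher".
#
{% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
Ciphers {{ fact_sshd_ciphers }}
{% else %}
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
{% endif %}

# MACs
#
# Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for
# data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins
# with a ‘+’ character, then the specified algorithms will be appended to the default set instead of
# replacing them. If the specified value begins with a ‘-’ character, then the specified algorithms
# (including wildcards) will be removed from the default set instead of replacing them.
#
# The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac). These are
# considered safer and their use recommended. The supported MACs are:
#
#   hmac-md5
#   hmac-md5-96
#   hmac-sha1
#   hmac-sha1-96
#   hmac-sha2-256
#   hmac-sha2-512
#   umac-64@openssh.com
#   umac-128@openssh.com
#   hmac-md5-etm@openssh.com
#   hmac-md5-96-etm@openssh.com
#   hmac-sha1-etm@openssh.com
#   hmac-sha1-96-etm@openssh.com
#   hmac-sha2-256-etm@openssh.com
#   hmac-sha2-512-etm@openssh.com
#   umac-64-etm@openssh.com
#   umac-128-etm@openssh.com
#
# The default is:
#
#   umac-64-etm@openssh.com,umac-128-etm@openssh.com,
#   hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
#   hmac-sha1-etm@openssh.com,
#   umac-64@openssh.com,umac-128@openssh.com,
#   hmac-sha2-256,hmac-sha2-512,hmac-sha1
#
# The list of available MAC algorithms may also be obtained using "ssh -Q mac".
#
{% if (fact_sshd_macs is defined) and fact_sshd_macs %}
MACs {{ fact_sshd_macs }}
{% else %}
# (Commented-out default; "hmac-sha2-256" was previously misspelled as
# "mac-sha2-256", which sshd would reject as an unknown MAC if uncommented.)
#MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
{% endif %}

# HostKeyAlgorithms
#
# Specifies the host key algorithms that the server offers. The default for this option is:
#
#   ecdsa-sha2-nistp256-cert-v01@openssh.com,
#   ecdsa-sha2-nistp384-cert-v01@openssh.com,
#   ecdsa-sha2-nistp521-cert-v01@openssh.com,
#   ssh-ed25519-cert-v01@openssh.com,
#   rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
#   ssh-rsa-cert-v01@openssh.com,
#   ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
#   ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
#
# The list of available key types may also be obtained using "ssh -Q key".
{% if (fact_sshd_hostkeyalgorithms is defined) and fact_sshd_hostkeyalgorithms %}
HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }}
{% endif %}

#-----------------------------
# Logging
#-----------------------------

# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
# The default is AUTH.
SyslogFacility AUTH

# Gives the verbosity level that is used when logging messages from
# sshd(8).
# The default is INFO.
LogLevel INFO

#-----------------------------
# Behavior
#-----------------------------

# Specifies whether the distribution-specified extra version suffix is included
# during initial protocol handshake.
# The default is "yes".
DebianBanner no

# The contents of the specified file are sent to the remote user before
# authentication is allowed.
# By default, no banner is displayed.
#Banner /etc/issue.net

# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
# The default is “yes”.
PrintMotd {{ sshd_print_motd }}

# Specifies what environment variables sent by the client will be copied
# into the session's environ(7).
# The default is not to accept any environment variables.
AcceptEnv LANG LC_*

# Configures an external subsystem (e.g. file transfer daemon).
# By default no subsystems are defined.
# On Debian 11+ the Subsystem line is emitted only when sshd_config_sftp.found
# reports that no other sftp Subsystem definition exists, so the directive is
# not declared twice.
{% if ansible_facts['distribution_major_version'] | int >= 11 %}
{% if sshd_config_sftp.found|int == 0 %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% else %}
#Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}
{% else %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}

# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the
# very same IP address.
# The default is “yes”.
UseDNS {{ sshd_use_dns }}

# Specifies whether X11 forwarding is permitted. The argument must be
# “yes” or “no”. See sshd_config(5) for further explanation.
# The default is “no”.
#X11Forwarding yes

# Specifies the first display number available for sshd(8)'s X11
# forwarding. This prevents sshd from interfering with real X11 servers.
# The default is 10.
X11DisplayOffset 10

# Specifies whether the system should send TCP keepalive messages to the
# other side. If they are sent, death of the connection or crash of one
# of the machines will be properly noticed. However, this means
# that connections will die if the route is down temporarily, and some
# people find it annoying. On the other hand, if TCP keepalives are not
# sent, sessions may hang indefinitely on the server, leaving “ghost” users
# and consuming server resources.
#
# The default is “yes” (to send TCP keepalive messages), and the server
# will notice if the network goes down or the client host crashes. This
# avoids infinitely hanging sessions.
TCPKeepAlive yes

# Specifies whether sshd(8) should print the date and time of the last
# user login when a user logs in interactively.
# The default is “yes”.
PrintLastLog yes

# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
# other remote hosts from connecting to forwarded ports.
#
# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
# bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be
# no to force remote port forwardings to be available to the local host only, yes to force
# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
# client to select the address to which the forwarding is bound. The default is no.
GatewayPorts {{ sshd_gateway_ports }}

#-----------------------------
# Kerberos options
#-----------------------------
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#-----------------------------
# GSSAPI options
#-----------------------------
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Match blocks must stay at the end of the file: every directive after a
# Match line applies only to that block, until the next Match line or EOF.
# "Match all" is used below to return to the global scope after each block.
{% if ( create_sftp_group is defined) and create_sftp_group %}
#-----------------------------
# Match Blocks
#-----------------------------
# sftp-only group: no shell, no forwarding, chrooted to the home directory.
# ChrootDirectory requires %h and every parent directory to be owned by root
# and not writable by any other user; otherwise sshd refuses the login.
Match group sftp_users
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp
Match all
{% endif -%}

{% if (sshd_pasword_auth_user is defined) and sshd_pasword_auth_user %}
#-----------------------------
# Match User for PasswordAuthentication
#-----------------------------
{% for item in sshd_pasword_auth_user %}
Match User {{ item }}
    PasswordAuthentication yes
Match all
{% endfor %}
{% endif %}

{% if (sshd_pasword_auth_ip is defined) and sshd_pasword_auth_ip %}
#-----------------------------
# Match IP Address for PasswordAuthentication
#-----------------------------
{% for item in sshd_pasword_auth_ip %}
Match Address {{ item }}
    PasswordAuthentication yes
Match all
{% endfor %}
{% endif %}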