# true if IPv6 is needed
network_ipv6_enable: false              # sshd + ssh

# For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.
ssh_client_hardening: true          # ssh
ssh_server_hardening: true          # sshd

# true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
ssh_client_cbc_required: false          # ssh
ssh_server_cbc_required: false          # sshd

# true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.
ssh_client_weak_hmac: false             # ssh
ssh_server_weak_hmac: false             # sshd

# true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.
ssh_client_weak_kex: false              # ssh
ssh_server_weak_kex: false              # sshd

# If true, password login is allowed. For sshd, it is always set to no password login.
ssh_client_password_login: false          # ssh

# ports on which ssh-server should listen
ssh_server_ports: ['22']      # sshd

# port to which ssh-client should connect
ssh_client_port: '22'         # ssh

# one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!
ssh_listen_to: ['0.0.0.0']    # sshd

# Host keys to look for when starting sshd.
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']  # sshd

# Specifies  the  maximum  number  of authentication attempts permitted per connection.  Once the number of failures reaches half this value, additional failures are logged.
ssh_max_auth_retries: 2

ssh_client_alive_interval: 600          # sshd
ssh_client_alive_count: 3               # sshd

# Hosts with custom options.            # ssh
# Example:
# ssh_remote_hosts:
#   - names: ['example.com', 'example2.com']
#     options: ['Port 2222', 'ForwardAgent yes']
#   - names: ['example3.com']
#     options: ['StrictHostKeyChecking no']
ssh_remote_hosts: []

# false to disable root login altogether. Set to true to allow root to login via key-based mechanism.
ssh_allow_root_with_key: false          # sshd

# false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
ssh_allow_tcp_forwarding: false         # sshd

# false to disable Agent Forwarding. Set to true to allow Agent Forwarding.
ssh_allow_agent_forwarding: false       # sshd

# false to disable pam authentication.
ssh_use_pam: false      # sshd

# if specified, login is disallowed for user names that match one of the patterns.
ssh_deny_users: ''      # sshd

# if specified, login is allowed only for user names that match one of the patterns.
ssh_allow_users: ''      # sshd

# if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
ssh_deny_groups: ''      # sshd

# if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
ssh_allow_groups: ''      # sshd

# false to disable printing of the MOTD
ssh_print_motd: false      # sshd

# false to disable display of last login information
ssh_print_last_log: false    # sshd

# false to disable serving /etc/ssh/banner.txt before authentication is allowed
ssh_banner: false # sshd

# false to disable distribution version leakage during initial protocol handshake
ssh_print_debian_banner: false # sshd (Debian OS family only)

# true to enable sftp configuration
sftp_enabled: false

# change default sftp chroot location
sftp_chroot_dir: /home/%u

# enable experimental client roaming
ssh_client_roaming: false


ssh_ps53: 'yes'
ssh_ps59: 'sandbox'

ssh_macs_53_default:
  - hmac-ripemd160
  - hmac-sha1

ssh_macs_59_default:
  - hmac-sha2-512
  - hmac-sha2-256
  - hmac-ripemd160

ssh_macs_59_weak: "{{ ssh_macs_59_default + ['hmac-sha1'] }}"

ssh_macs_66_default:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - hmac-ripemd160-etm@openssh.com
  - umac-128-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256
  - hmac-ripemd160

ssh_macs_66_weak: "{{ ssh_macs_66_default + ['hmac-sha1'] }}"

ssh_ciphers_53_default:
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

ssh_ciphers_53_weak: "{{ ssh_ciphers_53_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"

ssh_ciphers_66_default:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

ssh_ciphers_66_weak: "{{ ssh_ciphers_66_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"

ssh_kex_59_default:
  - diffie-hellman-group-exchange-sha256

ssh_kex_59_weak: "{{ ssh_kex_59_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"

ssh_kex_66_default:
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256

ssh_kex_66_weak: "{{ ssh_kex_66_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"

# directory where to store ssh_password policy
ssh_custom_selinux_dir: '/etc/selinux/local-policies'

sshd_moduli_minimum: 2048

# disable ChallengeResponseAuthentication
ssh_challengeresponseauthentication: false