ssh config: indent, misc readabilty improvements

data/templates/ssh/sshd_config

@@ -78,18 +78,17 @@ Subsystem sftp internal-sftp
 
 # Apply following instructions to user with sftp perm only
 Match Group sftp.main,!ssh.main
-ForceCommand internal-sftp
+    ForceCommand internal-sftp
-# We currently are not able to restrict /home/USER
+    # We can't restrict to /home/%u because the chroot base must be owned by root
-# So we chroot only on /home
+    # So we chroot only on /home
-# See https://serverfault.com/questions/584986/bad-ownership-or-modes-for-chroot-directory-component
+    # See https://serverfault.com/questions/584986/bad-ownership-or-modes-for-chroot-directory-component
-#ChrootDirectory /home/%u
+    ChrootDirectory /home
-ChrootDirectory /home
+    # Forbid SFTP users from using their account SSH as a VPN (even if SSH login is disabled)
-# Forbid SFTP users from using their account SSH as a VPN (even if SSH login is disabled)
+    AllowTcpForwarding no
-AllowTcpForwarding no
+    AllowStreamLocalForwarding no
-AllowStreamLocalForwarding no
+    PermitTunnel no
-PermitTunnel no
+    # Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled
-# Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled
+    PermitUserRC no
-PermitUserRC no
 
 
 # root login is allowed on local networks
@@ -98,4 +97,4 @@ PermitUserRC no
 # If the server is a VPS, it's expected that the owner of the
 # server has access to a web console through which to log in.
 Match Address 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,fe80::/10,fd00::/8
-        PermitRootLogin yes
+    PermitRootLogin yes