# This configuration has been automatically generated
# by YunoHost
#
# Jinja2 template for sshd_config. Variables used below:
#   ipv6_enabled  - "true" adds an IPv6 wildcard ListenAddress
#   ssh_keys      - whitespace-separated list of host key paths (one HostKey each)
#   compatibility - "intermediate" selects the reduced cipher set; any other
#                   value selects the Mozilla "modern" set
#
# sshd reads this file top to bottom. Every directive that follows a "Match"
# line belongs to that block until the next "Match", so the two Match blocks
# at the end of this file scope their settings to one user / to some networks.

# Only SSH protocol version 2 is offered.
Protocol 2
Port 22
{% if ipv6_enabled == "true" %}ListenAddress ::{% endif %}
ListenAddress 0.0.0.0

{% for key in ssh_keys.split() %}
HostKey {{ key }}{% endfor %}

# ##############################################
# Stuff recommended by Mozilla "modern" compatibility
# https://infosec.mozilla.org/guidelines/openssh
# ##############################################
{% if compatibility == "intermediate" %}
# "intermediate" profile for older clients: CTR-mode ciphers and plain
# HMAC-SHA2 MACs only (no ChaCha20, no GCM, no encrypt-then-MAC variants).
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
{% else %}
# By default use "modern" Mozilla configuration
# Keys, ciphers and MACs. Lists are in preference order; a negotiated
# algorithm must appear in both the client's and this server's list.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
{% endif %}

# Use kernel sandbox mechanisms where possible in unprivileged processes
# NOTE(review): OpenSSH 7.5 and later treat this keyword as obsolete (the
# sandbox is always on) and only log a warning — harmless, but confirm against
# the OpenSSH version shipped on the target system.
UsePrivilegeSeparation sandbox

# LogLevel VERBOSE logs user's key fingerprint on login.
# Needed to have a clear audit track of which key was used to log in.
SyslogFacility AUTH
LogLevel VERBOSE

# #######################
# Authentication settings
# #######################

# Comment from Mozilla about the motivation behind disabling root login
#
# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
#
# On Linux, user sessions are tracked using a kernel-side session id, however, this session id is not recorded by OpenSSH.
# Additionally, only tools such as systemd and auditd record the process session id.
# On other OSes, the user session id is not necessarily recorded at all kernel-side.
# Using regular users in combination with /bin/su or /usr/bin/sudo ensures a clear audit track.

# A connection that has not authenticated within 120 seconds is dropped.
LoginGraceTime 120
# Global default: no direct root login. The "Match Address" block at the end
# of this file re-enables it for local network ranges only.
PermitRootLogin no
# Check ownership and modes of the user's home and ~/.ssh files before
# accepting a login; a world-writable authorized_keys is refused.
StrictModes yes
PubkeyAuthentication yes
PermitEmptyPasswords no
# Keyboard-interactive (PAM challenge) authentication is off; PAM is still
# used for account and session handling through UsePAM.
ChallengeResponseAuthentication no
UsePAM yes

# Change to no to disable tunnelled clear text passwords
# (i.e. everybody will need to authenticate using ssh keys)
# Left commented out, so sshd's built-in default (yes) applies: password
# login stays enabled alongside public-key login.
#PasswordAuthentication yes

# Post-login stuff
# The banner is actually displayed before authentication, not after login.
Banner /etc/issue.net
PrintMotd no
PrintLastLog yes
# Probe an idle client every 60 s; with the default ClientAliveCountMax (3)
# an unresponsive session is torn down after roughly three minutes.
ClientAliveInterval 60
# Only locale variables are accepted from the client's environment.
AcceptEnv LANG LC_*

# SFTP stuff
Subsystem sftp internal-sftp
# Everything from here to the next "Match" applies only to the user named
# "sftpusers": SFTP only (no shell), chrooted into the home directory, no
# TCP/X11 forwarding. ChrootDirectory requires /home/%u and every parent
# directory to be root-owned and not writable by group or others, otherwise
# sshd refuses the login.
# NOTE(review): "Match User" matches a single account literally called
# "sftpusers"; if a group of SFTP accounts was intended, the keyword is
# "Match Group" — confirm against how YunoHost provisions these accounts.
Match User sftpusers
    ForceCommand internal-sftp
    ChrootDirectory /home/%u
    AllowTcpForwarding no
    GatewayPorts no
    X11Forwarding no

# root login is allowed on local networks
# It's meant to be a backup solution in case LDAP is down and
# user admin can't be used...
# If the server is a VPS, it's expected that the owner of the
# server has access to a web console through which to log in.
#
# Ranges: RFC 1918 private IPv4, IPv4 link-local, IPv6 link-local and IPv6 ULA.
# Any host on these networks (or anything able to present a source address
# in them) inherits this exception; with PasswordAuthentication left at its
# default, root can also log in here with a password rather than a key.
# "prohibit-password" would keep the fallback while requiring a key.
Match Address 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,fe80::/10,fd00::/8
    PermitRootLogin yes