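# sshd_config rendered through templatefile(): every ${...} and %{...} is a
# template variable or directive, not an sshd keyword.
Protocol 2

# Listener settings. Skipped entirely under socket activation, where the
# listening socket is handed over by the service manager instead.
%{if !use_socket_activation}
AddressFamily ${address_family}
%{for listen_address in listen_addresses}
ListenAddress ${listen_address}
%{endfor}
Port ${listen_port}
%{if listen_unix}
# NOTE(review): a unix: ListenAddress is not accepted by every sshd build;
# confirm the target sshd supports it before enabling listen_unix.
ListenAddress unix:/var/run/sshd/sock
%{endif}
%{endif}

StrictModes yes
UseDNS no
Subsystem sftp internal-sftp

# Optional user/group allow-lists; an empty variable leaves the keyword unset.
%{if allow_users != ""}
AllowUsers ${allow_users}
%{endif}
%{if allow_groups != ""}
AllowGroups ${allow_groups}
%{endif}

AllowAgentForwarding %{if sftp_only}no%{else}yes%{endif}
# According to documentation: Note that disabling agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
AllowTcpForwarding %{if allow_tcp_forwarding}yes%{else}no%{endif}
GatewayPorts no
PermitTunnel no
X11Forwarding no

# Public-key only: password and keyboard-interactive methods are disabled and
# AuthenticationMethods restricts the accepted method list to publickey.
AuthenticationMethods publickey
PubkeyAuthentication yes
KbdInteractiveAuthentication no
# KerberosAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PermitUserEnvironment no
PermitUserRC no

# Algorithm lists are supplied by the caller; CASignatureAlgorithms is the only
# one pinned in the template itself.
CASignatureAlgorithms ecdsa-sha2-nistp384
Ciphers ${ciphers_algos}
Macs ${macs_algos}
KexAlgorithms ${key_exchange_algos}
HostKeyAlgorithms ${host_key_algorithms}
PubkeyAcceptedAlgorithms ${pub_key_accepted_algorithms}
RekeyLimit ${rekey_limit.size} ${rekey_limit.time}

%{for host_key in host_keys~}
HostKey ${host_key}
%{endfor}

# Authorized keys come from an external lookup command (%u = login name).
# Written in the plain "keyword value" form like every other line; the
# "keyword = value" spelling parses identically but was the odd one out.
# NOTE(review): the command runs as root; confirm /usr/libexec/ssh-key-dir
# actually needs that rather than a dedicated unprivileged user.
AuthorizedKeysCommand /usr/libexec/ssh-key-dir %u
AuthorizedKeysCommandUser root

ClientAliveCountMax ${client_alive_count_max}
ClientAliveInterval ${client_alive_interval}
MaxAuthTries ${max_auth_tries}
MaxSessions ${max_sessions}
MaxStartups ${max_startups}

# Per-user chroot blocks. Everything after a Match line applies only to that
# match, so these must stay below the global section. sshd refuses the login
# unless every path component of ChrootDirectory is root-owned and not
# writable by anyone else.
%{for chrooted_user in chrooted_users}
Match User ${chrooted_user.username}
%{if sftp_only}
    ForceCommand internal-sftp
    # ForceCommand alone does not stop port forwarding: when the global
    # allow_tcp_forwarding is enabled an sftp-only user could still open
    # forwards, so disable it explicitly for these users.
    AllowTcpForwarding no
%{endif}
    ChrootDirectory ${chrooted_user.chroot}
%{endfor}

%{if listen_unix}
# Root login is re-enabled only for this match; presumably it selects
# connections arriving on the unix socket above (confirm with the sshd build
# in use). The global AuthenticationMethods publickey still applies here.
Match LocalAddress /var/run/sshd/sock
    PermitRootLogin yes
%{endif}

# Conventional terminator: anything appended after this point is not scoped to
# the preceding Match blocks.
Match all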