# sshd_config — Managed by Ansible (INSIGHT-Infra)
Port {{ ssh_port | default(22) }}
AddressFamily inet
ListenAddress 0.0.0.0

# Authentication
PermitRootLogin {{ ssh_permit_root_login | default('no') }}
PasswordAuthentication {{ ssh_password_authentication | default('no') }}
PubkeyAuthentication {{ ssh_pubkey_authentication | default('yes') }}
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes

# Security
X11Forwarding no
AllowTcpForwarding no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30

# Session
ClientAliveInterval 300
ClientAliveCountMax 2

# Subsystem
Subsystem sftp /usr/lib/openssh/sftp-server