and openssh server (sshd) configuration.

hardened configuration from https://github.com/dev-sec/ansible-ssh-hardening/ and https://gitlab.com/nodiscc/ansible-xsrv-common/

config/includes.chroot/etc/ssh/sshd_config

@@ -0,0 +1,171 @@
+# This is the ssh server system-wide configuration file.
+# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
+#
+# Created for OpenSSH v5.9
+
+# Basic configuration
+# ===================
+
+# Disable root login
+PermitRootLogin no
+
+# Define which port sshd should listen to.
+Port 22
+
+# Address family should always be limited to the active network configuration.
+AddressFamily inet
+
+# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
+ListenAddress 0.0.0.0
+
+# List HostKeys here.
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# Security configuration
+# ======================
+
+# Set the protocol version to 2 for security reasons. Disables legacy support.
+Protocol 2
+
+# Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.
+StrictModes yes
+
+# Logging, obsoletes QuietMode and FascistLogging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Cryptography
+# ------------
+
+# **Ciphers**
+Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+
+# **Hash algorithms**
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+
+
+# **Key Exchange Algorithms**
+KexAlgorithms diffie-hellman-group-exchange-sha256
+
+# Authentication
+# --------------
+
+# Don't process environment variables passed by the client
+PermitUserEnvironment no
+LoginGraceTime 30s
+# Only process the client's locale environment variables
+AcceptEnv LANG LC_*
+
+# Specifies  the  maximum  number  of authentication attempts permitted per connection.
+# Once the number of failures reaches half this value, additional failures are logged.
+# Causes 'Too Many Authentication Failures' error when set to a low value and the user tries several keys.
+MaxAuthTries 5
+MaxSessions 10
+MaxStartups 10:30:100
+
+# Enable public key authentication
+PubkeyAuthentication yes
+
+# Reject keys that are explicitly blacklisted
+RevokedKeys /etc/ssh/revoked_keys
+
+# Never use host-based authentication. It can be exploited.
+IgnoreRhosts yes
+IgnoreUserKnownHosts yes
+HostbasedAuthentication no
+
+# Enable PAM to enforce system wide rules
+UsePAM no
+
+# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
+PasswordAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+
+# Only enable Kerberos authentication if it is configured.
+KerberosAuthentication no
+KerberosOrLocalPasswd no
+KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# Only enable GSSAPI authentication if it is configured.
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes
+
+# Network
+# -------
+
+# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel
+TCPKeepAlive no
+
+# Manage `ClientAlive..` signals via interval and maximum count. This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail.
+ClientAliveInterval 600
+ClientAliveCountMax 3
+
+# Disable tunneling
+PermitTunnel no
+
+# Specifies whether TCP forwarding is permitted.
+# Denying it provides no real advantage unless shell access is also denied
+AllowTcpForwarding no
+
+# Disable agent forwarding, since local agent could be accessed through forwarded connection.
+# no real advantage without denied shell access
+AllowAgentForwarding no
+
+# Do not allow remote port forwardings to bind to non-loopback addresses.
+GatewayPorts no
+
+# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.
+X11Forwarding no
+X11UseLocalhost yes
+
+# Only allow login for users from ssh/sftponly groups
+AllowGroups ssh sftponly
+
+# Misc. configuration
+# ===================
+
+# Disable motd
+PrintMotd no
+
+# Disable printing last connections on login
+PrintLastLog no
+
+# file to send to the remote user before authentication
+Banner none
+
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+
+# Enable compression
+Compression yes
+
+# Use reverse DNS lookups to validate authorized clients
+# This allows using hostnames in auhtorized_keys instead of IP addresses
+# The default is no
+#UseDNS no
+
+# print /etc/motd when a user logs in interactively
+PrintMotd yes
+
+# print the date and time of the last user login when a user logs in interactively
+PrintLastLog yes
+
+# SFTP configuration
+Subsystem sftp internal-sftp -l {{ ssh_sftp_loglevel }} -f LOCAL6
+
+# User/group-sepcific configuration
+# These lines must appear at the *end* of sshd_config
+#Match Group sftponly
+# Restrict members of the 'sftponly' group to SFTP subsystem,
+#ForceCommand internal-sftp -l INFO -f LOCAL6
+# Chroot members of the 'sftponly' group to their home directory
+#ChrootDirectory %h
+#AllowTcpForwarding no
+#AllowAgentForwarding no
+#GatewayPorts no
+#X11Forwarding no
+