# Managed by node-hardening skill
# Backup of previous config stored in outputs/backups

Port {{SSH_PORT}}
Protocol 2

PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no

# Keep PAM enabled for session setups (Ubuntu default)
UsePAM yes

X11Forwarding no
AllowAgentForwarding yes
AllowTcpForwarding yes

ClientAliveInterval 300
ClientAliveCountMax 2

LogLevel VERBOSE

# Optional: restrict users
# AllowUsers {{ALLOW_USERS}}