# Supported HostKey algorithms by order of preference.HostKey /etc/ssh/ssh_hos

1. # Supported HostKey algorithms by order of preference.
2. HostKey /etc/ssh/ssh_host_ed25519_key
3. HostKey /etc/ssh/ssh_host_rsa_key
4. HostKey /etc/ssh/ssh_host_ecdsa_key
5.  
6. KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
7.  
8. Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
9.  
10. MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
11.  
12. # Password based logins are disabled - only public key based logins are allowed.
13. AuthenticationMethods publickey
14.  
15. # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
16. LogLevel VERBOSE
17.  
18. # Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
19. #
20. # On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
21. # Additionally, only tools such as systemd and auditd record the process session id.
22. # On other OSes, the user session id is not necessarily recorded at all kernel-side.
23. # Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
24. PermitRootLogin No
25.  
26. # Use kernel sandbox mechanisms where possible in unprivilegied processes
27. # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
28. UsePrivilegeSeparation sandbox