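{pkgs, ...}: {
  # Hardened OpenSSH server
  # Resources:
  # https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations (2015)
  # ...more soon...
  services.openssh = {
    enable = true;
    # No sftp subsystem: this host is shell-only.
    allowSFTP = false;
    settings = {
      PermitRootLogin = "no";
      # Only these accounts may authenticate at all; everyone else is
      # rejected before any auth method runs.
      AllowUsers = ["user" "tasia"];
      # Public key authentication only, followed by a PAM
      # (keyboard-interactive) step.  Both factors are mandatory because
      # AuthenticationMethods lists them comma-separated, i.e. in sequence.
      PasswordAuthentication = false;
      # ChallengeResponseAuthentication is the legacy alias of
      # KbdInteractiveAuthentication; both are set so either name wins.
      ChallengeResponseAuthentication = true;
      KbdInteractiveAuthentication = true;
      AuthenticationMethods = "publickey,keyboard-interactive";
    };
    extraConfig = ''
      # "Protocol 2" and "UsePrivilegeSeparation sandbox" are intentionally
      # not set: sshd dropped protocol 1 support in OpenSSH 7.4 and made
      # privilege separation unconditional in 7.5, so both keywords are
      # no-ops that only produce "Deprecated option" warnings on modern sshd.
      # Protocol 2
      # UsePrivilegeSeparation sandbox

      # Refuse to start if key/config files in /etc/ssh are world-writable
      # or otherwise have unsafe modes/ownership.
      StrictModes yes
      PrintLastLog yes
      # Don't let users inject environment variables via authorized_keys
      # or ~/.ssh/environment.
      PermitUserEnvironment no
      # AcceptEnv
      # Forwarding is disabled across the board; sshd uses the first value
      # it sees for a keyword, so the "no" here wins even if a later line
      # is uncommented while testing.
      AllowTcpForwarding no
      # wip AllowTcpForwarding yes
      X11Forwarding no
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
    '';
  };
  security.pam.services = {
    # Custom PAM stack for sshd: no pam_unix "auth" line, so a password is
    # never accepted; the only auth factor PAM provides is the TOTP/HOTP
    # check from pam_google_authenticator.
    sshd.text = ''
      account required pam_unix.so # unix (order 10900)
      # NOTE(review): "nullok" lets a user with no ~/.google_authenticator
      # file pass this step without a code, which reduces that account to
      # public-key-only.  Drop "nullok" once every user in AllowUsers has
      # enrolled.  "no_increment_hotp" keeps failed attempts from
      # advancing the HOTP counter.
      auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so nullok no_increment_hotp # google_authenticator (order 12500)
      # Ends the auth stack successfully once the "required" module above
      # has passed; a failure recorded there still fails the whole stack.
      auth sufficient pam_permit.so
      session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
      session required pam_unix.so # unix (order 10200)
      session required pam_loginuid.so # loginuid (order 10300)
      session optional ${pkgs.systemd}/lib/security/pam_systemd.so # systemd (order 12000)
    '';
  };
  # Provides the google-authenticator CLI so users can enroll their secret.
  environment.systemPackages = with pkgs; [ google-authenticator ];
}
# ssh R6: StrictHostKeyChecking ask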