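{
  # Hardened OpenSSH server
  # Resources:
  # https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations (2015)
  services.openssh = {
    enable = true;
    # No SFTP subsystem on this host.
    allowSFTP = false;
    settings = {
      PermitRootLogin = "no";
      # Public key authentication only: passwords and every interactive prompt
      # are off. ChallengeResponseAuthentication is the legacy alias of
      # KbdInteractiveAuthentication; both are set so the intent is clear on
      # any OpenSSH release (the NixOS default for the latter is `true`).
      PasswordAuthentication = false;
      ChallengeResponseAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
    extraConfig = ''
      # `Protocol 2` and `UsePrivilegeSeparation sandbox` are deliberately not
      # set: protocol 1 was removed and (sandboxed) privilege separation is
      # mandatory in current OpenSSH, so both keywords are deprecated and only
      # produce "Deprecated option" warnings in the sshd log.

      # Check file modes and ownership of the user's files and home directory
      # before accepting a login.
      StrictModes yes
      PrintLastLog yes
      # Don't mess with environment variables
      PermitUserEnvironment no
      # AcceptEnv

      # No forwarding of any kind through this server.
      AllowTcpForwarding no
      # wip: AllowTcpForwarding yes -- kept disabled. NOTE(review): the source
      # had this "wip" marker next to the directive; since sshd uses the first
      # value it reads for a keyword, a later `yes` line would be ignored here
      # anyway. Re-enable deliberately via `settings` if it is ever required.
      X11Forwarding no
      AllowAgentForwarding no
      AllowStreamLocalForwarding no

      # Public key is the only accepted authentication method.
      AuthenticationMethods publickey
    '';
  };
}
# ssh R6: StrictHostKeyChecking ask -- a client-side (ssh_config) setting from
# the referenced guide; it is not applied by this server module.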