<%
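	import os

	# Service settings that drive every directive rendered below.
	ssh_config = middleware.call_sync('ssh.config')

	# Make sure root's ~/.ssh exists before sshd starts. Create it owner-only
	# (0o700, further narrowed by the umask): sshd's StrictModes refuses an
	# authorized_keys file living in a group/world-writable directory, and
	# nothing but root should read it anyway. exist_ok=True replaces the
	# separate exists() probe, removing the check-then-create race.
	os.makedirs('/root/.ssh', mode=0o700, exist_ok=True)

	# sftp-server's -l/-f flags always need a value; when the stored setting
	# is empty fall back to ERROR/AUTH (sftp-server's own defaults).
	for key, default in (('sftp_log_level', 'ERROR'), ('sftp_log_facility', 'AUTH')):
		if not ssh_config[key]:
			ssh_config[key] = default

	# Resolve the configured bind interfaces (presumably a list of interface
	# names -- confirm against ssh.config) to their current IPv4/IPv6 addresses.
	ifaces = middleware.call_sync('interface.query', [['name', 'in', ssh_config['bindiface']]])
	bind_ifaces = [
		alias['address']
		for iface in ifaces
		for alias in iface.get('state', {}).get('aliases', [])
		if alias.get('type') in ('INET', 'INET6') and alias.get('address')
	]

	# Whenever explicit ListenAddress lines are emitted, keep loopback first so
	# local clients still reach sshd. With no addresses resolved, no
	# ListenAddress is written and sshd keeps its listen-everywhere default.
	if bind_ifaces:
		bind_ifaces.insert(0, '127.0.0.1')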
%>\
Subsystem	sftp	/usr/libexec/sftp-server -l ${ssh_config['sftp_log_level']} -f ${ssh_config['sftp_log_facility']}
% if 'Protocol' not in ssh_config['options']:
Protocol 2
% endif
% if 'UseDNS' not in ssh_config['options']:
UseDNS no
% endif
% if 'ChallengeResponseAuthentication' not in ssh_config['options']:
ChallengeResponseAuthentication no
% endif
% if 'ClientAliveCountMax' not in ssh_config['options']:
ClientAliveCountMax 3
% endif
% if 'ClientAliveInterval' not in ssh_config['options']:
ClientAliveInterval 15
% endif
% if 'NoneEnabled' not in ssh_config['options']:
NoneEnabled yes
% endif
% if 'VersionAddendum' not in ssh_config['options']:
VersionAddendum none
% endif
## Add aes128-cbc by default. See #20044
% if 'Ciphers' not in ssh_config['options']:
Ciphers +aes128-cbc
% endif
% if ssh_config['tcpport'] > 0:
Port ${ssh_config['tcpport']}
% endif
% for ip in bind_ifaces:
ListenAddress ${ip}
% endfor
% if ssh_config['rootlogin']:
PermitRootLogin yes
% else:
PermitRootLogin without-password
% endif
% if ssh_config['tcpfwd']:
AllowTcpForwarding yes
% else:
AllowTcpForwarding no
% endif
% if ssh_config['compression']:
Compression delayed
% else:
Compression no
% endif
% if ssh_config['passwordauth']:
PasswordAuthentication yes
% endif
% if ssh_config['kerberosauth']:
GSSAPIAuthentication yes
% endif
PubkeyAuthentication yes
${ssh_config['options']}
