diff --git a/roles/common/templates/sshd_config_Debian-12.j2 b/roles/common/templates/sshd_config_Debian-12.j2
index 026c523..7cd6358 100644
--- a/roles/common/templates/sshd_config_Debian-12.j2
+++ b/roles/common/templates/sshd_config_Debian-12.j2
@@ -18,27 +18,29 @@ Include /etc/ssh/sshd_config.d/*.conf
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ed25519_key
 # Ciphers and keying
 #RekeyLimit default none
 # Logging
 #SyslogFacility AUTH
-#LogLevel INFO
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
 # Authentication:
 #LoginGraceTime 2m
-PermitRootLogin yes
+PermitRootLogin prohibit-password
 #StrictModes yes
-#MaxAuthTries 6
+MaxAuthTries 4
 #MaxSessions 10
 #PubkeyAuthentication yes
-# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
 #AuthorizedPrincipalsFile none
@@ -87,7 +89,7 @@ UsePAM yes
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-X11Forwarding yes
+X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
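Review bot: Every hardened value set in this hunk (HostKey, LogLevel, PermitRootLogin, MaxAuthTries, AuthorizedKeysFile), and the Ciphers/MACs/KexAlgorithms added in the third hunk, sits below the `Include /etc/ssh/sshd_config.d/*.conf` visible in the hunk header, and sshd uses the first value it obtains for each keyword, so any drop-in placed in that directory (cloud-init and some packages ship one) silently wins over these settings; either move the Include below the hardened block or have the role own the contents of sshd_config.d, and a `sshd -T` check in the playbook would confirm the effective values. Uncommenting only the ed25519 `HostKey` replaces the default host-key set rather than adding to it, so RSA and ECDSA host keys are no longer offered at all; presumably intended, but it deserves a comment such as `# Only the ed25519 host key is offered; the RSA/ECDSA keys are deliberately not listed.`. The added LogLevel comment also has a typo; suggest `# LogLevel VERBOSE logs the user's key fingerprint on login, which is needed for a clear audit trail of which key was used to log in.`.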
@@ -120,3 +122,21 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # AllowTcpForwarding no
 # PermitTTY no
 # ForceCommand cvs server
+
+# Based on the ssh-audit profile for OpenSSH 9.2, but with but with all algos
+# with less than 256 bits removed, as NSA's Suite B removed them years ago and
+# the new (2018) CNSA suite is 256 bits and up.
+#
+# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+# Is there a list of allowed users?
+# Is it populated? (An empty list is 'None', which evaluates as False in Python)
+# merge the items of a list into one string using a space as a separator
+# http://jinja.pocoo.org/docs/dev/templates/#join
+AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
+{% endif %}
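Review bot: The rationale comment does not match the algorithm lists it introduces: `curve25519-sha256`, `curve25519-sha256@libssh.org` and `hmac-sha2-256-etm@openssh.com` are not CNSA algorithms (CNSA 1.0 names P-384, SHA-384, AES-256 and DH/RSA of 3072 bits or more), so the "256 bits and up" justification should be reworded to describe what was actually removed from the ssh-audit profile, or the lists trimmed to match the claim; the comment also repeats "but with but with". `diffie-hellman-group-exchange-sha256` lets the client choose the group size from /etc/ssh/moduli, so a client can request a 2048-bit group and the server will serve one as long as the stock moduli file still contains such entries; if that kex stays, the role should also prune the small moduli (as the ssh-audit hardening guide does), otherwise drop the entry. The four Jinja comment lines inside the `{% if %}` block describe the condition but are rendered into the generated sshd_config; moving them above the `{% if %}` line as `{# ... #}` comments keeps them in the template only.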