roles/common: Harden sshd_config template for Debian 9 and Ubuntu 16.04

From: https://wiki.mozilla.org/Security/Guidelines/OpenSSH

roles/common/templates/sshd_config_Debian-9.j2

@@ -15,15 +15,17 @@
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
-HostKey /etc/ssh/ssh_host_rsa_key
+# Supported HostKey algorithms by order of preference.
 HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
 
 # Ciphers and keying
 #RekeyLimit default none
 
 # Logging
 #SyslogFacility AUTH
-#LogLevel INFO
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
 
 # Authentication:
 
@@ -32,6 +34,8 @@ PermitRootLogin prohibit-password
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
+# Password based logins are disabled - only public key based logins are allowed.
+AuthenticationMethods publickey
 
 #PubkeyAuthentication yes
 
@@ -56,6 +60,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
+# Password based logins are disabled - only public key based logins are allowed.
+AuthenticationMethods publickey
+
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 ChallengeResponseAuthentication no