diff --git a/templates/sshd_config.conf.j2 b/templates/sshd_config.conf.j2
index 8bd5e073b3edfb505c08344af70c7f4eae29a7b2..a64d3ec5aee62588efe3d8491095b4abbd9a734c 100644
--- a/templates/sshd_config.conf.j2
+++ b/templates/sshd_config.conf.j2
@@ -1,11 +1,7 @@
-# MANAGED BY ANSIBLE
-# EVERY CHANGE WILL BE PURGED
-
 {% for item in sshd_ports %}
 Port {{ item }}
 {% endfor %}
 
-#AddressFamily any
 {% for item in sshd_listen_addresses %}
 ListenAddress {{ item }}
 {% endfor %}
@@ -16,7 +12,7 @@ PubkeyAuthentication {{ 'yes' if sshd_allow_pubkeys else 'no' }}
 PasswordAuthentication {{ 'yes' if sshd_allow_passwords else 'no' }}
 PermitEmptyPasswords no
 
-AuthorizedKeysFile     .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
 ChallengeResponseAuthentication no
 
 UsePAM yes
@@ -30,16 +26,26 @@ TCPKeepAlive yes
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 
-###### EVERYTHING BELOW IS SUGGESTED BY MOZILLA ######
-
-LogLevel VERBOSE
+######## EVERYTHING BELOW IS SUGGESTED BY MOZILLA #########
+# See https://infosec.mozilla.org/guidelines/openssh.html #
 
+# Supported HostKey algorithms by order of preference.
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 
-Subsystem       sftp    /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
-
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
+
+# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
+Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
+
+# Use kernel sandbox mechanisms where possible in unprivileged processes
+# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
+UsePrivilegeSeparation sandbox
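Review bot: The `Subsystem sftp` line silently changes the binary path from `/usr/lib/openssh/sftp-server` to `/usr/lib/ssh/sftp-server`, which is a distro-specific location and not the logging change the new comment above it describes; on hosts where the binary still lives at the old path every sftp session will presumably fail with a subsystem error while sshd itself keeps running, so the path is better taken from a template variable with a per-distro default, e.g. `Subsystem sftp {{ sshd_sftp_server }} -f AUTHPRIV -l INFO` (variable name constructed). `UsePrivilegeSeparation sandbox` has been deprecated since OpenSSH 7.5, where privilege separation became mandatory, so on current servers the line is reported as a deprecated option and ignored; either drop it or extend its comment to say it only has effect on pre-7.5 sshd. The comment above `LogLevel VERBOSE` should read `which key was used to log in`.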