Seems fairly good - I would consider going 25519-only if you have compatible clients for kex and auth.
Some of their concerns with SSH agent forwarding are good too - but make me wonder if writing some little GUI that would have you allow or deny authentication requests would solve the problem.
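As an added example (not part of the comment above), a client-side ssh_config fragment that pins kex, host-key and user-key algorithms to the 25519 curves, with a small check function, and a note that OpenSSH's own `ssh-add -c` already gives the per-request allow/deny prompt the comment describes. Option names assume OpenSSH 8.5 or later (older releases spell the last one PubkeyAcceptedKeyTypes).

```shell
#!/bin/sh
# 25519-only OpenSSH client configuration, written to a temp file so the
# script runs without touching ~/.ssh (constructed example, not a real deployment).
CFG="$(mktemp)"
cat > "$CFG" <<'EOF'
Host *
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
    HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
    PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
    # Agent forwarding stays off by default; enable it per host only when needed.
    ForwardAgent no
EOF

# check_25519_only FILE: return 0 when every entry of each algorithm list
# names a 25519-based algorithm, 1 if a list is missing or contains anything else.
check_25519_only() {
    for key in KexAlgorithms HostKeyAlgorithms PubkeyAcceptedAlgorithms; do
        line=$(grep -i "^[[:space:]]*$key[[:space:]]" "$1" | head -n 1)
        [ -n "$line" ] || return 1
        for alg in $(printf '%s\n' "$line" | awk '{print $2}' | tr ',' ' '); do
            case "$alg" in
                *25519*) ;;          # curve25519 kex, ed25519 keys and certs
                *) return 1 ;;       # anything else breaks the 25519-only policy
            esac
        done
    done
    return 0
}

# Instead of a custom GUI: load the key with -c so the agent asks (via
# ssh-askpass) before every signature, including requests that arrive through
# a forwarded agent. Commented out because it needs a running agent and a key.
# ssh-add -c ~/.ssh/id_ed25519

# To confirm what ssh will actually negotiate for a host with this config:
# ssh -G -F "$CFG" somehost | grep -iE 'kexalgorithms|hostkeyalgorithms|pubkeyaccepted'

check_25519_only "$CFG" && echo "config is 25519-only"
```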