diff --git a/files/sshd_config b/files/sshd_config
new file mode 100644
index 0000000000000000000000000000000000000000..040bfc8ab0e6cfdc8629f6f33d5d4cdabf62821c
--- /dev/null
+++ b/files/sshd_config
@@ -0,0 +1,137 @@
+#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options change a
+# default value.
+
+#Port 22
+#AddressFamily any
+
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile	.ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+PubkeyAuthentication yes
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication yes
+
+# Kerberos options
+KerberosAuthentication no
+KerberosOrLocalPasswd no
+KerberosTicketCleanup no
+
+# GSSAPI options
+GSSAPICleanupCredentials no
+#GSSAPIAuthentication no
+#GSSAPIStrictAcceptorCheck no
+#GSSAPIKeyExchange no
+#GSSAPIStoreCredentialsOnRekey no
+
+
+# Set this to 'yes' to enable PAM authentication, account processing, 
+# and session processing. If this is enabled, PAM authentication will 
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+
+# Do not use DNS to resolv connections. To be able to log IP for a connection,
+# especially a failed one. Requested by Ulrik 2019-05-27 /Mika
+UseDNS no
+
+# no default banner path
+#Banner none
+
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
+
+
+
+
+
+# # Nota bene: Puppet managed file, all local changes will be reverted.
+# Local variables:
+# mode: view
+# End:
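Review bot: Nothing in this file confines the SFTP accounts the module creates: there is no `Match` block, `Subsystem sftp` points at the external `sftp-server`, and `X11Forwarding yes`, `PasswordAuthentication yes` and `ChallengeResponseAuthentication yes` apply to every account on the host. A `/sbin/nologin` shell stops interactive logins but does not by itself disable TCP forwarding, which is left at its default here. I would append a `Match Group liuitdrs` block after the `Subsystem` line that forces `internal-sftp`, chroots to the transfer directory and turns forwarding off, and consider key-only authentication for that group if its users can manage keys. The chroot path below assumes `/srv/liuitdrs` stays root-owned and not group-writable, as the manifest in this commit sets it; confirm before enabling.

```conf
# … unchanged: global options through the Subsystem line …
Match Group liuitdrs
	ChrootDirectory /srv/liuitdrs
	ForceCommand internal-sftp
	AllowTcpForwarding no
	X11Forwarding no
```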
diff --git a/manifests/init.pp b/manifests/init.pp
index b3b0b7770c6445ef1eff0ab0d70b105f4cf105da..615f995302d69de2dfb3eda90ecc92cb3c41d6c1 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,4 +1,5 @@
 class aes {
+  include aes::sftp
   include aes::aes_sw
   include aes::opendsa
   include aes::squid_filter
diff --git a/manifests/sftp.pp b/manifests/sftp.pp
new file mode 100644
index 0000000000000000000000000000000000000000..66f884bc0bda3f46ff2d5bf8b8d06efc90e23ea5
--- /dev/null
+++ b/manifests/sftp.pp
@@ -0,0 +1,58 @@
+class aes::sftp {
+
+  # package {
+  #   [
+  #     'openssh-server-7',
+  #   ]:
+  #     ensure  => installed,
+  # }
+
+  group { "liuitdrs" :
+    ensure => present,
+    allowdupe => false,
+    auth_membership => false,
+  }
+
+  file { '/srv/liuitdrs' :
+    ensure => directory,
+    mode   => '0750',
+    owner  => root,
+    group  => liuitdrs,
+  }
+
+  file { '/srv/liuitdrs/year' :
+    ensure => directory,
+    mode   => '0770',
+    owner  => root,
+    group  => liuitdrs,
+  }
+
+  file { '/srv/liuitdrs/.ssh' :
+    ensure => directory,
+    mode   => '0700',
+    owner  => root,
+    group  => liuitdrs,
+  }
+
+  # useradd -d /srv/liuitdrs -g liuitdrs -s /sbin/nologin USER
+  user { 'jondy94':
+    comment => 'Jon Dybeck',
+    shell   => '/sbin/nologin',
+    home    => '/srv/liuitdrs',
+    groups  => liuitdrs,
+  }
+
+  # but this file is already managed by puppet
+  file { "/etc/ssh/sshd_config":
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode => '0644',
+    source => "puppet:///modules/${module_name}/sshd_config",
+   }
+
+  # service { "sshd" : 
+  #   ensure => "running",
+  # }
+
+}
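Review bot: The `file { "/etc/ssh/sshd_config": }` resource near the end of the class replaces the daemon's configuration with no syntax check and no service refresh, and its own comment says the file is already managed elsewhere, so a second declaration of the same path would fail catalog compilation. Adding `validate_cmd => '/usr/sbin/sshd -t -f %',` would keep a broken file from being installed and cutting off remote access; the new settings also only take effect once something restarts sshd, because the `service` block is commented out. `mode => '0600'` would be the tighter choice for this file. Separately, `/srv/liuitdrs/.ssh` is root-owned with mode `0700`, and sshd reads authorized_keys with the user's privileges, so `jondy94` probably cannot use key authentication and is left with passwords; `mode => '0750'` would let the group read it.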