# Attention, local changew will be overwritten # MIT (C) L3D # {{ ansible_managed }} # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. {% if _sshd_version | default(7.0) | float > 8.0 %} # Include SSHD config snippets # Support fot this starts with sshd 8.0 Include /etc/ssh/sshd_config.d/*.conf {% endif %} # Networking Port {{ l3d_users__sshd_port }} AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: TCPKeepAlive yes # SSHD Key exchange {% if l3d_users__sshd_manage_key_algorithmus | bool %} # -> HostkeyAlgorithms HostkeyAlgorithms {{ l3d_users__sshd_key_algorithmus | join(',') }} {% else %} # No HostkeyAlgorithms defined {% endif %} {% if l3d_users__sshd_manage_kex_algorithmus | bool %} # -> KexAlgorithms KexAlgorithms {{ l3d_users__sshd_kex_algorithmus | join(',') }} {% else %} # No KexAlgorithms defined {% endif %} # Ciphers and keying {% if l3d_users__sshd_manage_ciphers | bool %} # -> Ciphers Ciphers {{ l3d_users__sshd_ciphers | join(',') }} {% else %} # No Ciphers defined {% endif %} {% if l3d_users__sshd_manage_macs | bool %} # -> Macs MACs {{ l3d_users__sshd_macs | join(',') }} {% else %} # No MACs defined {% endif %} # Server Authentication Protocol 2 # Logging SyslogFacility AUTH LogLevel INFO # SSHD Host Keys {% if l3d_users__sshd_manage_server_key_types | bool %} {% for key in l3d_users__sshd_server_key_types %} # -> {{ key }} HostKey /etc/ssh/ssh_host_{{ key }}_key {% endfor %} {% endif %} # Client authentication MaxAuthTries 6 MaxSessions 10 PasswordAuthentication {{ l3d_users__sshd_password_authentication | ternary('yes', 'no') }} ChallengeResponseAuthentication no PubkeyAuthentication yes PermitRootLogin {{ l3d_users__sshd_permitrootlogin | ternary('without-password', 'no') }} LoginGraceTime 120 StrictModes yes X11Forwarding {{ l3d_users__sshd_xforwarding | ternary('yes', 'no') }} AllowTcpForwarding yes #GatewayPorts no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes PrintMotd no PrintLastLog yes TCPKeepAlive yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path #Banner none # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes {% set _sshd_accounts = [] %} {% for user in _l3d_users__merged_users %} {% if user.name is defined and user.state | default('present') == 'present' %} {% set _ = _sshd_accounts.append(user.name) %} {% endif %} {% endfor %} # User Authentication {% if l3d_users__create_ansible | bool and l3d_users__ansible_user_state == 'present' and not l3d_users__sshd_permitrootlogin | bool %} AllowUsers ansible {{ _sshd_accounts | join(' ') }} # Group Authentication AllowGroups ansible {{ _sshd_accounts | join(' ') }} {% elif l3d_users__create_ansible | bool and l3d_users__ansible_user_state == 'present' and l3d_users__sshd_permitrootlogin | bool %} AllowUsers root ansible {{ _sshd_accounts | join(' ') }} # Group Authentication AllowGroups root ansible {{ _sshd_accounts | join(' ') }} {% elif not l3d_users__create_ansible | bool and l3d_users__sshd_permitrootlogin | bool %} AllowUsers root {{ _sshd_accounts | join(' ') }} # Group Authentication AllowGroups root {{ _sshd_accounts | join(' ') }} {% else %} AllowUsers {{ _sshd_accounts | join(' ') }} # Group Authentication AllowGroups {{ _sshd_accounts | join(' ') }} {% endif %} # Allow client to pass locale environment variables AcceptEnv LANG LC_* # sftp (required by ansible) # Subsystem sftp /usr/lib/openssh/sftp-server {% if ansible_os_family == 'RedHat' %} Subsystem sftp /usr/libexec/openssh/sftp-server {% else %} Subsystem sftp /usr/lib/openssh/sftp-server {% endif %}