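# Attention, local changes will be overwritten
# MIT (C) L3D
# {{ ansible_managed }}

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
#
# sshd keeps the FIRST value it reads for every keyword, and Include is
# expanded at the point where it appears.  Any drop-in found under
# /etc/ssh/sshd_config.d/ therefore takes precedence over every directive
# below (for example a distribution drop-in that re-enables
# PasswordAuthentication).  Include itself needs OpenSSH 8.2 or newer.
Include /etc/ssh/sshd_config.d/*.conf

# Networking
Port {{ sshd.port }}
AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
TCPKeepAlive yes

# Key exchange
# Comma-separated list rendered from sshd.kex_algorithmus.
KexAlgorithms {{ sshd.kex_algorithmus | join(',') }}

# Ciphers and keying
#RekeyLimit default none
Ciphers {{ sshd.ciphers | join(',') }}

# Logging
SyslogFacility AUTH
LogLevel INFO

# Macs
MACs {{ sshd.macs | join(',') }}

# Server Authentication
# "Protocol" is deprecated and ignored on OpenSSH 7.4 and later (SSH-1 server
# support was removed); it is kept only for older hosts.
Protocol 2
{% if sshd.manage_key_types | bool -%}
# host key types
{% for key in sshd.key_types %}
HostKey /etc/ssh/ssh_host_{{ key }}_key
{% endfor %}
{%- endif %}

# HostKeyAlgorithms
# Maybe not available in openssh 6.7
HostKeyAlgorithms {{ sshd.key_algorithmus | join(',') }}

# Client authentication
MaxAuthTries 6
MaxSessions 10
PasswordAuthentication {{ 'yes' if sshd.password_authentication | bool else 'no' }}
# Renamed to KbdInteractiveAuthentication in OpenSSH 8.7; the old name is
# still accepted as an alias.
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# "without-password" is the legacy spelling of "prohibit-password": root may
# log in with a key, never with a password.
PermitRootLogin without-password
LoginGraceTime 120
StrictModes yes
X11Forwarding {{ 'yes' if sshd.xforwarding | bool else 'no' }}
AllowTcpForwarding yes
#GatewayPorts no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# User Authentication
# Group restrictions must use AllowGroups; listing group names under
# AllowUsers would match user names instead and not restrict by group at all.
# NOTE(review): a list that renders empty leaves a bare AllowUsers/AllowGroups
# line, which sshd appears to treat as "no restriction" rather than "deny
# everyone" -- confirm the role validates the lists are non-empty whenever the
# corresponding restrict_* flag is set.
{% if sshd.restrict_users | bool -%}
AllowUsers {{ sshd_allowed_users | join(' ') }}
{%- endif %}
{% if sshd.restrict_groups | bool -%}
AllowGroups {{ sshd_allowed_groups | join(' ') }}
{%- endif %}

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# sftp (required by ansible)
# Subsystem sftp /usr/lib/openssh/sftp-server
{% if ansible_os_family == 'RedHat' %}
Subsystem sftp /usr/libexec/openssh/sftp-server
{% else %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}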