# Attention, local changew will be overwritten # MIT (C) L3D # {{ ansible_managed }} # Networking Port {{ sshd.port }} TCPKeepAlive yes # Key exchange {{ 'KexAlgorithms ' }} {%- for algo in sshd.kex_algorithmus -%} {{ algo }}{{ "," if not loop.last }} {%- endfor %} # Ciphers: {{ 'Ciphers ' }} {%- for cipher in sshd.ciphers -%} {{ cipher }}{{ "," if not loop.last }} {%- endfor %} # Macs {{ 'MACs ' }} {%- for mac in sshd.macs -%} {{ mac }}{{ "," if not loop.last }} {%- endfor %} # Server authentication Protocol 2 {% if sshd.manage_key_types | bool -%} # host key types {% for key in sshd.key_types %} HostKey /etc/ssh/ssh_host_{{ key }}_key {% endfor %} {%- endif %} # HostKeyAlgorithms # Maybe not available in openssh 6.7 {{ 'HostKeyAlgorithms ' }} {%- for key in sshd.key_algorithmus -%} {{ key }}{{ "," if not loop.last }} {%- endfor %} # Client authentication PasswordAuthentication {%- if sshd.password_authentication | bool -%} {{ ' yes' }} {% else -%} {{ ' no' }} {% endif %} ChallengeResponseAuthentication no PubkeyAuthentication yes PermitRootLogin without-password LoginGraceTime 120 StrictModes yes X11Forwarding {%- if sshd.xforwarding | bool -%} {{ ' yes' }} {% else -%} {{ ' no' }} {% endif %} # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes # User Authentication {% if sshd.restrict_users -%} AllowUsers {{ sshd_allowed_users|join(' ') }} {%- endif %} {% if sshd.restrict_groups -%} AllowUsers {{ sshd_allowed_groups|join(' ') }} {%- endif %} # Allow client to pass locale environment variables AcceptEnv LANG LC_* PrintMotd no # sftp (required by ansible) # Subsystem sftp /usr/lib/openssh/sftp-server {% if ansible_os_family == 'RedHat' %} Subsystem sftp /usr/libexec/openssh/sftp-server {% else %} Subsystem sftp /usr/lib/openssh/sftp-server {% endif %}