# Attention, local changew will be overwritten # MIT (C) L3D # {{ ansible_managed }} # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. {% if sshd__version_is_above_eight | default(false) | bool %} Include /etc/ssh/sshd_config.d/*.conf {% endif %} # Networking Port {{ sshd__port }} AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: TCPKeepAlive yes {% if sshd__manage_key_algorithmus | bool %} # Key exchange {{ 'HostkeyAlgorithms ' }} {%- for algo in sshd__key_algorithmus -%} {{ algo }}{{ "," if not loop.last }} {%- endfor %} {% endif %} {{ 'KexAlgorithms ' }} {%- for algo in sshd__kex_algorithmus -%} {{ algo }}{{ "," if not loop.last }} {%- endfor %} # Ciphers and keying #RekeyLimit default none {{ 'Ciphers ' }} {%- for cipher in sshd__ciphers -%} {{ cipher }}{{ "," if not loop.last }} {%- endfor %} # Logging SyslogFacility AUTH LogLevel INFO # Macs {{ 'MACs ' }} {%- for mac in sshd__macs -%} {{ mac }}{{ "," if not loop.last }} {%- endfor %} # Server Authentication Protocol 2 {% if sshd__manage_key_types | bool -%} # host key types {% for key in sshd__key_types %} HostKey /etc/ssh/ssh_host_{{ key }}_key {% endfor %} {%- endif %} {% if sshd__manage_kex_algorithmus | bool -%} # HostKeyAlgorithms # Maybe not available in openssh 6.7 {{ 'HostKeyAlgorithms ' }} {%- for key in sshd__key_algorithmus -%} {{ key }}{{ "," if not loop.last }} {%- endfor %} {% endif %} # Client authentication MaxAuthTries 6 MaxSessions 10 PasswordAuthentication {{ sshd__password_authentication | ternary('yes', 'no') }} ChallengeResponseAuthentication no PubkeyAuthentication yes PermitRootLogin without-password LoginGraceTime 120 StrictModes yes X11Forwarding {{ sshd__xforwarding | ternary('yes', 'no') }} AllowTcpForwarding yes #GatewayPorts no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes PrintMotd no PrintLastLog yes TCPKeepAlive yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path #Banner none # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes # User Authentication {% if sshd__restrict_users -%} AllowUsers {{ sshd__allowed_users|join(' ') }} {% endif %} {% if sshd__restrict_groups -%} AllowUsers {{ sshd__allowed_groups|join(' ') }} {%- endif %} # Allow client to pass locale environment variables AcceptEnv LANG LC_* PrintMotd no # sftp (required by ansible) # Subsystem sftp /usr/lib/openssh/sftp-server {% if ansible_os_family == 'RedHat' %} Subsystem sftp /usr/libexec/openssh/sftp-server {% else %} Subsystem sftp /usr/lib/openssh/sftp-server {% endif %}