# Attention, local changew will be overwritten # {{ ansible_managed }} # Networking Port {{ sshd.port }} TCPKeepAlive yes # Key exchange KexAlgorithms {%- for algo in sshd.kex_algorithmus -%} {{ ' ' }}{{ algo }}{{ "," if not loop.last }} {%- endfor %} # Ciphers: Ciphers {%- for cipher in sshd.ciphers -%} {{ ' ' }}{{ cipher }}{{ "," if not loop.last }} {%- endfor %} # Macs MACs {%- for mac in sshd.macs -%} {{ ' ' }}{{ mac }}{{ "," if not loop.last }} {%- endfor %} # Server authentication Protocol 2 {% if sshd.manage_key_types | bool -%} # host key types {% for key in sshd.key_types %} HostKey /etc/ssh/ssh_host_{{ key }}_key {% endfor %} {%- endif %} # HostKeyAlgorithms # Maybe not available in openssh 6.7 HostKeyAlgorithms {%- for key in sshd.key_algorithmus -%} {{ ' ' }}{{ key }}{{ "," if not loop.last }} {%- endfor %} # Client authentication PasswordAuthentication {%- if sshd.password_authentication | bool -%} {{ ' yes' }} {% else -%} {{ ' no' }} {% endif %} ChallengeResponseAuthentication no PubkeyAuthentication yes # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes {# # User Authentication {% if restrict_allow_users|default(True) %} AllowUsers {{ sshd_allow_users|join(' ') }} AllowGroups {{ sshd_allow_groups|join(' ') }} {% endif %} PermitRootLogin without-password LoginGraceTime 120 StrictModes yes # Not available in openssh 6.7 {% if only_allow_ed25519 == false %}# {% endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Symmetric ciphers #Ciphers chacha20-poly1305@openssh.com, # aes256-gcm@openssh.com, # aes128-gcm@openssh.com, # aes256-ctr, # aes192-ctr, # aes128-ctr {% if ansible_distribution_release == 'wheezy' -%} Ciphers aes192-ctr,aes256-ctr,arcfour256 {%- else -%} Ciphers chacha20-poly1305@openssh.com {%- if use_aes256_ctr -%} ,aes256-ctr {%- endif -%} {%- endif %} # Message authentication codes #MACs hmac-sha2-512-etm@openssh.com, # hmac-sha2-256-etm@openssh.com, # hmac-ripemd160-etm@openssh.com, # umac-128-etm@openssh.com, # hmac-sha2-512, # hmac-sha2-256, # hmac-ripemd160, # umac-128@openssh.com {% if ansible_distribution_release == 'wheezy' -%} MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160 {%- else -%} MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com {%- if use_hmac_sha2_512 -%} ,hmac-sha2-512 {%- endif -%} {%- endif %} # Allow client to pass locale environment variables AcceptEnv LANG LC_* PrintMotd no # sftp (required by ansible) # Subsystem sftp /usr/lib/openssh/sftp-server {% if ansible_os_family == 'RedHat' %} Subsystem sftp /usr/libexec/openssh/sftp-server {% else %} Subsystem sftp /usr/lib/openssh/sftp-server {% endif %} # ETC #}