# Attention, local changew will be overwritten # MIT (C) L3D # {{ ansible_managed }} # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. {% if sshd__version_is_above_eight | default(false) | bool %} # Include SSHD config snippets Include /etc/ssh/sshd_config.d/*.conf {% endif %} # Networking Port {{ sshd__port }} AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: TCPKeepAlive yes # SSHD Key exchange # -> HostkeyAlgorithms {% if not sshd__manage_key_algorithmus | bool %}#{% endif -%} {{ 'HostkeyAlgorithms ' }} {%- for algo in sshd__key_algorithmus -%} {{- algo -}} {{- "," if not loop.last -}} {%- endfor %} # -> KexAlgorithms {% if not sshd__manage_kex_algorithmus | bool %}#{% endif -%} {{ 'KexAlgorithms ' }} {%- for algo in sshd__kex_algorithmus -%} {{- algo -}} {{- "," if not loop.last -}} {%- endfor %} # Ciphers and keying # RekeyLimit default none # -> Ciphers {% if not sshd__manage_ciphers | bool %}#{% endif -%} {{ 'Ciphers ' }} {%- for cipher in sshd__ciphers -%} {{- cipher -}} {{- "," if not loop.last -}} {%- endfor %} # -> Macs {% if not sshd__manage_macs | bool %}#{% endif -%} {{ 'MACs ' }} {%- for mac in sshd__macs -%} {{- mac -}} {{- "," if not loop.last -}} {%- endfor %} # Server Authentication Protocol 2 # Logging SyslogFacility AUTH LogLevel INFO # SSHD Host Keys {% for key in sshd__key_types %} # -> {{ key }} {% if not sshd__manage_key_types | bool %}#{% endif -%} HostKey /etc/ssh/ssh_host_{{ key }}_key {% endfor %} # Client authentication MaxAuthTries 6 MaxSessions 10 PasswordAuthentication {{ sshd__password_authentication | ternary('yes', 'no') }} ChallengeResponseAuthentication no PubkeyAuthentication yes PermitRootLogin without-password LoginGraceTime 120 StrictModes yes X11Forwarding {{ sshd__xforwarding | ternary('yes', 'no') }} AllowTcpForwarding yes #GatewayPorts no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes PrintMotd no PrintLastLog yes TCPKeepAlive yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path #Banner none # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes # User Authentication {% if not sshd__restrict_users -%}#{%- endif -%} AllowUsers {{ sshd__allowed_users|join(' ') }} # Group Authentication {% if not sshd__restrict_groups -%}#{%- endif -%} AllowGroups {{ sshd__allowed_groups|join(' ') }} # Allow client to pass locale environment variables AcceptEnv LANG LC_* # sftp (required by ansible) # Subsystem sftp /usr/lib/openssh/sftp-server {% if ansible_os_family == 'RedHat' %} Subsystem sftp /usr/libexec/openssh/sftp-server {% elif ansible_os_family == 'Archlinux' %} Subsystem sftp /usr/lib/ssh/sftp-server {% else %} Subsystem sftp /usr/lib/openssh/sftp-server {% endif %}