1
0
Fork 0
mirror of https://github.com/roles-ansible/ansible_role_sshd.git synced 2024-08-16 11:59:49 +02:00
ansible_role_sshd/templates/sshd_config.j2
2020-08-05 16:35:44 +02:00

125 lines
2.6 KiB
Django/Jinja

# Attention, local changew will be overwritten
# MIT (C) L3D <l3d@c3woc.de>
# {{ ansible_managed }}
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
{% if sshd__version_is_above_eight | default(false) | bool %}
Include /etc/ssh/sshd_config.d/*.conf
{% endif %}
# Networking
Port {{ sshd__port }}
AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
TCPKeepAlive yes
# Key exchange
{{ 'KexAlgorithms ' }}
{%- for algo in sshd__kex_algorithmus -%}
{{ algo }}{{ "," if not loop.last }}
{%- endfor %}
# Ciphers and keying
#RekeyLimit default none
{{ 'Ciphers ' }}
{%- for cipher in sshd__ciphers -%}
{{ cipher }}{{ "," if not loop.last }}
{%- endfor %}
# Logging
SyslogFacility AUTH
LogLevel INFO
# Macs
{{ 'MACs ' }}
{%- for mac in sshd__macs -%}
{{ mac }}{{ "," if not loop.last }}
{%- endfor %}
# Server Authentication
Protocol 2
{% if sshd__manage_key_types | bool -%}
# host key types
{% for key in sshd__key_types %}
HostKey /etc/ssh/ssh_host_{{ key }}_key
{% endfor %}
{%- endif %}
# HostKeyAlgorithms
# Maybe not available in openssh 6.7
{{ 'HostKeyAlgorithms ' }}
{%- for key in sshd__key_algorithmus -%}
{{ key }}{{ "," if not loop.last }}
{%- endfor %}
# Client authentication
MaxAuthTries 6
MaxSessions 10
PasswordAuthentication {{ sshd__password_authentication | ternary('yes', 'no') }}
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin without-password
LoginGraceTime 120
StrictModes yes
X11Forwarding {{ sshd__xforwarding | ternary('yes', 'no') }}
AllowTcpForwarding yes
#GatewayPorts no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# User Authentication
{% if sshd__restrict_users -%}
AllowUsers {{ sshd__allowed_users|join(' ') }}
{%- endif %}
{% if sshd__restrict_groups -%}
AllowUsers {{ sshd__allowed_groups|join(' ') }}
{%- endif %}
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
PrintMotd no
# sftp (required by ansible)
# Subsystem sftp /usr/lib/openssh/sftp-server
{% if ansible_os_family == 'RedHat' %}
Subsystem sftp /usr/libexec/openssh/sftp-server
{% else %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}