1
0
Fork 0
mirror of https://github.com/roles-ansible/ansible_role_sshd.git synced 2024-08-16 11:59:49 +02:00
ansible_role_sshd/templates/sshd_config.j2
2020-03-17 18:52:03 +01:00

128 lines
2.8 KiB
Django/Jinja

# Attention, local changew will be overwritten
# {{ ansible_managed }}
# Networking
Port {{ sshd.port }}
TCPKeepAlive yes
# Key exchange
KexAlgorithms
{%- for algo in sshd.kex_algorithmus -%}
{{ ' ' }}{{ algo }}{{ "," if not loop.last }}
{%- endfor %}
# Ciphers:
Ciphers
{%- for cipher in sshd.ciphers -%}
{{ ' ' }}{{ cipher }}{{ "," if not loop.last }}
{%- endfor %}
# Macs
MACs
{%- for mac in sshd.macs -%}
{{ ' ' }}{{ mac }}{{ "," if not loop.last }}
{%- endfor %}
# Server authentication
Protocol 2
{% if sshd.manage_key_types | bool -%}
# host key types
{% for key in sshd.key_types %}
HostKey /etc/ssh/ssh_host_{{ key }}_key
{% endfor %}
{%- endif %}
# HostKeyAlgorithms
# Maybe not available in openssh 6.7
HostKeyAlgorithms
{%- for key in sshd.key_algorithmus -%}
{{ ' ' }}{{ key }}{{ "," if not loop.last }}
{%- endfor %}
# Client authentication
PasswordAuthentication
{%- if sshd.password_authentication | bool -%}
yes
{%- else -%}
no
{%- endif %}
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
{#
# User Authentication
{% if restrict_allow_users|default(True) %}
AllowUsers {{ sshd_allow_users|join(' ') }}
AllowGroups {{ sshd_allow_groups|join(' ') }}
{% endif %}
PermitRootLogin without-password
LoginGraceTime 120
StrictModes yes
# Not available in openssh 6.7
{% if only_allow_ed25519 == false %}# {%
endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
# Symmetric ciphers
#Ciphers chacha20-poly1305@openssh.com,
# aes256-gcm@openssh.com,
# aes128-gcm@openssh.com,
# aes256-ctr,
# aes192-ctr,
# aes128-ctr
{% if ansible_distribution_release == 'wheezy' -%}
Ciphers aes192-ctr,aes256-ctr,arcfour256
{%- else -%}
Ciphers chacha20-poly1305@openssh.com
{%- if use_aes256_ctr -%}
,aes256-ctr
{%- endif -%}
{%- endif %}
# Message authentication codes
#MACs hmac-sha2-512-etm@openssh.com,
# hmac-sha2-256-etm@openssh.com,
# hmac-ripemd160-etm@openssh.com,
# umac-128-etm@openssh.com,
# hmac-sha2-512,
# hmac-sha2-256,
# hmac-ripemd160,
# umac-128@openssh.com
{% if ansible_distribution_release == 'wheezy' -%}
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
{%- else -%}
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
{%- if use_hmac_sha2_512 -%}
,hmac-sha2-512
{%- endif -%}
{%- endif %}
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
PrintMotd no
# sftp (required by ansible)
# Subsystem sftp /usr/lib/openssh/sftp-server
{% if ansible_os_family == 'RedHat' %}
Subsystem sftp /usr/libexec/openssh/sftp-server
{% else %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}
# ETC
#}