mirror of
https://github.com/roles-ansible/ansible_role_sshd.git
synced 2024-08-16 11:59:49 +02:00
128 lines
2.8 KiB
Django/Jinja
128 lines
2.8 KiB
Django/Jinja
# Attention, local changew will be overwritten
|
|
# {{ ansible_managed }}
|
|
|
|
# Networking
|
|
Port {{ sshd.port }}
|
|
|
|
TCPKeepAlive yes
|
|
|
|
# Key exchange
|
|
KexAlgorithms
|
|
{%- for algo in sshd.kex_algorithmus -%}
|
|
{{ ' ' }}{{ algo }}{{ "," if not loop.last }}
|
|
{%- endfor %}
|
|
|
|
|
|
# Ciphers:
|
|
Ciphers
|
|
{%- for cipher in sshd.ciphers -%}
|
|
{{ ' ' }}{{ cipher }}{{ "," if not loop.last }}
|
|
{%- endfor %}
|
|
|
|
|
|
# Macs
|
|
MACs
|
|
{%- for mac in sshd.macs -%}
|
|
{{ ' ' }}{{ mac }}{{ "," if not loop.last }}
|
|
{%- endfor %}
|
|
|
|
# Server authentication
|
|
Protocol 2
|
|
|
|
{% if sshd.manage_key_types | bool -%}
|
|
# host key types
|
|
{% for key in sshd.key_types %}
|
|
HostKey /etc/ssh/ssh_host_{{ key }}_key
|
|
{% endfor %}
|
|
{%- endif %}
|
|
|
|
|
|
# HostKeyAlgorithms
|
|
# Maybe not available in openssh 6.7
|
|
HostKeyAlgorithms
|
|
{%- for key in sshd.key_algorithmus -%}
|
|
{{ ' ' }}{{ key }}{{ "," if not loop.last }}
|
|
{%- endfor %}
|
|
|
|
|
|
# Client authentication
|
|
PasswordAuthentication
|
|
{%- if sshd.password_authentication | bool -%}
|
|
{{ ' yes' }}
|
|
{% else -%}
|
|
{{ ' no' }}
|
|
{% endif %}
|
|
ChallengeResponseAuthentication no
|
|
PubkeyAuthentication yes
|
|
|
|
# If you just want the PAM account and session checks to run without
|
|
# PAM authentication, then enable this but set PasswordAuthentication
|
|
# and ChallengeResponseAuthentication to 'no'.
|
|
UsePAM yes
|
|
|
|
{#
|
|
# User Authentication
|
|
{% if restrict_allow_users|default(True) %}
|
|
AllowUsers {{ sshd_allow_users|join(' ') }}
|
|
AllowGroups {{ sshd_allow_groups|join(' ') }}
|
|
{% endif %}
|
|
PermitRootLogin without-password
|
|
|
|
LoginGraceTime 120
|
|
|
|
StrictModes yes
|
|
|
|
# Not available in openssh 6.7
|
|
{% if only_allow_ed25519 == false %}# {%
|
|
endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
|
|
|
|
# Symmetric ciphers
|
|
#Ciphers chacha20-poly1305@openssh.com,
|
|
# aes256-gcm@openssh.com,
|
|
# aes128-gcm@openssh.com,
|
|
# aes256-ctr,
|
|
# aes192-ctr,
|
|
# aes128-ctr
|
|
{% if ansible_distribution_release == 'wheezy' -%}
|
|
Ciphers aes192-ctr,aes256-ctr,arcfour256
|
|
{%- else -%}
|
|
Ciphers chacha20-poly1305@openssh.com
|
|
{%- if use_aes256_ctr -%}
|
|
,aes256-ctr
|
|
{%- endif -%}
|
|
{%- endif %}
|
|
|
|
|
|
# Message authentication codes
|
|
#MACs hmac-sha2-512-etm@openssh.com,
|
|
# hmac-sha2-256-etm@openssh.com,
|
|
# hmac-ripemd160-etm@openssh.com,
|
|
# umac-128-etm@openssh.com,
|
|
# hmac-sha2-512,
|
|
# hmac-sha2-256,
|
|
# hmac-ripemd160,
|
|
# umac-128@openssh.com
|
|
{% if ansible_distribution_release == 'wheezy' -%}
|
|
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
|
|
{%- else -%}
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
|
{%- if use_hmac_sha2_512 -%}
|
|
,hmac-sha2-512
|
|
{%- endif -%}
|
|
{%- endif %}
|
|
|
|
# Allow client to pass locale environment variables
|
|
AcceptEnv LANG LC_*
|
|
|
|
PrintMotd no
|
|
|
|
# sftp (required by ansible)
|
|
# Subsystem sftp /usr/lib/openssh/sftp-server
|
|
{% if ansible_os_family == 'RedHat' %}
|
|
Subsystem sftp /usr/libexec/openssh/sftp-server
|
|
{% else %}
|
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
|
{% endif %}
|
|
|
|
# ETC
|
|
#}
|