mirror of
https://github.com/roles-ansible/ansible_role_sshd.git
synced 2024-08-16 11:59:49 +02:00
132 lines
3 KiB
Django/Jinja
132 lines
3 KiB
Django/Jinja
# Attention, local changew will be overwritten
|
|
# MIT (C) L3D <l3d@c3woc.de>
|
|
# {{ ansible_managed }}
|
|
# This is the sshd server system-wide configuration file. See
|
|
# sshd_config(5) for more information.
|
|
|
|
{% if sshd__version_is_above_eight | default(false) | bool %}
|
|
# Include SSHD config snippets
|
|
Include /etc/ssh/sshd_config.d/*.conf
|
|
{% endif %}
|
|
|
|
# Networking
|
|
Port {{ sshd__port }}
|
|
AddressFamily any
|
|
#ListenAddress 0.0.0.0
|
|
#ListenAddress ::
|
|
|
|
TCPKeepAlive yes
|
|
|
|
# SSHD Key exchange
|
|
# -> HostkeyAlgorithms
|
|
{% if not sshd__manage_key_algorithmus | bool %}#{% endif -%}
|
|
{{ 'HostkeyAlgorithms ' }}
|
|
{%- for algo in sshd__key_algorithmus -%}
|
|
{{- algo -}}
|
|
{{- "," if not loop.last -}}
|
|
{%- endfor %}
|
|
|
|
# -> KexAlgorithms
|
|
{% if not sshd__manage_kex_algorithmus | bool %}#{% endif -%}
|
|
{{ 'KexAlgorithms ' }}
|
|
{%- for algo in sshd__kex_algorithmus -%}
|
|
{{- algo -}}
|
|
{{- "," if not loop.last -}}
|
|
{%- endfor %}
|
|
|
|
|
|
# Ciphers and keying
|
|
# RekeyLimit default none
|
|
# -> Ciphers
|
|
{% if not sshd__manage_ciphers | bool %}#{% endif -%}
|
|
{{ 'Ciphers ' }}
|
|
{%- for cipher in sshd__ciphers -%}
|
|
{{- cipher -}}
|
|
{{- "," if not loop.last -}}
|
|
{%- endfor %}
|
|
|
|
|
|
# -> Macs
|
|
{% if not sshd__manage_macs | bool %}#{% endif -%}
|
|
{{ 'MACs ' }}
|
|
{%- for mac in sshd__macs -%}
|
|
{{- mac -}}
|
|
{{- "," if not loop.last -}}
|
|
{%- endfor %}
|
|
|
|
# Server Authentication
|
|
Protocol 2
|
|
|
|
# Logging
|
|
SyslogFacility AUTH
|
|
LogLevel INFO
|
|
|
|
# SSHD Host Keys
|
|
{% for key in sshd__key_types %}
|
|
# -> {{ key }}
|
|
{% if not sshd__manage_key_types | bool %}#{% endif -%}
|
|
HostKey /etc/ssh/ssh_host_{{ key }}_key
|
|
{% endfor %}
|
|
|
|
|
|
# Client authentication
|
|
MaxAuthTries 6
|
|
MaxSessions 10
|
|
PasswordAuthentication {{ sshd__password_authentication | ternary('yes', 'no') }}
|
|
ChallengeResponseAuthentication no
|
|
PubkeyAuthentication yes
|
|
PermitRootLogin without-password
|
|
LoginGraceTime 120
|
|
StrictModes yes
|
|
X11Forwarding {{ sshd__xforwarding | ternary('yes', 'no') }}
|
|
|
|
AllowTcpForwarding yes
|
|
#GatewayPorts no
|
|
#X11DisplayOffset 10
|
|
#X11UseLocalhost yes
|
|
#PermitTTY yes
|
|
|
|
PrintMotd no
|
|
PrintLastLog yes
|
|
TCPKeepAlive yes
|
|
|
|
#PermitUserEnvironment no
|
|
#Compression delayed
|
|
#ClientAliveInterval 0
|
|
#ClientAliveCountMax 3
|
|
#UseDNS no
|
|
#PidFile /var/run/sshd.pid
|
|
#MaxStartups 10:30:100
|
|
#PermitTunnel no
|
|
#ChrootDirectory none
|
|
#VersionAddendum none
|
|
|
|
# no default banner path
|
|
#Banner none
|
|
|
|
|
|
# If you just want the PAM account and session checks to run without
|
|
# PAM authentication, then enable this but set PasswordAuthentication
|
|
# and ChallengeResponseAuthentication to 'no'.
|
|
UsePAM yes
|
|
|
|
# User Authentication
|
|
{% if not sshd__restrict_users -%}#{%- endif -%}
|
|
AllowUsers {{ sshd__allowed_users|join(' ') }}
|
|
|
|
# Group Authentication
|
|
{% if not sshd__restrict_groups -%}#{%- endif -%}
|
|
AllowGroups {{ sshd__allowed_groups|join(' ') }}
|
|
|
|
# Allow client to pass locale environment variables
|
|
AcceptEnv LANG LC_*
|
|
|
|
# sftp (required by ansible)
|
|
# Subsystem sftp /usr/lib/openssh/sftp-server
|
|
{% if ansible_os_family == 'RedHat' %}
|
|
Subsystem sftp /usr/libexec/openssh/sftp-server
|
|
{% elif ansible_os_family == 'Archlinux' %}
|
|
Subsystem sftp /usr/lib/ssh/sftp-server
|
|
{% else %}
|
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
|
{% endif %}
|