1
0
Fork 0
mirror of https://github.com/roles-ansible/ansible_role_sshd.git synced 2024-08-16 11:59:49 +02:00
ansible_role_sshd/templates/sshd_config.j2
2022-08-31 12:01:10 +02:00

132 lines
3 KiB
Django/Jinja

# Attention, local changew will be overwritten
# MIT (C) L3D <l3d@c3woc.de>
# {{ ansible_managed }}
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
{% if sshd__version_is_above_eight | default(false) | bool %}
# Include SSHD config snippets
Include /etc/ssh/sshd_config.d/*.conf
{% endif %}
# Networking
Port {{ sshd__port }}
AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
TCPKeepAlive yes
# SSHD Key exchange
# -> HostkeyAlgorithms
{% if not sshd__manage_key_algorithmus | bool %}#{% endif -%}
{{ 'HostkeyAlgorithms ' }}
{%- for algo in sshd__key_algorithmus -%}
{{- algo -}}
{{- "," if not loop.last -}}
{%- endfor %}
# -> KexAlgorithms
{% if not sshd__manage_kex_algorithmus | bool %}#{% endif -%}
{{ 'KexAlgorithms ' }}
{%- for algo in sshd__kex_algorithmus -%}
{{- algo -}}
{{- "," if not loop.last -}}
{%- endfor %}
# Ciphers and keying
# RekeyLimit default none
# -> Ciphers
{% if not sshd__manage_ciphers | bool %}#{% endif -%}
{{ 'Ciphers ' }}
{%- for cipher in sshd__ciphers -%}
{{- cipher -}}
{{- "," if not loop.last -}}
{%- endfor %}
# -> Macs
{% if not sshd__manage_macs | bool %}#{% endif -%}
{{ 'MACs ' }}
{%- for mac in sshd__macs -%}
{{- mac -}}
{{- "," if not loop.last -}}
{%- endfor %}
# Server Authentication
Protocol 2
# Logging
SyslogFacility AUTH
LogLevel INFO
# SSHD Host Keys
{% for key in sshd__key_types %}
# -> {{ key }}
{% if not sshd__manage_key_types | bool %}#{% endif -%}
HostKey /etc/ssh/ssh_host_{{ key }}_key
{% endfor %}
# Client authentication
MaxAuthTries 6
MaxSessions 10
PasswordAuthentication {{ sshd__password_authentication | ternary('yes', 'no') }}
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin without-password
LoginGraceTime 120
StrictModes yes
X11Forwarding {{ sshd__xforwarding | ternary('yes', 'no') }}
AllowTcpForwarding yes
#GatewayPorts no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# User Authentication
{% if not sshd__restrict_users -%}#{%- endif -%}
AllowUsers {{ sshd__allowed_users|join(' ') }}
# Group Authentication
{% if not sshd__restrict_groups -%}#{%- endif -%}
AllowGroups {{ sshd__allowed_groups|join(' ') }}
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# sftp (required by ansible)
# Subsystem sftp /usr/lib/openssh/sftp-server
{% if ansible_os_family == 'RedHat' %}
Subsystem sftp /usr/libexec/openssh/sftp-server
{% elif ansible_os_family == 'Archlinux' %}
Subsystem sftp /usr/lib/ssh/sftp-server
{% else %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}