sshd_config.j2 3.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115
  1. {% if ansible_prolog -%}
  2. {% from 'templates/ansible/prolog.j2' import prolog with context %}
  3. {{ prolog() }}
  4. {% endif -%}
  5. # Package generated configuration file
  6. # See the sshd_config(5) manpage for details
  7. # What ports, IPs and protocols we listen for
  8. {% for port in ssh_ports %}
  9. Port {{ port }}
  10. {% endfor %}
  11. # Use these options to restrict which interfaces/protocols sshd will bind to
  12. #ListenAddress ::
  13. #ListenAddress 0.0.0.0
  14. Protocol 2
  15. # HostKeys for protocol version 2
  16. HostKey /etc/ssh/ssh_host_rsa_key
  17. HostKey /etc/ssh/ssh_host_dsa_key
  18. {% if ssh_ecdsa_key %}
  19. HostKey /etc/ssh/ssh_host_ecdsa_key
  20. {% endif %}
  21. #Privilege Separation is turned on for security
  22. UsePrivilegeSeparation yes
  23. {% if not ssh_usedns %}
  24. # Enable/Disable reverse DNS check
  25. # Avois long lag in case of IPv6 connection with no reverse configured
  26. UseDns no
  27. {% endif %}
  28. # Lifetime and size of ephemeral version 1 server key
  29. KeyRegenerationInterval 3600
  30. ServerKeyBits 1024
  31. # Logging
  32. SyslogFacility AUTH
  33. LogLevel INFO
  34. # Authentication:
  35. LoginGraceTime 120
  36. PermitRootLogin without-password
  37. StrictModes yes
  38. RSAAuthentication yes
  39. PubkeyAuthentication yes
  40. #AuthorizedKeysFile %h/.ssh/authorized_keys
  41. # Don't read the user's ~/.rhosts and ~/.shosts files
  42. IgnoreRhosts yes
  43. # For this to work you will also need host keys in /etc/ssh_known_hosts
  44. RhostsRSAAuthentication no
  45. # similar for protocol version 2
  46. HostbasedAuthentication no
  47. # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
  48. #IgnoreUserKnownHosts yes
  49. # To enable empty passwords, change to yes (NOT RECOMMENDED)
  50. PermitEmptyPasswords no
  51. # Change to yes to enable challenge-response passwords (beware issues with
  52. # some PAM modules and threads)
  53. ChallengeResponseAuthentication no
  54. # Change to no to disable tunnelled clear text passwords
  55. #PasswordAuthentication yes
  56. # Kerberos options
  57. #KerberosAuthentication no
  58. #KerberosGetAFSToken no
  59. #KerberosOrLocalPasswd yes
  60. #KerberosTicketCleanup yes
  61. # GSSAPI options
  62. #GSSAPIAuthentication no
  63. #GSSAPICleanupCredentials yes
  64. X11Forwarding no
  65. X11DisplayOffset 10
  66. PrintMotd no
  67. PrintLastLog yes
  68. TCPKeepAlive yes
  69. #UseLogin no
  70. #MaxStartups 10:30:60
  71. #Banner /etc/issue.net
  72. # Allow client to pass locale environment variables
  73. AcceptEnv LANG LC_*
  74. Subsystem sftp /usr/lib/openssh/sftp-server
  75. # Set this to 'yes' to enable PAM authentication, account processing,
  76. # and session processing. If this is enabled, PAM authentication will
  77. # be allowed through the ChallengeResponseAuthentication and
  78. # PasswordAuthentication. Depending on your PAM configuration,
  79. # PAM authentication via ChallengeResponseAuthentication may bypass
  80. # the setting of "PermitRootLogin without-password".
  81. # If you just want the PAM account and session checks to run without
  82. # PAM authentication, then enable this but set PasswordAuthentication
  83. # and ChallengeResponseAuthentication to 'no'.
  84. UsePAM yes
  85. # Maximum number of authentication attempts permitted per connection
  86. MaxAuthTries 3
  87. {% if ssh_allowed_users %}
  88. # Define users allowed to login
  89. AllowUsers {{ ssh_allowed_users | join(' ') }}
  90. {% endif %}
  91. {% if not ssh_allowed_users and ssh_allowed_groups %}
  92. # Define users groups allowed to login
  93. AllowGroups {{ ssh_allowed_groups | join(' ') }}
  94. {% endif %}