sshd_config.j2 4.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148
  1. {% if ansible_prolog -%}
  2. {% from 'templates/ansible/prolog.j2' import prolog with context %}
  3. {{ prolog() }}
  4. {% endif -%}
  5. # $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
  6. # This is the sshd server system-wide configuration file. See
  7. # sshd_config(5) for more information.
  8. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
  9. # The strategy used for options in the default sshd_config shipped with
  10. # OpenSSH is to specify options with their default value where
  11. # possible, but leave them commented. Uncommented options override the
  12. # default value.
  13. {% for port in ssh_ports %}
  14. Port {{ port }}
  15. {% endfor %}
  16. #AddressFamily any
  17. #ListenAddress 0.0.0.0
  18. #ListenAddress ::
  19. #HostKey /etc/ssh/ssh_host_rsa_key
  20. #HostKey /etc/ssh/ssh_host_ecdsa_key
  21. #HostKey /etc/ssh/ssh_host_ed25519_key
  22. # Ciphers and keying
  23. #RekeyLimit default none
  24. {% if ssh_strengthened %}
  25. KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  26. Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  27. MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
  28. {% endif %}
  29. # Logging
  30. #SyslogFacility AUTH
  31. #LogLevel INFO
  32. # Authentication:
  33. #LoginGraceTime 2m
  34. #PermitRootLogin prohibit-password
  35. #StrictModes yes
  36. #MaxAuthTries 6
  37. #MaxSessions 10
  38. #PubkeyAuthentication yes
  39. # Expect .ssh/authorized_keys2 to be disregarded by default in future.
  40. #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
  41. #AuthorizedPrincipalsFile none
  42. #AuthorizedKeysCommand none
  43. #AuthorizedKeysCommandUser nobody
  44. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  45. #HostbasedAuthentication no
  46. # Change to yes if you don't trust ~/.ssh/known_hosts for
  47. # HostbasedAuthentication
  48. #IgnoreUserKnownHosts no
  49. # Don't read the user's ~/.rhosts and ~/.shosts files
  50. #IgnoreRhosts yes
  51. # To disable tunneled clear text passwords, change to no here!
  52. #PasswordAuthentication yes
  53. #PermitEmptyPasswords no
  54. # Change to yes to enable challenge-response passwords (beware issues with
  55. # some PAM modules and threads)
  56. ChallengeResponseAuthentication no
  57. # Kerberos options
  58. #KerberosAuthentication no
  59. #KerberosOrLocalPasswd yes
  60. #KerberosTicketCleanup yes
  61. #KerberosGetAFSToken no
  62. # GSSAPI options
  63. #GSSAPIAuthentication no
  64. #GSSAPICleanupCredentials yes
  65. #GSSAPIStrictAcceptorCheck yes
  66. #GSSAPIKeyExchange no
  67. # Set this to 'yes' to enable PAM authentication, account processing,
  68. # and session processing. If this is enabled, PAM authentication will
  69. # be allowed through the ChallengeResponseAuthentication and
  70. # PasswordAuthentication. Depending on your PAM configuration,
  71. # PAM authentication via ChallengeResponseAuthentication may bypass
  72. # the setting of "PermitRootLogin without-password".
  73. # If you just want the PAM account and session checks to run without
  74. # PAM authentication, then enable this but set PasswordAuthentication
  75. # and ChallengeResponseAuthentication to 'no'.
  76. UsePAM yes
  77. #AllowAgentForwarding yes
  78. #AllowTcpForwarding yes
  79. #GatewayPorts no
  80. #X11Forwarding yes
  81. #X11DisplayOffset 10
  82. #X11UseLocalhost yes
  83. #PermitTTY yes
  84. PrintMotd no
  85. #PrintLastLog yes
  86. #TCPKeepAlive yes
  87. #UseLogin no
  88. #UsePrivilegeSeparation sandbox
  89. #PermitUserEnvironment no
  90. #Compression delayed
  91. #ClientAliveInterval 0
  92. #ClientAliveCountMax 3
  93. #UseDNS no
  94. #PidFile /var/run/sshd.pid
  95. #MaxStartups 10:30:100
  96. #PermitTunnel no
  97. #ChrootDirectory none
  98. #VersionAddendum none
  99. # no default banner path
  100. #Banner none
  101. # Allow client to pass locale environment variables
  102. AcceptEnv LANG LC_*
  103. # override default of no subsystems
  104. Subsystem sftp /usr/lib/openssh/sftp-server
  105. # Example of overriding settings on a per-user basis
  106. #Match User anoncvs
  107. # X11Forwarding no
  108. # AllowTcpForwarding no
  109. # PermitTTY no
  110. # ForceCommand cvs server
  111. {% if ssh_allowed_users %}
  112. # Define users allowed to login
  113. AllowUsers {{ ssh_allowed_users | join(' ') }}
  114. {% endif %}
  115. {% if not ssh_allowed_users and ssh_allowed_groups %}
  116. # Define users groups allowed to login
  117. AllowGroups {{ ssh_allowed_groups | join(' ') }}
  118. {% endif %}
  119. {% if ssh_local_config is defined and ssh_local_config %}
  120. # Additional parameters
  121. {{ ssh_local_config|join('\n') }}
  122. {% endif %}