
{# sshd_config template, "legacy" variant: it still emits protocol-1-era
   keywords (Protocol, KeyRegenerationInterval, ServerKeyBits, RSAAuthentication,
   RhostsRSAAuthentication, UsePrivilegeSeparation) that newer OpenSSH releases
   reject or warn about, so it is presumably intended for older hosts only.
   Variables read: ansible_prolog, ssh_ports, ansible_lsb.major_release,
   ssh_usedns, ssh_allowed_users, ssh_allowed_groups, ssh_local_config.
   sshd uses the FIRST value given for a keyword, so order below matters:
   anything set here cannot be overridden by the ssh_local_config tail. #}
{% if ansible_prolog -%}
{# prolog() is expected to render a "managed by Ansible" style header; its
   exact output is defined in templates/ansible/prolog.j2, not here. #}
{% from 'templates/ansible/prolog.j2' import prolog with context %}
{{ prolog() }}
{% endif -%}
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
# One Port line per entry; an empty ssh_ports emits no Port line, so sshd
# falls back to its built-in default (22).
{% for port in ssh_ports %}
Port {{ port }}
{% endfor %}
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
# NOTE(review): DSA host keys are disabled by default in OpenSSH 7.0 and later;
# if the file is absent sshd logs a "Could not load host key" error but keeps
# running on the remaining keys — confirm whether this line is still wanted.
HostKey /etc/ssh/ssh_host_dsa_key
{# The 7 / 8 thresholds look like Debian major releases (wheezy gained ECDSA,
   jessie gained Ed25519) — verify against the target distribution. #}
{% if ansible_lsb.major_release|int >= 7 %}
HostKey /etc/ssh/ssh_host_ecdsa_key
{% endif %}
{% if ansible_lsb.major_release|int >= 8 %}
HostKey /etc/ssh/ssh_host_ed25519_key
{% endif %}
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# When ssh_usedns is true nothing is emitted and sshd's own default applies.
{% if not ssh_usedns %}
# Enable/Disable reverse DNS check
# Avoids long lag in case of IPv6 connection with no reverse configured
UseDns no
{% endif %}
# Lifetime and size of ephemeral version 1 server key
# (protocol 1 only; inert here because "Protocol 2" is set above)
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
# "without-password" is the legacy spelling of "prohibit-password": root may
# log in with a key but never with a password.
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
# NOTE(review): the keyword is commented out, so sshd's default ("yes")
# applies; combined with "UsePAM yes" below, password logins are permitted for
# every non-root account unless ssh_local_config sets PasswordAuthentication.
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# Maximum number of authentication attempts permitted per connection
MaxAuthTries 3
{# Access lists: AllowUsers wins; AllowGroups is only emitted when no users
   are listed. Entries are joined with single spaces and neither quoted nor
   validated, so an entry containing whitespace would become extra tokens —
   the inventory values are assumed to be trusted. #}
{% if ssh_allowed_users %}
# Define users allowed to login
AllowUsers {{ ssh_allowed_users | join(' ') }}
{% endif %}
{% if not ssh_allowed_users and ssh_allowed_groups %}
# Define users groups allowed to login
AllowGroups {{ ssh_allowed_groups | join(' ') }}
{% endif %}
{# ssh_local_config is a list of raw sshd_config lines written verbatim, one
   per line. Because it is appended last it can only introduce keywords not
   already set above (first value wins) and is the right place for Match
   blocks, which must come after the global settings. #}
{% if ssh_local_config is defined and ssh_local_config %}
# Additional parameters
{{ ssh_local_config|join('\n') }}
{% endif %}