sshd_config.j2 2.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107
  1. {% if ansible_prolog -%}
  2. {% from 'templates/ansible/prolog.j2' import prolog with context %}
  3. {{ prolog() }}
  4. {% endif -%}
  5. # Package generated configuration file
  6. # See the sshd_config(5) manpage for details
  7. # What ports, IPs and protocols we listen for
  8. {% if ssh_port is defined %}
  9. Port {{ ssh_port }}
  10. {% else %}
  11. Port 22
  12. {% endif %}
  13. {% if ssh_ports_extra is defined %}
  14. {% for port in ssh_ports_extra %}
  15. Port {{ port }}
  16. {% endfor %}
  17. {% endif %}
  18. # Use these options to restrict which interfaces/protocols sshd will bind to
  19. #ListenAddress ::
  20. #ListenAddress 0.0.0.0
  21. Protocol 2
  22. # HostKeys for protocol version 2
  23. HostKey /etc/ssh/ssh_host_rsa_key
  24. HostKey /etc/ssh/ssh_host_dsa_key
  25. {% if ssh_ecdsa_key %}
  26. HostKey /etc/ssh/ssh_host_ecdsa_key
  27. {% endif %}
  28. #Privilege Separation is turned on for security
  29. UsePrivilegeSeparation yes
  30. # Lifetime and size of ephemeral version 1 server key
  31. KeyRegenerationInterval 3600
  32. ServerKeyBits 768
  33. # Logging
  34. SyslogFacility AUTH
  35. LogLevel INFO
  36. # Authentication:
  37. LoginGraceTime 120
  38. PermitRootLogin without-password
  39. StrictModes yes
  40. RSAAuthentication yes
  41. PubkeyAuthentication yes
  42. #AuthorizedKeysFile %h/.ssh/authorized_keys
  43. # Don't read the user's ~/.rhosts and ~/.shosts files
  44. IgnoreRhosts yes
  45. # For this to work you will also need host keys in /etc/ssh_known_hosts
  46. RhostsRSAAuthentication no
  47. # similar for protocol version 2
  48. HostbasedAuthentication no
  49. # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
  50. #IgnoreUserKnownHosts yes
  51. # To enable empty passwords, change to yes (NOT RECOMMENDED)
  52. PermitEmptyPasswords no
  53. # Change to yes to enable challenge-response passwords (beware issues with
  54. # some PAM modules and threads)
  55. ChallengeResponseAuthentication no
  56. # Change to no to disable tunnelled clear text passwords
  57. #PasswordAuthentication yes
  58. # Kerberos options
  59. #KerberosAuthentication no
  60. #KerberosGetAFSToken no
  61. #KerberosOrLocalPasswd yes
  62. #KerberosTicketCleanup yes
  63. # GSSAPI options
  64. #GSSAPIAuthentication no
  65. #GSSAPICleanupCredentials yes
  66. X11Forwarding no
  67. X11DisplayOffset 10
  68. PrintMotd no
  69. PrintLastLog yes
  70. TCPKeepAlive yes
  71. #UseLogin no
  72. #MaxStartups 10:30:60
  73. #Banner /etc/issue.net
  74. # Allow client to pass locale environment variables
  75. AcceptEnv LANG LC_*
  76. Subsystem sftp /usr/lib/openssh/sftp-server
  77. # Set this to 'yes' to enable PAM authentication, account processing,
  78. # and session processing. If this is enabled, PAM authentication will
  79. # be allowed through the ChallengeResponseAuthentication and
  80. # PasswordAuthentication. Depending on your PAM configuration,
  81. # PAM authentication via ChallengeResponseAuthentication may bypass
  82. # the setting of "PermitRootLogin without-password".
  83. # If you just want the PAM account and session checks to run without
  84. # PAM authentication, then enable this but set PasswordAuthentication
  85. # and ChallengeResponseAuthentication to 'no'.
  86. UsePAM yes
  87. # Define users groups allowed to login
  88. AllowGroups root operator ssh