sshd_config.j2 4.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149
  1. {% if ansible_controlled is defined and ansible_controlled != "" %}
  2. #
  3. # {{ ansible_controlled }}
  4. #
  5. {% endif %}
  6. # $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
  7. # This is the sshd server system-wide configuration file. See
  8. # sshd_config(5) for more information.
  9. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
  10. # The strategy used for options in the default sshd_config shipped with
  11. # OpenSSH is to specify options with their default value where
  12. # possible, but leave them commented. Uncommented options override the
  13. # default value.
  14. {% for port in ssh_ports %}
  15. Port {{ port }}
  16. {% endfor %}
  17. #AddressFamily any
  18. #ListenAddress 0.0.0.0
  19. #ListenAddress ::
  20. #HostKey /etc/ssh/ssh_host_rsa_key
  21. #HostKey /etc/ssh/ssh_host_ecdsa_key
  22. #HostKey /etc/ssh/ssh_host_ed25519_key
  23. # Ciphers and keying
  24. #RekeyLimit default none
  25. {% if ssh_strengthened and ansible_lsb.major_release|int < 10 %}
  26. KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  27. Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  28. MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
  29. {% endif %}
  30. # Logging
  31. #SyslogFacility AUTH
  32. #LogLevel INFO
  33. # Authentication:
  34. #LoginGraceTime 2m
  35. #PermitRootLogin prohibit-password
  36. #StrictModes yes
  37. #MaxAuthTries 6
  38. #MaxSessions 10
  39. #PubkeyAuthentication yes
  40. # Expect .ssh/authorized_keys2 to be disregarded by default in future.
  41. #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
  42. #AuthorizedPrincipalsFile none
  43. #AuthorizedKeysCommand none
  44. #AuthorizedKeysCommandUser nobody
  45. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  46. #HostbasedAuthentication no
  47. # Change to yes if you don't trust ~/.ssh/known_hosts for
  48. # HostbasedAuthentication
  49. #IgnoreUserKnownHosts no
  50. # Don't read the user's ~/.rhosts and ~/.shosts files
  51. #IgnoreRhosts yes
  52. # To disable tunneled clear text passwords, change to no here!
  53. #PasswordAuthentication yes
  54. #PermitEmptyPasswords no
  55. # Change to yes to enable challenge-response passwords (beware issues with
  56. # some PAM modules and threads)
  57. ChallengeResponseAuthentication no
  58. # Kerberos options
  59. #KerberosAuthentication no
  60. #KerberosOrLocalPasswd yes
  61. #KerberosTicketCleanup yes
  62. #KerberosGetAFSToken no
  63. # GSSAPI options
  64. #GSSAPIAuthentication no
  65. #GSSAPICleanupCredentials yes
  66. #GSSAPIStrictAcceptorCheck yes
  67. #GSSAPIKeyExchange no
  68. # Set this to 'yes' to enable PAM authentication, account processing,
  69. # and session processing. If this is enabled, PAM authentication will
  70. # be allowed through the ChallengeResponseAuthentication and
  71. # PasswordAuthentication. Depending on your PAM configuration,
  72. # PAM authentication via ChallengeResponseAuthentication may bypass
  73. # the setting of "PermitRootLogin without-password".
  74. # If you just want the PAM account and session checks to run without
  75. # PAM authentication, then enable this but set PasswordAuthentication
  76. # and ChallengeResponseAuthentication to 'no'.
  77. UsePAM yes
  78. #AllowAgentForwarding yes
  79. #AllowTcpForwarding yes
  80. #GatewayPorts no
  81. #X11Forwarding yes
  82. #X11DisplayOffset 10
  83. #X11UseLocalhost yes
  84. #PermitTTY yes
  85. PrintMotd no
  86. #PrintLastLog yes
  87. #TCPKeepAlive yes
  88. #UseLogin no
  89. #UsePrivilegeSeparation sandbox
  90. #PermitUserEnvironment no
  91. #Compression delayed
  92. #ClientAliveInterval 0
  93. #ClientAliveCountMax 3
  94. #UseDNS no
  95. #PidFile /var/run/sshd.pid
  96. #MaxStartups 10:30:100
  97. #PermitTunnel no
  98. #ChrootDirectory none
  99. #VersionAddendum none
  100. # no default banner path
  101. #Banner none
  102. # Allow client to pass locale environment variables
  103. AcceptEnv LANG LC_*
  104. # override default of no subsystems
  105. Subsystem sftp /usr/lib/openssh/sftp-server
  106. # Example of overriding settings on a per-user basis
  107. #Match User anoncvs
  108. # X11Forwarding no
  109. # AllowTcpForwarding no
  110. # PermitTTY no
  111. # ForceCommand cvs server
  112. {% if ssh_allowed_users %}
  113. # Define users allowed to login
  114. AllowUsers {{ ssh_allowed_users | join(' ') }}
  115. {% endif %}
  116. {% if not ssh_allowed_users and ssh_allowed_groups %}
  117. # Define users groups allowed to login
  118. AllowGroups {{ ssh_allowed_groups | join(' ') }}
  119. {% endif %}
  120. {% if ssh_local_config is defined and ssh_local_config %}
  121. # Additional parameters
  122. {{ ssh_local_config|join('\n') }}
  123. {% endif %}