ansible/akb
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update..

Browse Source
This commit is contained in:
Christoph 2020-09-26 13:47:54 +02:00
parent f78a7f3565
commit 52858bf02c
17 changed files with 2100 additions and 1021 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
group_vars/all/main.yml
View File

@ -15,6 +15,65 @@ locales:
set_default_limit_nofile: false
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_ports:
- 22
sshd_listen_address:
- '::'
- '0.0.0.0'
sshd_host_keys:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
sshd_max_startups: !!str "10:30:100"
sshd_max_auth_tries: 3
sshd_max_sessions: 10
sshd_permit_root_login: !!str "yes"
sshd_authorized_keys_file: ".ssh/authorized_keys .ssh/authorized_keys2"
sshd_pubkey_authentication: !!str "yes"
sshd_password_authentication: !!str "no"
sshd_use_pam: !!str "yes"
sshd_print_motd: !!str "no"
# sshd_kexalgorithms
#
# Example:
# sshd_kexalgorithms:
# - curve25519-sha256@libssh.org
# - diffie-hellman-group-exchange-sha256
# - diffie-hellman-group14-sha1
#
sshd_kexalgorithms: {}
# sshd_kexalgorithms
#
# Example:
# sshd_ciphers:
# - chacha20-poly1305@openssh.com
# - aes256-gcm@openssh.com
# - aes256-ctr
sshd_ciphers: {}
sshd_use_dns: !!str "no"
sshd_allowed_users: {}
# ==========
# vars used by roles/common/tasks/apt.yml
# ==========
@ -156,6 +215,7 @@ apt_initial_install_stretch:
- quotatool
- needrestart
- socat
- wakeonlan
apt_initial_install_buster:
- apt-transport-https
@ -268,6 +328,7 @@ apt_initial_install_buster:
- quotatool
- needrestart
- socat
- wakeonlan
apt_initial_install_xenial:
- apt-transport-https
@ -625,6 +686,17 @@ nfs_exports:
- 192.168.63.0/24
fs_encrypted: false
- src: 192.168.82.10:/data/samba
path: /data/samba
mount_opts: user,exec,rsize=8192,wsize=8192,hard,intr
export_opt: rw,fsid=0,root_squash,sync,subtree_check
export_networks:
- 192.168.82.0/24
- 10.0.82.0/24
- 10.1.82.0/24
- 192.168.63.0/24
fs_encrypted: false
# ==========
# vars used by roles/common/tasks/samba-install.yml
@ -634,6 +706,8 @@ apt_install_server_samba:
- samba
- nscd
# - winbind
apt_install_client_samba:
- samba-client
- samba-common
@ -860,6 +934,9 @@ nis_user:
samba_shares:
- name: Transfer
path: /data/samba/Transfer
group_valid_users: transfer
group_write_list: transfer
user:
- anna
- buero
@ -872,6 +949,9 @@ samba_shares:
- thomas
- frauke
- name: Verwaltung
path: /data/samba/Verwaltung
group_valid_users: verwaltung
group_write_list: verwaltung
user:
- anna
- jonas
@ -886,6 +966,9 @@ samba_shares:
- thomas
- frauke
- name: Scans
path: /data/samba/Scans
group_valid_users: scans
group_write_list: scans
user:
- anna
- buero
@ -899,30 +982,57 @@ samba_shares:
- thomas
- frauke
- name: Buero_Scans
path: /data/samba/Scans/Buero_Scans
group_valid_users: scans
group_write_list: scans
user:
- buero
- name: Frauke_Scans
path: /data/samba/Scans/Frauke_Scans
group_valid_users: scans
group_write_list: scans
user:
- frauke
- name: FSJ_Scans
path: /data/samba/Scans/FSJ_Scans
group_valid_users: scans
group_write_list: scans
user:
- fsj
- name: Jibran_Scans
path: /data/samba/Scans/Jibran_Scans
group_valid_users: scans
group_write_list: scans
user:
- jibran
- name: Julia_Scans
path: /data/samba/Scans/Julia_Scans
group_valid_users: scans
group_write_list: scans
user:
- julia
- name: Maica_scans
path: /data/samba/Scans/Maica_scans
group_valid_users: scans
group_write_list: scans
user:
- maica
- name: Thomas_Scans
path: /data/samba/Scans/Thomas_Scans
group_valid_users: scans
group_write_list: scans
user:
- thomas
- name: Birgit_Scans
path: /data/samba/Scans/Birgit_Scans
group_valid_users: scans
group_write_list: scans
user:
- birgit
- name: Kamera
path: /data/samba/Kamera
group_valid_users: intern
group_write_list: intern
user:
- anna
- buero
@ -933,6 +1043,9 @@ samba_shares:
- thomas
- frauke
- name: Install
path: /data/samba/Install
group_valid_users: intern
group_write_list: intern
user:
- anna
- buero

67
host_vars/192.168.82.20.yml Normal file
View File

@ -0,0 +1,67 @@
---
ansible_python_interpreter: /usr/bin/python3
# ---
# vars used by roles/common/tasks/basic.yml
# ---
set_default_limit_nofile: true
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_max_auth_tries: 6
sshd_permit_root_login: !!str "yes"
sshd_password_authentication: !!str "yes"
sshd_use_pam: !!str "no"
sshd_print_motd: !!str "yes"
# ==========
# vars used by roles/common/tasks/nfs.yml
# ==========
nfs_server: 192.168.82.20
# Set 'fs_encrypted' to true if filesystem lives on an encrypted
# partition.
#
nfs_exports:
- src: 192.168.82.20:/data/home
path: /data/home
mount_opts: user,exec,rsize=8192,wsize=8192,hard,intr
export_opt: rw,fsid=0,root_squash,sync,subtree_check
export_networks:
- 192.168.82.0/24
- 10.0.82.0/24
- 10.1.82.0/24
- 192.168.63.0/24
fs_encrypted: false
- src: 192.168.82.20:/data/samba
path: /data/samba
mount_opts: user,exec,rsize=8192,wsize=8192,hard,intr
export_opt: rw,fsid=0,root_squash,sync,subtree_check
export_networks:
- 192.168.82.0/24
- 10.0.82.0/24
- 10.1.82.0/24
- 192.168.63.0/24
fs_encrypted: false
# ==========
# vars used by roles/common/tasks/nis-install-server.yml
# vars used by roles/common/tasks/nis-user.yml
# vars used by roles/common/tasks/nis-install-client.yml
# ==========
# also used by template
# - yp.conf.j2
nis_server_address: 192.168.82.10

21
host_vars/file-akb.akb.netz.yml
View File

@ -1,3 +1,24 @@
---
ansible_python_interpreter: /usr/bin/python3
# ---
# vars used by roles/common/tasks/basic.yml
# ---
set_default_limit_nofile: true
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_max_auth_tries: 6
sshd_permit_root_login: !!str "yes"
sshd_password_authentication: !!str "yes"
sshd_use_pam: !!str "no"
sshd_print_motd: !!str "yes"

37
host_vars/pcbuero1.flr.netz.yml
View File

@ -1,37 +0,0 @@
---
# ---
# NFS
# ---
# ---
# Samba / NIS
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
sudoers_file_cmnd_aliases:
- name: MOUNT
entry: '/bin/mount,/bin/umount,/usr/bin/smb4k_mount'

18
roles/common/files/etc/samba/users.map Normal file
View File

@ -0,0 +1,18 @@
# ############################################ #
# -------------------------- #
# ** DO NOT EDIT DIRECTLY ** #
# -------------------------- #
# Ansible managed file #
# ############################################ #
# This file allows you to map usernames from the clients to the server.
# Unix_name = SMB_name1 SMB_name2 ...
#
# See section 'username map' in the manual page of smb.conf for more
# information.
#
# This file is _not_ included in the default configuration as it makes the
# usage of an user named administrator impossible.
root = admin administrator

7
roles/common/files/etc/systemd/system/rpcbind.socket.d/override.conf
View File

@ -1,3 +1,10 @@
# ############################################ #
# -------------------------- #
# ** DO NOT EDIT DIRECTLY ** #
# -------------------------- #
# Ansible managed file #
# ############################################ #
[Unit]
DefaultDependencies=no
Wants=rpcbind.target

7
roles/common/files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
View File

@ -1,3 +1,10 @@
# ############################################ #
# -------------------------- #
# ** DO NOT EDIT DIRECTLY ** #
# -------------------------- #
# Ansible managed file #
# ############################################ #
[Service]
IPAddressAllow=192.168.0.0/16

5
roles/common/handlers/main.yml
View File

@ -1,5 +1,10 @@
---
- name: Restart ssh
service:
name: ssh
state: restarted
- name: Renew nis databases
shell: make -C /var/yp
when:

27
roles/common/tasks/basic.yml
View File

@ -21,6 +21,8 @@
owner: root
group: root
state: link
when:
- "groups['file_server']|string is search(inventory_hostname)"
tags:
- symlink-sh
@ -43,3 +45,28 @@
- etc_systemd_system_conf.stat.exists == true
tags:
- systemd-nofiles
- name: (basic.yml) Check file '/etc/security/limits.conf.ORIG' exists
stat:
path: /etc/security/limits.conf.ORIG
register: etc_security_limits_conf_ORIG
tags:
- limits-conf
- name: (basic.yml) Backup installation version of file '/etc/security/limits.conf'
command: cp -a /etc/security/limits.conf /etc/security/limits.conf.ORIG
when: etc_security_limits_conf_ORIG.stat.exists == False
tags:
- limits-conf
- name: (basic.yml) Create new sshd_config from template limits.conf.j2
template:
src: etc/security/limits.conf.j2
dest: /etc/security/limits.conf
owner: root
group: root
mode: 0644
tags:
- limits-conf

7
roles/common/tasks/main.yml
View File

@ -10,6 +10,13 @@
- basic
# tags supported inside sshd.yml
#
# sshd-config
- import_tasks: sshd.yml
tags: sshd
# tags supported inside apt.yml
#
# apt-update

4
roles/common/tasks/nis-install-server.yml
View File

@ -134,13 +134,13 @@
- name: (nis-install-server.yml) Ensure directoriy 'nis_base_home' (usually /data/home) exists
file:
path: '{{ nis_base_home}}'
path: '{{ nis_base_home }}'
owner: root
group: root
mode: '0755'
state: directory
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
- "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-install
- nis-install-server

16
roles/common/tasks/samba-install.yml
View File

@ -35,6 +35,22 @@
- samba-server
- name: (samba-install.yml) Ensure file /etc/samba/users.map exists
copy:
src: "{{ role_path + '/files//etc/samba/users.map' }}"
dest: /etc/samba/users.map
owner: root
group: root
mode: 0644
when:
- "groups['samba_server']|string is search(inventory_hostname)"
notify:
- Restart smbd
- Restart nmbd
tags:
- samba-server
- name: (samba-install.yml) /etc/samba/smb.conf
template:
dest: /etc/samba/smb.conf

28
roles/common/tasks/sshd.yml Normal file
View File

@ -0,0 +1,28 @@
---
- name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
stat:
path: /etc/ssh/sshd_config.ORIG
register: etc_sshd_sshd_config_ORIG
tags:
- sshd-config
- name: (sshd.yml) Backup installation version of file '/etc/ssh/sshd_config'
command: cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
when: etc_sshd_sshd_config_ORIG.stat.exists == False
tags:
- sshd-config
- name: (sshd.yml) Create new sshd_config from template sshd_config.j2
template:
src: etc/ssh/sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: 0644
validate: 'sshd -f %s -T'
#backup: yes
notify: "Restart ssh"
tags:
- sshd-config

1305
roles/common/templates/etc/samba/smb.conf.j2
View File

File diff suppressed because it is too large Load Diff

1048
roles/common/templates/etc/samba/smb.conf.j2.BAK Normal file
View File

File diff suppressed because it is too large Load Diff

62
roles/common/templates/etc/security/limits.conf.j2 Normal file
View File

@ -0,0 +1,62 @@
# {{ ansible_managed }}
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - a user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
# - NOTE: group and wildcard limits are not applied to root.
# To apply a limit to the root user, <domain> must be
# the literal username root.
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open file descriptors
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
# - chroot - change root to directory (Debian-specific)
#
#<domain> <type> <item> <value>
#
#* soft core 0
#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#ftp - chroot /ftp
#@student - maxlogins 4
* - nofile 1048576
root - nofile 1048576
# End of file

349
roles/common/templates/etc/ssh/sshd_config.j2 Normal file
View File

@ -0,0 +1,349 @@
# {{ ansible_managed }}
#-----------------------------
# Daemon
#-----------------------------
# What ports, IPs and protocols we listen for
{% for item in sshd_ports %}
Port {{ item }}
{% endfor %}
# Specifies the local addresses sshd(8) should listen on. The following forms may be used:
#
# ListenAddress host|IPv4_addr|IPv6_addr
# ListenAddress host|IPv4_addr:port
# ListenAddress [host|IPv6_addr]:port
#
# If port is not specified, sshd will listen on the address and all Port options specified. The default
# is to listen on all local addresses. Multiple ListenAddress options are permitted.
#
# ListenAddress ::
# ListenAddress 0.0.0.0
# ListenAddress 159.69.72.24
# ListenAddress 2a01:4f8:231:171f::2
#
{% if (sshd_listen_address is defined) and sshd_listen_address %}
{% for item in sshd_listen_address %}
ListenAddress {{ item }}
{% endfor %}
{% endif %}
# Specifies the protocol versions sshd(8) supports.
# The possible values are 1 , `2' and 1,2.
# The default is 2.
Protocol 2
# HostKeys for protocol version 2
{% for item in sshd_host_keys %}
HostKey {{ item }}
{% endfor %}
# Lifetime and size of ephemeral version 1 server key
#
# Note:
# Deprecated option KeyRegenerationInterval
# Deprecated option ServerKeyBits
#
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Specifies the maximum number of concurrent unauthenticated connections
# to the SSH daemon. See sshd_config(5) for specifiing the three colon
# separated values.
# The default is 10.
#MaxStartups 10:30:100
#MaxStartups 3
MaxStartups {{ sshd_max_startups }}
# Specifies the maximum number of authentication attempts permitted per
# connection.
# The default is 6.
MaxAuthTries {{ sshd_max_auth_tries }}
# Specifies the maximum number of open sessions permitted per network
# connection.
# The default is 10.
MaxSessions {{ sshd_max_sessions }}
#-----------------------------
# Authentication
#-----------------------------
# Specifies whether sshd(8) separates privileges by creating an unprivileged
# child process to deal with incoming network traffic.
# The default is "yes" (for security).
{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 9) %}
#
# Note: (Release 7.5)
# Deprecated option UsePrivilegeSeparation
# Privilege separation has been on by default for almost 15 years
# sandboxing has been on by default for almost the last five
#
#UsePrivilegeSeparation sandbox
{% else %}
UsePrivilegeSeparation sandbox
{% endif %}
# The server disconnects after this time if the user has not
# successfully logged in.
# The default is 120 seconds.
LoginGraceTime 120
# Specifies whether root can log in using ssh(1).
# The default is "yes".
# Possible values: yes, no, prohibit-password (or teh older one: without-password)
#PermitRootLogin yes
PermitRootLogin {{ sshd_permit_root_login }}
# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
# desirable because novices sometimes accidentally leave their directory or
# files world-writable. Note that this does not apply to ChrootDirectory,
# whose permissions and ownership are checked unconditionally.
# The default is “yes”.
StrictModes yes
# Specifies whether pure RSA authentication is allowed. This option
# applies to protocol version 1 only.
# The default is “yes”.
#
# Note:
# Deprecated option RSAAuthentication
#
#RSAAuthentication yes
# Specifies whether public key authentication is allowed. Note that this
# option applies to protocol version 2 only.
# The default is “yes”.
PubkeyAuthentication {{ sshd_pubkey_authentication }}
# Specifies the file that contains the public keys that can be used for
# user authentication. The format is described in the AUTHORIZED_KEYS FILE
# FORMAT section of sshd(8).
# AuthorizedKeysFile may contain tokens of the form %T which are substituted
# during connection setup. The following tokens are defined: %% is replaced
# by a literal '%', %h is replaced by the home directory of the user being
# authenticated, and %u is replaced by the username of that user. After
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
# to the user's home directory. Multiple files may be listed, separated by
# whitespace.
# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
#AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysFile {{ sshd_authorized_keys_file }}
# Specifies whether password authentication is allowed.
# Change to no to disable tunnelled clear text passwords
# The default is "yes".
#PasswordAuthentication yes
PasswordAuthentication {{ sshd_password_authentication }}
# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
# The default is “no”.
PermitEmptyPasswords no
# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
# The default is “yes”.
ChallengeResponseAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
#
# Note:
# Deprecated option RhostsRSAAuthentication
#
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# The default is “no”.
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# If specified, login is allowed only for user names that match one of
# the patterns.
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
AllowUsers {{ fact_sshd_allowed_users }}
{% else %}
#AllowUsers back chris sysadm cityslang christoph
{% endif %}
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM {{ sshd_use_pam }}
# Specifies whether login(1) is used for interactive login sessions.
# Note that login(1) is never used for remote command execution.
# Note also, that if this is enabled, X11Forwarding will be disabled
# because login(1) does not know how to handle xauth(1) cookies. If
# UsePrivilegeSeparation is specified, it will be disabled after
# authentication.
# The default is “no”.
#UseLogin no
#-----------------------------
# Cryptography
#-----------------------------
# Specifies the available KEX (Key Exchange) algorithms.
# The default is:
## curve25519-sha256@libssh.org,
## ecdh-sha2-nistp256,
## ecdh-sha2-nistp384,
## ecdh-sha2-nistp521,
## diffie-hellman-group-exchange-sha256,
## diffie-hellman-group14-sha1.
{% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
KexAlgorithms {{ fact_sshd_kexalgorithms }}
{% else %}
#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
{% endif %}
# Specifies the ciphers allowed for protocol version 2.
# The default is:
## aes128-ctr,
## aes192-ctr,
## aes256-ctr,
## aes128-gcm@openssh.com,
## aes256-gcm@openssh.com,
## chacha20-poly1305@openssh.com.
{% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
Ciphers {{ fact_sshd_ciphers }}
{% else %}
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
{% endif %}
# Specifies the available MAC (message authentication code) algorithms.
# The default is:
## umac-64-etm@openssh.com,
## umac-128-etm@openssh.com,
## hmac-sha2-256-etm@openssh.com,
## hmac-sha2-512-etm@openssh.com,
## umac-64@openssh.com,
## umac-128@openssh.com,
## hmac-sha2-256,
## hmac-sha2-512.
{% if (fact_sshd_macs is defined) and fact_sshd_macs %}
MACs {{ fact_sshd_macs }}
{% else %}
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
{% endif %}
#-----------------------------
# Logging
#-----------------------------
# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
# The default is AUTH.
SyslogFacility AUTH
# Gives the verbosity level that is used when logging messages from
# sshd(8).
# The default is INFO.
LogLevel INFO
#-----------------------------
# Behavior
#-----------------------------
# Specifies whether the distribution-specified extra version suffix is included
# during initial protocol handshake.
# The default is "yes".
DebianBanner no
# The contents of the specified file are sent to the remote user before
# authentication is allowed.
# By default, no banner is displayed.
#Banner /etc/issue.net
# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
# The default is “yes”.
PrintMotd {{ sshd_print_motd }}
# Specifies what environment variables sent by the client will be copied
# into the session's environ(7).
# The default is not to accept any environment variables.
AcceptEnv LANG LC_*
# Configures an external subsystem (e.g. file transfer daemon).
# By default no subsystems are defined.
Subsystem sftp /usr/lib/openssh/sftp-server
# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the
# very same IP address.
# The default is “yes”.
UseDNS {{ sshd_use_dns }}
# Specifies whether X11 forwarding is permitted. The argument must be
# “yes” or “no”. See sshd_config(5) for further expalnation
# The default is “no”.
#X11Forwarding yes
# Specifies the first display number available for sshd(8)'s X11
# forwarding. This prevents sshd from interfering with real X11 servers.
# The default is 10.
X11DisplayOffset 10
# Specifies whether the system should send TCP keepalive messages to the
# other side. If they are sent, death of the connection or crash of one
# of the machines will be properly noticed. However, this means
# that connections will die if the route is down temporarily, and some
# people find it annoying. On the other hand, if TCP keepalives are not
# sent, sessions may hang indefinitely on the server, leaving “ghost” users
# and consuming server resources.
#
# The default is “yes” (to send TCP keepalive messages), and the server
# will notice if the network goes down or the client host crashes. This
# avoids infinitely hanging sessions.
TCPKeepAlive yes
#Specifies whether sshd(8) should print the date and time of the last
# user login when a user logs in interactively.
# The default is “yes”.
PrintLastLog yes
#-----------------------------
# Kerberos options
#-----------------------------
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#-----------------------------
# GSSAPI options
#-----------------------------
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes