diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 6fa505d..1a72095 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -816,6 +816,319 @@ locales: set_default_limit_nofile: false +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + +sshd_ports: + - 22 + +sshd_listen_address: + - '::' + - '0.0.0.0' + +sshd_host_keys: + - /etc/ssh/ssh_host_rsa_key + - /etc/ssh/ssh_host_ecdsa_key + - /etc/ssh/ssh_host_ed25519_key + +sshd_permit_root_login: !!str "no" + +sshd_authorized_keys_file: ".ssh/authorized_keys .ssh/authorized_keys2" + +sshd_pubkey_authentication: !!str "yes" + +sshd_password_authentication: !!str "no" + +sshd_use_pam: !!str "yes" + +sshd_print_motd: !!str "no" + +# sshd_kexalgorithms +# +# Example: +# sshd_kexalgorithms: +# - curve25519-sha256@libssh.org +# - diffie-hellman-group-exchange-sha256 +# - diffie-hellman-group14-sha1 +# +sshd_kexalgorithms: {} + +# sshd_kexalgorithms +# +# Example: +# sshd_ciphers: +# - chacha20-poly1305@openssh.com +# - aes256-gcm@openssh.com +# - aes256-ctr +sshd_ciphers: {} + +sshd_use_dns: !!str "no" + +sshd_allowed_users: {} + + +# --- +# vars used by apt.yml +# --- + +apt_manage_sources_list: true + +apt_src_enable: true +apt_backports_enable: true + +apt_debian_mirror: http://ftp.de.debian.org/debian/ +apt_debian_contrib_nonfree_enable: true + +apt_update_cache_valid_time: 3600 + +apt_upgrade: true +apt_update: true + +apt_clean: true +apt_autoremove: true + +apt_dpkg_configure: true +apt_upgrade_type: dist +apt_upgrade_dpkg_options: + - force-confdef + - force-confold +apt_initial_install_stretch: + - apt-transport-https + - dbus + - openssh-server + - rssh + - vim + - vim-common + - vim-doc + - mc + - screen + - tmux + - bc + - figlet + - rcconf + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - exuberant-ctags + - mime-support + - file + - coreutils + - moreutils + - less + - realpath + - sipcalc + - psmisc + - dnsutils + - rblcheck + - whois + - gettext + - gettext-base + - gettext-doc + - 
debian-keyring + - patch + - patchutils + - recode + - recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules-5.24 + - perl-doc + - libperl-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libreadline5 + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man-db + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart + +apt_initial_install_buster: + - apt-transport-https + - dbus + - openssh-server + - rush + - vim + - vim-common + - vim-doc + - mc + - screen + - tmux + - bc + - figlet + - rcconf + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - ctags + - mime-support + - file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - dnsutils + - rblcheck + - whois + - gettext + - gettext-base + - gettext-doc + - debian-keyring + - patch + - patchutils + - recode + - recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules-5.28 + - perl-doc + - libperl-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libio-compress-perl + - libreadline5 + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - 
ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart + +apt_install: {} +apt_install_state: latest + +apt_remove: + - apt-transport-tor + - tor + - tor-geoipdb + - torsocks + +apt_remove_purge: false + +microcode_package: intel-microcode + + # --- # vars used by roles/common/tasks/sudoers.yml # --- diff --git a/host_vars/file-mbr.mbr-bln.netz.yml b/host_vars/file-mbr.mbr-bln.netz.yml index 165337e..15e708a 100644 --- a/host_vars/file-mbr.mbr-bln.netz.yml +++ b/host_vars/file-mbr.mbr-bln.netz.yml @@ -1,3 +1,21 @@ --- ansible_python_interpreter: /usr/bin/python3 + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + +set_default_limit_nofile: true + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + +sshd_permit_root_login: !!str "yes" + +sshd_use_pam: !!str "no" + +sshd_print_motd: !!str "yes" + diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 6f0d681..e41b315 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -1,5 +1,25 @@ --- +- name: Update timezone + command: dpkg-reconfigure --frontend noninteractive tzdata + +#- name: Restart ssh +# shell: sleep 3; systemctl restart sshd +# async: 1 +# poll: 0 + +# Does NOT Work +# +# Error was: +# Start request repeated too quickly. +# +# See also: https://github.com/ansible/ansible-modules-core/issues/1533 +# +- name: Restart ssh + service: + name: ssh + state: restarted + - name: Renew nis databases shell: make -C /var/yp when: diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml new file mode 100644 index 0000000..925b8db --- /dev/null +++ b/roles/common/tasks/apt.yml 
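Review bot: The sshd hardening variables declared in this hunk never reach the rendered config: `sshd_kexalgorithms`, `sshd_ciphers` and `sshd_allowed_users` default to an empty mapping `{}` although the examples above them show lists, and roles/common/templates/etc/ssh/sshd_config.j2 in this same commit reads `fact_sshd_kexalgorithms`, `fact_sshd_ciphers`, `fact_sshd_macs` and `fact_sshd_allowed_users`, which nothing in the diff sets. A host that sets `sshd_ciphers` here therefore silently keeps the OpenSSH defaults. Default them to `[]`, add a matching `sshd_macs: []`, and either rename the template references or add a `set_fact` in sshd.yml that joins the lists, e.g. `fact_sshd_ciphers: "{{ sshd_ciphers | join(',') }}"`. The `diffie-hellman-group14-sha1` entry in the kex example is a SHA-1 exchange and should not be shown as a recommended value; `apt_debian_mirror` could also use https since `apt-transport-https` is in the base package set.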
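Review bot: `sshd_permit_root_login: !!str "yes"` on this host re-enables root login for every authentication method, while the surrounding defaults (password auth `no` inherited from group_vars) suggest key-only root is the intent; `prohibit-password` states that directly and keeps root out of password login even if `sshd_password_authentication` is later flipped for this host. `sshd_use_pam: !!str "no"` has no effect at all, because sshd_config.j2 in this commit hardcodes `UsePAM yes` instead of rendering the variable. Suggest `sshd_permit_root_login: !!str "prohibit-password"` and either dropping `sshd_use_pam` here or wiring it into the template.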
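Review bot: The `Restart ssh` handler performs a full restart; sshd re-reads sshd_config on SIGHUP, so `state: reloaded` applies the new template without a listener gap and is the usual choice when the play is itself running over the connection being reconfigured. The preceding comment about "Start request repeated too quickly" documents why the async `sleep; systemctl restart` variant was abandoned; it would help to note that this is systemd's start-rate limit hitting the unit, not a property of the service module, so a future reader does not re-try the async form. Proposed change: `state: reloaded`.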
@@ -0,0 +1,130 @@
+---
+
+- name: (apt.yml) update configuration file - /etc/apt/sources.list
+ template:
+ src: "etc/apt/sources.list.{{ ansible_distribution }}.j2"
+ dest: /etc/apt/sources.list
+ owner: root
+ group: root
+ mode: 0644
+ register: apt_config_updated
+ when: apt_manage_sources_list|bool
+ tags:
+ - apt-configuration
+
+- name: (apt.yml) apt update
+ apt:
+ update_cache: true
+ cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
+ when: apt_update|bool
+ tags:
+ - apt-update
+ - apt-upgrade
+ - apt-dpkg-configure
+ - apt-initial-install
+ - apt-microcode
+ - apt-compiler-pkgs
+ - apt-webserver-pkgs
+
+- name: (apt.yml) dpkg --configure
+ command: >
+ dpkg --configure -a
+ args:
+ warn: false
+ changed_when: _dpkg_configure.stdout_lines | length
+ register: _dpkg_configure
+ when: apt_dpkg_configure|bool
+ tags:
+ - apt-dpkg-configure
+ - apt-initial-install
+ - apt-microcode
+ - apt-compiler-pkgs
+ - apt-webserver-pkgs
+
+- name: (apt.yml) apt upgrade
+ apt:
+ upgrade: "{{ apt_upgrade_type }}"
+ update_cache: true
+ dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
+ when: apt_upgrade|bool
+ tags:
+ - apt-upgrade
+ - apt-initial-install
+ - apt-microcode
+ - apt-compiler-pkgs
+ - apt-webserver-pkgs
+
+- name: (apt.yml) Initial install debian packages (stretch)
+ apt:
+ name: "{{ apt_initial_install_stretch }}"
+ state: "{{ apt_install_state }}"
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - ansible_facts['distribution_major_version'] == "9"
+ tags:
+ - apt-initial-install
+
+- name: (apt.yml) Initial install debian packages (buster)
+ apt:
+ name: "{{ apt_initial_install_buster }}"
+ state: "{{ apt_install_state }}"
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - ansible_facts['distribution_major_version'] == "10"
+ tags:
+ - apt-initial-install
+
+- name: (apt.yml) Ensure we have CPU microcode from backports (debian stretch)
+ apt:
+ name: "{{ microcode_package }}"
+ state: present
+ default_release: "{{ ansible_distribution_release }}-backports"
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - ansible_facts['distribution_major_version'] == "9"
+ - ansible_facts['processor']|string is search("Intel")
+ tags:
+ - apt-initial-install
+ - apt-microcode
+
+- name: (apt.yml) Install CPU microcode (debian buster)
+ apt:
+ name: "{{ microcode_package }}"
+ state: present
+ default_release: "{{ ansible_distribution_release }}"
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - ansible_facts['distribution_major_version'] == "10"
+ - ansible_facts['processor']|string is search("Intel")
+ tags:
+ - apt-initial-install
+ - apt-microcode
+
+- name: (apt.yml) Remove unwanted packages
+ apt:
+ name: "{{ apt_remove }}"
+ state: absent
+ purge: "{{ apt_remove_purge }}"
+ tags:
+ - apt-remove
+
+- name: (apt.yml) autoremove
+ apt:
+ autoremove: true
+ dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
+ when: apt_autoremove|bool
+ tags:
+ - apt-autoremove
+ - apt-initial-install
+ - apt-microcode
+
+- name: (apt.yml) clean
+ command: apt-get -y clean
+ args:
+ warn: false
+ changed_when: false
+ when: apt_clean|bool
+ tags:
+ - apt-clean
+ - apt-initial-install
+ - apt-microcode
diff --git a/roles/common/tasks/basic.yml b/roles/common/tasks/basic.yml
new file mode 100644
index 0000000..f3433fd
--- /dev/null
+++ b/roles/common/tasks/basic.yml
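Review bot: Both microcode tasks only run when `ansible_facts['processor']` matches "Intel" and `microcode_package` is pinned to `intel-microcode`, so AMD hosts never get `amd64-microcode` and silently miss the firmware side of the CPU vulnerability mitigations the rest of this role assumes. Select the package by vendor and drop the Intel-only condition, e.g. in group_vars `microcode_package: "{{ 'amd64-microcode' if ansible_facts['processor']|string is search('AMD') else 'intel-microcode' }}"`, leaving the task `when` with just the distribution checks. Two smaller points: `mode: 0644` on the sources.list template should be the quoted string `"0644"` so the YAML parser does not hand the module decimal 420, and `args: warn: false` on the two `command` tasks has been removed from newer ansible-core, so if the target Ansible version is not pinned it is safer to drop it.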
@@ -0,0 +1,45 @@ +--- + +- name: (basic.yml) Ensure timezone is is correct + timezone: name={{ time_zone }} + tags: + - timezone + + +- name: (basic.yml) Ensure locales are present + locale_gen: + name: "{{ item }}" + state: present + with_items: "{{ locales }}" + tags: + - locales + +- name: (basic.yml) Create a symbolic link /bin/sh -> bash + file: + src: bash + dest: /bin/sh + owner: root + group: root + state: link + tags: + - symlink-sh + +- name: (basic.yml) Check file '/etc/systemd/system.conf' exists + stat: + path: /etc/systemd/system + register: etc_systemd_system_conf + when: + - set_default_limit_nofile|bool == true + +- name: (basic.yml) Change DefaultLimitNOFILE to 1048576 + lineinfile: + dest: /etc/systemd/system.conf + state: present + regexp: '^DefaultLimitNOFILE' + line: 'DefaultLimitNOFILE=1048576' + insertafter: '^#DefaultLimitNOFILE' + when: + - set_default_limit_nofile|bool == true + - etc_systemd_system_conf.stat.exists == true + tags: + - systemd-nofiles diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index a345546..a1e7819 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,6 +1,34 @@ --- +# tags supported inside basic.yml +# +# timezone +# locales +# systemd-nofiles +- import_tasks: basic.yml + tags: + - basic + +# tags supported inside sshd.yml +# +# sshd-config +- import_tasks: sshd.yml + tags: sshd + +# tags supported inside apt.yml +# +# apt-update +# apt-upgrade +# apt-dpkg-configure +# apt-initial-install +# apt-microcode +# apt-remove +# apt-autoremove +# apt-clean +- import_tasks: apt.yml + tags: apt + # tags supported inside nfs.yml: # # nfs-server diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml new file mode 100644 index 0000000..3ab1b69 --- /dev/null +++ b/roles/common/tasks/sshd.yml 
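Review bot: The task named "Check file '/etc/systemd/system.conf' exists" stats `/etc/systemd/system` (the unit drop-in directory, present on every systemd host) instead of `/etc/systemd/system.conf`, so the guard on the following lineinfile task never reflects the file it edits; change it to `path: /etc/systemd/system.conf`. That stat task also carries no tag, so a run with `--tags systemd-nofiles` skips it and the lineinfile task then fails on the undefined `etc_systemd_system_conf`; give it `tags: - systemd-nofiles` as well. Separately, repointing `/bin/sh` at bash changes the interpreter for every `#!/bin/sh` script, cron job and package maintainer script on the host; that may be intended, but the task deserves a comment stating why, since it is a system-wide behaviour change that will not survive a dash upgrade cleanly.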
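Review bot: The "tags supported inside basic.yml" comment omits `symlink-sh`, which basic.yml in this commit defines, so a reader picking tags from main.yml will not find it; add `# symlink-sh` to that block. The apt.yml list likewise leaves out `apt-configuration`, `apt-compiler-pkgs` and `apt-webserver-pkgs`, all of which appear on tasks in apt.yml. The hunk's trailing context continues past what is visible here, so the nfs.yml comment block may have further entries not shown.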
@@ -0,0 +1,28 @@
+---
+
+- name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
+ stat:
+ path: /etc/ssh/sshd_config.ORIG
+ register: etc_sshd_sshd_config_ORIG
+ tags:
+ - sshd-config
+
+- name: (sshd.yml) Backup installation version of file '/etc/ssh/sshd_config'
+ command: cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
+ when: etc_sshd_sshd_config_ORIG.stat.exists == False
+ tags:
+ - sshd-config
+
+- name: (sshd.yml) Create new sshd_config from template sshd_config.j2
+ template:
+ src: etc/ssh/sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: 0644
+ validate: 'sshd -f %s -T'
+ #backup: yes
+ notify: "Restart ssh"
+ tags:
+ - sshd-config
+
diff --git a/roles/common/templates/etc/apt/sources.list.Debian.j2 b/roles/common/templates/etc/apt/sources.list.Debian.j2
new file mode 100644
index 0000000..8e79f45
--- /dev/null
+++ b/roles/common/templates/etc/apt/sources.list.Debian.j2
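Review bot: `mode: 0644` on the sshd_config template should be the quoted string `mode: "0644"`; an unquoted leading-zero scalar is parsed as an integer and Ansible's file modules expect the octal string form. The stat + `cp -a` pair can become one idempotent task with `args: creates: /etc/ssh/sshd_config.ORIG`, and `when: ... == False` reads better as `when: not etc_sshd_sshd_config_ORIG.stat.exists`. `validate: 'sshd -f %s -T'` is the right lockout guard, but `-T` only proves the file parses; it does not tell you whether the rendered `AllowUsers`/`PermitRootLogin` still admit the account Ansible connects as, so hosts that set `sshd_allowed_users` deserve a post-handler login check before the play moves on.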
@@ -0,0 +1,28 @@
+# {{ ansible_managed }}
+
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
+
+deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
+{{ '# ' if not apt_src_enable else '' }}deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
+
+# {{ ansible_lsb.codename }}-updates, previously known as 'volatile'
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
+
+# Contrib packages contain DFSG-compliant software,
+# but have dependencies not in main (possibly packaged for Debian in non-free).
+# Non-free contains software that does not comply with the DFSG.
+{% if apt_debian_contrib_nonfree_enable %}
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
+{% endif %}
+
+# # N.B. software from this repository may not have been tested as
+# # extensively as that contained in the main release, although it includes
+# # newer versions of some applications which may provide useful features.
+{% if apt_backports_enable %}
+deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
+{% endif %}
+
diff --git a/roles/common/templates/etc/ssh/sshd_config.j2 b/roles/common/templates/etc/ssh/sshd_config.j2
new file mode 100644
index 0000000..bf36834
--- /dev/null
+++ b/roles/common/templates/etc/ssh/sshd_config.j2
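Review bot: The main, security and updates entries use `ansible_lsb.codename` while the backports entries use `ansible_distribution_release`; `ansible_lsb` is only populated when `lsb_release` is available on the target, and `lsb-release` is installed by apt.yml's initial-install task after this template has already been rendered, so on a host without it the first run aborts with an undefined `codename`. Use `ansible_distribution_release` throughout. The backports lines also hard-code `main contrib non-free`, ignoring `apt_debian_contrib_nonfree_enable`; gate the extra components on the same flag so a host that opts out of non-free does not get it back via backports. Plain-http mirrors are protected by apt's signature verification, but since `apt-transport-https` is part of the base install the mirror and security URLs can move to https to also keep package selection off the wire.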
@@ -0,0 +1,349 @@ +# {{ ansible_managed }} + +#----------------------------- +# Daemon +#----------------------------- + +# What ports, IPs and protocols we listen for +{% for item in sshd_ports %} +Port {{ item }} +{% endfor %} + +# Specifies the local addresses sshd(8) should listen on. The following forms may be used: +# +# ListenAddress host|IPv4_addr|IPv6_addr +# ListenAddress host|IPv4_addr:port +# ListenAddress [host|IPv6_addr]:port +# +# If port is not specified, sshd will listen on the address and all Port options specified. The default +# is to listen on all local addresses. Multiple ListenAddress options are permitted. +# +# ListenAddress :: +# ListenAddress 0.0.0.0 +# ListenAddress 159.69.72.24 +# ListenAddress 2a01:4f8:231:171f::2 +# +{% if (sshd_listen_address is defined) and sshd_listen_address %} +{% for item in sshd_listen_address %} +ListenAddress {{ item }} +{% endfor %} +{% endif %} + +# Specifies the protocol versions sshd(8) supports. +# The possible values are ‘1’ , `2' and ‘1,2’. +# The default is ‘2’. +Protocol 2 + +# HostKeys for protocol version 2 +{% for item in sshd_host_keys %} +HostKey {{ item }} +{% endfor %} + +# Lifetime and size of ephemeral version 1 server key +# +# Note: +# Deprecated option KeyRegenerationInterval +# Deprecated option ServerKeyBits +# +#KeyRegenerationInterval 3600 +#ServerKeyBits 768 + +# Specifies the maximum number of concurrent unauthenticated connections +# to the SSH daemon. See sshd_config(5) for specifiing the three colon +# separated values. +# The default is 10. +#MaxStartups 10:30:100 +#MaxStartups 3 +MaxStartups 10:30:100 + +# Specifies the maximum number of authentication attempts permitted per +# connection. +# The default is 6. +MaxAuthTries 3 + +# Specifies the maximum number of open sessions permitted per network +# connection. +# The default is 10. 
+MaxSessions 10 + + +#----------------------------- +# Authentication +#----------------------------- + +# Specifies whether sshd(8) separates privileges by creating an unprivileged +# child process to deal with incoming network traffic. +# The default is "yes" (for security). +{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 9) %} +# +# Note: (Release 7.5) +# Deprecated option UsePrivilegeSeparation +# Privilege separation has been on by default for almost 15 years +# sandboxing has been on by default for almost the last five +# +#UsePrivilegeSeparation sandbox +{% else %} +UsePrivilegeSeparation sandbox +{% endif %} + +# The server disconnects after this time if the user has not +# successfully logged in. +# The default is 120 seconds. +LoginGraceTime 120 + +# Specifies whether root can log in using ssh(1). +# The default is "yes". +# Possible values: yes, no, prohibit-password (or teh older one: without-password) +#PermitRootLogin yes +PermitRootLogin {{ sshd_permit_root_login }} + +# Specifies whether sshd(8) should check file modes and ownership of the +# user's files and home directory before accepting login. This is normally +# desirable because novices sometimes accidentally leave their directory or +# files world-writable. Note that this does not apply to ChrootDirectory, +# whose permissions and ownership are checked unconditionally. +# The default is “yes”. +StrictModes yes + +# Specifies whether pure RSA authentication is allowed. This option +# applies to protocol version 1 only. +# The default is “yes”. +# +# Note: +# Deprecated option RSAAuthentication +# +#RSAAuthentication yes + +# Specifies whether public key authentication is allowed. Note that this +# option applies to protocol version 2 only. +# The default is “yes”. +PubkeyAuthentication {{ sshd_pubkey_authentication }} + +# Specifies the file that contains the public keys that can be used for +# user authentication. 
The format is described in the AUTHORIZED_KEYS FILE +# FORMAT section of sshd(8). +# AuthorizedKeysFile may contain tokens of the form %T which are substituted +# during connection setup. The following tokens are defined: %% is replaced +# by a literal '%', %h is replaced by the home directory of the user being +# authenticated, and %u is replaced by the username of that user. After +# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative +# to the user's home directory. Multiple files may be listed, separated by +# whitespace. +# The default is “.ssh/authorized_keys .ssh/authorized_keys2”. +#AuthorizedKeysFile %h/.ssh/authorized_keys +AuthorizedKeysFile {{ sshd_authorized_keys_file }} + +# Specifies whether password authentication is allowed. +# Change to no to disable tunnelled clear text passwords +# The default is "yes". +#PasswordAuthentication yes +PasswordAuthentication {{ sshd_password_authentication }} + +# When password authentication is allowed, it specifies whether the +# server allows login to accounts with empty password strings. +# The default is “no”. +PermitEmptyPasswords no + +# Specifies whether challenge-response authentication is allowed (e.g. via PAM). +# The default is “yes”. +ChallengeResponseAuthentication no + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# For this to work you will also need host keys in /etc/ssh_known_hosts +# +# Note: +# Deprecated option RhostsRSAAuthentication +# +#RhostsRSAAuthentication no + +# similar for protocol version 2 +HostbasedAuthentication no + +# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts +# during RhostsRSAAuthentication or HostbasedAuthentication. +# The default is “no”. +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# If specified, login is allowed only for user names that match one of +# the patterns. 
+# The allow/deny directives are processed in the following order: DenyUsers, +# AllowUsers, DenyGroups, and finally AllowGroups. +# By default, login is allowed for all users. +{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %} +AllowUsers {{ fact_sshd_allowed_users }} +{% else %} +#AllowUsers back chris sysadm cityslang christoph +{% endif %} + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +# Specifies whether login(1) is used for interactive login sessions. +# Note that login(1) is never used for remote command execution. +# Note also, that if this is enabled, X11Forwarding will be disabled +# because login(1) does not know how to handle xauth(1) cookies. If +# UsePrivilegeSeparation is specified, it will be disabled after +# authentication. +# The default is “no”. +#UseLogin no + + +#----------------------------- +# Cryptography +#----------------------------- + +# Specifies the available KEX (Key Exchange) algorithms. +# The default is: +## curve25519-sha256@libssh.org, +## ecdh-sha2-nistp256, +## ecdh-sha2-nistp384, +## ecdh-sha2-nistp521, +## diffie-hellman-group-exchange-sha256, +## diffie-hellman-group14-sha1. +{% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %} +KexAlgorithms {{ fact_sshd_kexalgorithms }} +{% else %} +#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +{% endif %} + +# Specifies the ciphers allowed for protocol version 2. 
+# The default is: +## aes128-ctr, +## aes192-ctr, +## aes256-ctr, +## aes128-gcm@openssh.com, +## aes256-gcm@openssh.com, +## chacha20-poly1305@openssh.com. +{% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %} +Ciphers {{ fact_sshd_ciphers }} +{% else %} +#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +{% endif %} + +# Specifies the available MAC (message authentication code) algorithms. +# The default is: +## umac-64-etm@openssh.com, +## umac-128-etm@openssh.com, +## hmac-sha2-256-etm@openssh.com, +## hmac-sha2-512-etm@openssh.com, +## umac-64@openssh.com, +## umac-128@openssh.com, +## hmac-sha2-256, +## hmac-sha2-512. +{% if (fact_sshd_macs is defined) and fact_sshd_macs %} +MACs {{ fact_sshd_macs }} +{% else %} +#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +{% endif %} + + +#----------------------------- +# Logging +#----------------------------- + +# Gives the facility code that is used when logging messages from sshd(8). +# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, +# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. +# The default is AUTH. +SyslogFacility AUTH + +# Gives the verbosity level that is used when logging messages from +# sshd(8). +# The default is INFO. +LogLevel INFO + + +#----------------------------- +# Behavior +#----------------------------- + +# Specifies whether the distribution-specified extra version suffix is included +# during initial protocol handshake. +# The default is "yes". +DebianBanner no + +# The contents of the specified file are sent to the remote user before +# authentication is allowed. +# By default, no banner is displayed. +#Banner /etc/issue.net + +# Specifies whether sshd(8) should print /etc/motd when a user logs in +# interactively. (On some systems it is also printed by the shell, +# /etc/profile, or equivalent.) 
+# The default is “yes”. +PrintMotd {{ sshd_print_motd }} + +# Specifies what environment variables sent by the client will be copied +# into the session's environ(7). +# The default is not to accept any environment variables. +AcceptEnv LANG LC_* + +# Configures an external subsystem (e.g. file transfer daemon). +# By default no subsystems are defined. +Subsystem sftp /usr/lib/openssh/sftp-server + +# Specifies whether sshd(8) should look up the remote host name and check +# that the resolved host name for the remote IP address maps back to the +# very same IP address. +# The default is “yes”. +UseDNS {{ sshd_use_dns }} + +# Specifies whether X11 forwarding is permitted. The argument must be +# “yes” or “no”. See sshd_config(5) for further expalnation +# The default is “no”. +#X11Forwarding yes + +# Specifies the first display number available for sshd(8)'s X11 +# forwarding. This prevents sshd from interfering with real X11 servers. +# The default is 10. +X11DisplayOffset 10 + +# Specifies whether the system should send TCP keepalive messages to the +# other side. If they are sent, death of the connection or crash of one +# of the machines will be properly noticed. However, this means +# that connections will die if the route is down temporarily, and some +# people find it annoying. On the other hand, if TCP keepalives are not +# sent, sessions may hang indefinitely on the server, leaving “ghost” users +# and consuming server resources. +# +# The default is “yes” (to send TCP keepalive messages), and the server +# will notice if the network goes down or the client host crashes. This +# avoids infinitely hanging sessions. +TCPKeepAlive yes + +#Specifies whether sshd(8) should print the date and time of the last +# user login when a user logs in interactively. +# The default is “yes”. 
+PrintLastLog yes + + +#----------------------------- +# Kerberos options +#----------------------------- +#KerberosAuthentication no +#KerberosGetAFSToken no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes + + +#----------------------------- +# GSSAPI options +#----------------------------- + +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + + + + +
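Review bot: `UsePAM yes` is hard-coded although group_vars declares `sshd_use_pam` and host_vars/file-mbr overrides it to `"no"`, so that variable is dead; render it as `UsePAM {{ sshd_use_pam }}`. The fallback `#AllowUsers back chris sysadm cityslang christoph` ships real account names into every managed host's sshd_config, which is handy reconnaissance for anyone who reads the file and adds nothing as a comment; replace it with a neutral placeholder such as `#AllowUsers alice bob`. The `KexAlgorithms`/`Ciphers`/`MACs` blocks test `fact_sshd_*` names that nothing in this commit sets, so the lists in group_vars never take effect, and the commented `#MACs` example includes `hmac-ripemd160`, which OpenSSH 7.6 and later (buster ships 7.9) no longer accept, so uncommenting it would fail `sshd -T` validation. Rendering straight from the list variables, e.g. `{% if sshd_ciphers %}Ciphers {{ sshd_ciphers | join(',') }}{% endif %}`, removes the indirection and the stale example.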