ansible/mbr-bln
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add basic.yml apt.yml and sshd.yaml

Browse Source
This commit is contained in:
Christoph 2020-02-29 04:11:53 +01:00
parent 9e0d4fe374
commit bbcd57cd5b
9 changed files with 959 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

313
group_vars/all/main.yml
View File

@ -816,6 +816,319 @@ locales:
set_default_limit_nofile: false
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_ports:
- 22
sshd_listen_address:
- '::'
- '0.0.0.0'
sshd_host_keys:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
sshd_permit_root_login: !!str "no"
sshd_authorized_keys_file: ".ssh/authorized_keys .ssh/authorized_keys2"
sshd_pubkey_authentication: !!str "yes"
sshd_password_authentication: !!str "no"
sshd_use_pam: !!str "yes"
sshd_print_motd: !!str "no"
# sshd_kexalgorithms
#
# Example:
# sshd_kexalgorithms:
# - curve25519-sha256@libssh.org
# - diffie-hellman-group-exchange-sha256
# - diffie-hellman-group14-sha1
#
sshd_kexalgorithms: {}
# sshd_kexalgorithms
#
# Example:
# sshd_ciphers:
# - chacha20-poly1305@openssh.com
# - aes256-gcm@openssh.com
# - aes256-ctr
sshd_ciphers: {}
sshd_use_dns: !!str "no"
sshd_allowed_users: {}
# ---
# vars used by apt.yml
# ---
apt_manage_sources_list: true
apt_src_enable: true
apt_backports_enable: true
apt_debian_mirror: http://ftp.de.debian.org/debian/
apt_debian_contrib_nonfree_enable: true
apt_update_cache_valid_time: 3600
apt_upgrade: true
apt_update: true
apt_clean: true
apt_autoremove: true
apt_dpkg_configure: true
apt_upgrade_type: dist
apt_upgrade_dpkg_options:
- force-confdef
- force-confold
apt_initial_install_stretch:
- apt-transport-https
- dbus
- openssh-server
- rssh
- vim
- vim-common
- vim-doc
- mc
- screen
- tmux
- bc
- figlet
- rcconf
- sudo
- rsync
- dselect
- iputils-ping
- apt-utils
- aptitude
- zip
- unzip
- bzip2
- arj
- locate
- curl
- gawk
- mawk
- lynx
- links
- w3m
- exuberant-ctags
- mime-support
- file
- coreutils
- moreutils
- less
- realpath
- sipcalc
- psmisc
- dnsutils
- rblcheck
- whois
- gettext
- gettext-base
- gettext-doc
- debian-keyring
- patch
- patchutils
- recode
- recode-doc
- librecode0
- librecode-dev
- sharutils
- perl
- perl-modules-5.24
- perl-doc
- libperl-dev
- libterm-readline-gnu-perl
- libterm-readline-perl-perl
- libterm-readkey-perl
- libmail-imapclient-perl
- libtime-duration-perl
- libtimedate-perl
- libwww-perl
- libpcre3
- libreadline5
- re2c
- util-linux
- parted
- lshw
- gdisk
- smartmontools
- tcpdump
- telnet
- unhide
- lsof
- hdparm
- groff
- iproute2
- bridge-utils
- vlan
- ethtool
- wipe
- iperf
- mtr
- iptraf
- wget
- logrotate
- rsyslog
- haveged
- rdate
- ntpdate
- wipe
- man-db
- groff
- iptables
- shellcheck
- ssl-cert
- ssl-cert-check
- git
- ftp
- htop
- net-tools
- lsb-release
- attr
- acl
- quota
- quotatool
- needrestart
apt_initial_install_buster:
- apt-transport-https
- dbus
- openssh-server
- rush
- vim
- vim-common
- vim-doc
- mc
- screen
- tmux
- bc
- figlet
- rcconf
- sudo
- rsync
- dselect
- iputils-ping
- apt-utils
- aptitude
- zip
- unzip
- bzip2
- arj
- locate
- curl
- gawk
- mawk
- lynx
- links
- w3m
- ctags
- mime-support
- file
- coreutils
- moreutils
- less
- sipcalc
- psmisc
- dnsutils
- rblcheck
- whois
- gettext
- gettext-base
- gettext-doc
- debian-keyring
- patch
- patchutils
- recode
- recode-doc
- librecode0
- librecode-dev
- sharutils
- perl
- perl-modules-5.28
- perl-doc
- libperl-dev
- libterm-readline-gnu-perl
- libterm-readline-perl-perl
- libterm-readkey-perl
- libmail-imapclient-perl
- libtime-duration-perl
- libtimedate-perl
- libwww-perl
- libpcre3
- libio-compress-perl
- libreadline5
- re2c
- util-linux
- parted
- lshw
- gdisk
- smartmontools
- tcpdump
- telnet
- unhide
- lsof
- hdparm
- groff
- iproute2
- bridge-utils
- vlan
- ethtool
- wipe
- iperf
- mtr
- iptraf
- wget
- logrotate
- rsyslog
- haveged
- rdate
- ntpdate
- wipe
- man
- groff
- iptables
- shellcheck
- ssl-cert
- ssl-cert-check
- git
- ftp
- htop
- net-tools
- lsb-release
- attr
- acl
- quota
- quotatool
- needrestart
apt_install: {}
apt_install_state: latest
apt_remove:
- apt-transport-tor
- tor
- tor-geoipdb
- torsocks
apt_remove_purge: false
microcode_package: intel-microcode
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---

18
host_vars/file-mbr.mbr-bln.netz.yml
View File

@ -1,3 +1,21 @@
---
ansible_python_interpreter: /usr/bin/python3
# ---
# vars used by roles/common/tasks/basic.yml
# ---
set_default_limit_nofile: true
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_permit_root_login: !!str "yes"
sshd_use_pam: !!str "no"
sshd_print_motd: !!str "yes"

20
roles/common/handlers/main.yml
View File

@ -1,5 +1,25 @@
---
- name: Update timezone
command: dpkg-reconfigure --frontend noninteractive tzdata
#- name: Restart ssh
# shell: sleep 3; systemctl restart sshd
# async: 1
# poll: 0
# Does NOT Work
#
# Error was:
# Start request repeated too quickly.
#
# See also: https://github.com/ansible/ansible-modules-core/issues/1533
#
- name: Restart ssh
service:
name: ssh
state: restarted
- name: Renew nis databases
shell: make -C /var/yp
when:

130
roles/common/tasks/apt.yml Normal file
View File

@ -0,0 +1,130 @@
---
- name: (apt.yml) update configuration file - /etc/apt/sources.list
template:
src: "etc/apt/sources.list.{{ ansible_distribution }}.j2"
dest: /etc/apt/sources.list
owner: root
group: root
mode: 0644
register: apt_config_updated
when: apt_manage_sources_list|bool
tags:
- apt-configuration
- name: (apt.yml) apt update
apt:
update_cache: true
cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
when: apt_update|bool
tags:
- apt-update
- apt-upgrade
- apt-dpkg-configure
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) dpkg --configure
command: >
dpkg --configure -a
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure
when: apt_dpkg_configure|bool
tags:
- apt-dpkg-configure
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) apt upgrade
apt:
upgrade: "{{ apt_upgrade_type }}"
update_cache: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_upgrade|bool
tags:
- apt-upgrade
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) Initial install debian packages (stretch)
apt:
name: "{{ apt_initial_install_stretch }}"
state: "{{ apt_install_state }}"
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "9"
tags:
- apt-initial-install
- name: (apt.yml) Initial install debian packages (buster)
apt:
name: "{{ apt_initial_install_buster }}"
state: "{{ apt_install_state }}"
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
tags:
- apt-initial-install
- name: (apt.yml) Ensure we have CPU microcode from backports (debian stretch)
apt:
name: "{{ microcode_package }}"
state: present
default_release: "{{ ansible_distribution_release }}-backports"
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "9"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode (debian buster)
apt:
name: "{{ microcode_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Remove unwanted packages
apt:
name: "{{ apt_remove }}"
state: absent
purge: "{{ apt_remove_purge }}"
tags:
- apt-remove
- name: (apt.yml) autoremove
apt:
autoremove: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_autoremove|bool
tags:
- apt-autoremove
- apt-initial-install
- apt-microcode
- name: (apt.yml) clean
command: apt-get -y clean
args:
warn: false
changed_when: false
when: apt_clean|bool
tags:
- apt-clean
- apt-initial-install
- apt-microcode

45
roles/common/tasks/basic.yml Normal file
View File

@ -0,0 +1,45 @@
---
- name: (basic.yml) Ensure timezone is is correct
timezone: name={{ time_zone }}
tags:
- timezone
- name: (basic.yml) Ensure locales are present
locale_gen:
name: "{{ item }}"
state: present
with_items: "{{ locales }}"
tags:
- locales
- name: (basic.yml) Create a symbolic link /bin/sh -> bash
file:
src: bash
dest: /bin/sh
owner: root
group: root
state: link
tags:
- symlink-sh
- name: (basic.yml) Check file '/etc/systemd/system.conf' exists
stat:
path: /etc/systemd/system
register: etc_systemd_system_conf
when:
- set_default_limit_nofile|bool == true
- name: (basic.yml) Change DefaultLimitNOFILE to 1048576
lineinfile:
dest: /etc/systemd/system.conf
state: present
regexp: '^DefaultLimitNOFILE'
line: 'DefaultLimitNOFILE=1048576'
insertafter: '^#DefaultLimitNOFILE'
when:
- set_default_limit_nofile|bool == true
- etc_systemd_system_conf.stat.exists == true
tags:
- systemd-nofiles

28
roles/common/tasks/main.yml
View File

@ -1,6 +1,34 @@
---
# tags supported inside basic.yml
#
# timezone
# locales
# systemd-nofiles
- import_tasks: basic.yml
tags:
- basic
# tags supported inside sshd.yml
#
# sshd-config
- import_tasks: sshd.yml
tags: sshd
# tags supported inside apt.yml
#
# apt-update
# apt-upgrade
# apt-dpkg-configure
# apt-initial-install
# apt-microcode
# apt-remove
# apt-autoremove
# apt-clean
- import_tasks: apt.yml
tags: apt
# tags supported inside nfs.yml:
#
# nfs-server

28
roles/common/tasks/sshd.yml Normal file
View File

@ -0,0 +1,28 @@
---
- name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
stat:
path: /etc/ssh/sshd_config.ORIG
register: etc_sshd_sshd_config_ORIG
tags:
- sshd-config
- name: (sshd.yml) Backup installation version of file '/etc/ssh/sshd_config'
command: cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
when: etc_sshd_sshd_config_ORIG.stat.exists == False
tags:
- sshd-config
- name: (sshd.yml) Create new sshd_config from template sshd_config.j2
template:
src: etc/ssh/sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: 0644
validate: 'sshd -f %s -T'
#backup: yes
notify: "Restart ssh"
tags:
- sshd-config

28
roles/common/templates/etc/apt/sources.list.Debian.j2 Normal file
View File

@ -0,0 +1,28 @@
# {{ ansible_managed }}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
{{ '# ' if not apt_src_enable else '' }}deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
# {{ ansible_lsb.codename }}-updates, previously known as 'volatile'
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
# Contrib packages contain DFSG-compliant software,
# but have dependencies not in main (possibly packaged for Debian in non-free).
# Non-free contains software that does not comply with the DFSG.
{% if apt_debian_contrib_nonfree_enable %}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
{% endif %}
# # N.B. software from this repository may not have been tested as
# # extensively as that contained in the main release, although it includes
# # newer versions of some applications which may provide useful features.
{% if apt_backports_enable %}
deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
{% endif %}

349
roles/common/templates/etc/ssh/sshd_config.j2 Normal file
View File

@ -0,0 +1,349 @@
# {{ ansible_managed }}
#-----------------------------
# Daemon
#-----------------------------
# What ports, IPs and protocols we listen for
{% for item in sshd_ports %}
Port {{ item }}
{% endfor %}
# Specifies the local addresses sshd(8) should listen on. The following forms may be used:
#
# ListenAddress host|IPv4_addr|IPv6_addr
# ListenAddress host|IPv4_addr:port
# ListenAddress [host|IPv6_addr]:port
#
# If port is not specified, sshd will listen on the address and all Port options specified. The default
# is to listen on all local addresses. Multiple ListenAddress options are permitted.
#
# ListenAddress ::
# ListenAddress 0.0.0.0
# ListenAddress 159.69.72.24
# ListenAddress 2a01:4f8:231:171f::2
#
{% if (sshd_listen_address is defined) and sshd_listen_address %}
{% for item in sshd_listen_address %}
ListenAddress {{ item }}
{% endfor %}
{% endif %}
# Specifies the protocol versions sshd(8) supports.
# The possible values are 1 , `2' and 1,2.
# The default is 2.
Protocol 2
# HostKeys for protocol version 2
{% for item in sshd_host_keys %}
HostKey {{ item }}
{% endfor %}
# Lifetime and size of ephemeral version 1 server key
#
# Note:
# Deprecated option KeyRegenerationInterval
# Deprecated option ServerKeyBits
#
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Specifies the maximum number of concurrent unauthenticated connections
# to the SSH daemon. See sshd_config(5) for specifiing the three colon
# separated values.
# The default is 10.
#MaxStartups 10:30:100
#MaxStartups 3
MaxStartups 10:30:100
# Specifies the maximum number of authentication attempts permitted per
# connection.
# The default is 6.
MaxAuthTries 3
# Specifies the maximum number of open sessions permitted per network
# connection.
# The default is 10.
MaxSessions 10
#-----------------------------
# Authentication
#-----------------------------
# Specifies whether sshd(8) separates privileges by creating an unprivileged
# child process to deal with incoming network traffic.
# The default is "yes" (for security).
{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 9) %}
#
# Note: (Release 7.5)
# Deprecated option UsePrivilegeSeparation
# Privilege separation has been on by default for almost 15 years
# sandboxing has been on by default for almost the last five
#
#UsePrivilegeSeparation sandbox
{% else %}
UsePrivilegeSeparation sandbox
{% endif %}
# The server disconnects after this time if the user has not
# successfully logged in.
# The default is 120 seconds.
LoginGraceTime 120
# Specifies whether root can log in using ssh(1).
# The default is "yes".
# Possible values: yes, no, prohibit-password (or teh older one: without-password)
#PermitRootLogin yes
PermitRootLogin {{ sshd_permit_root_login }}
# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
# desirable because novices sometimes accidentally leave their directory or
# files world-writable. Note that this does not apply to ChrootDirectory,
# whose permissions and ownership are checked unconditionally.
# The default is “yes”.
StrictModes yes
# Specifies whether pure RSA authentication is allowed. This option
# applies to protocol version 1 only.
# The default is “yes”.
#
# Note:
# Deprecated option RSAAuthentication
#
#RSAAuthentication yes
# Specifies whether public key authentication is allowed. Note that this
# option applies to protocol version 2 only.
# The default is “yes”.
PubkeyAuthentication {{ sshd_pubkey_authentication }}
# Specifies the file that contains the public keys that can be used for
# user authentication. The format is described in the AUTHORIZED_KEYS FILE
# FORMAT section of sshd(8).
# AuthorizedKeysFile may contain tokens of the form %T which are substituted
# during connection setup. The following tokens are defined: %% is replaced
# by a literal '%', %h is replaced by the home directory of the user being
# authenticated, and %u is replaced by the username of that user. After
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
# to the user's home directory. Multiple files may be listed, separated by
# whitespace.
# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
#AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysFile {{ sshd_authorized_keys_file }}
# Specifies whether password authentication is allowed.
# Change to no to disable tunnelled clear text passwords
# The default is "yes".
#PasswordAuthentication yes
PasswordAuthentication {{ sshd_password_authentication }}
# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
# The default is “no”.
PermitEmptyPasswords no
# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
# The default is “yes”.
ChallengeResponseAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
#
# Note:
# Deprecated option RhostsRSAAuthentication
#
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# The default is “no”.
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# If specified, login is allowed only for user names that match one of
# the patterns.
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
AllowUsers {{ fact_sshd_allowed_users }}
{% else %}
#AllowUsers back chris sysadm cityslang christoph
{% endif %}
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# Specifies whether login(1) is used for interactive login sessions.
# Note that login(1) is never used for remote command execution.
# Note also, that if this is enabled, X11Forwarding will be disabled
# because login(1) does not know how to handle xauth(1) cookies. If
# UsePrivilegeSeparation is specified, it will be disabled after
# authentication.
# The default is “no”.
#UseLogin no
#-----------------------------
# Cryptography
#-----------------------------
# Specifies the available KEX (Key Exchange) algorithms.
# The default is:
## curve25519-sha256@libssh.org,
## ecdh-sha2-nistp256,
## ecdh-sha2-nistp384,
## ecdh-sha2-nistp521,
## diffie-hellman-group-exchange-sha256,
## diffie-hellman-group14-sha1.
{% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
KexAlgorithms {{ fact_sshd_kexalgorithms }}
{% else %}
#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
{% endif %}
# Specifies the ciphers allowed for protocol version 2.
# The default is:
## aes128-ctr,
## aes192-ctr,
## aes256-ctr,
## aes128-gcm@openssh.com,
## aes256-gcm@openssh.com,
## chacha20-poly1305@openssh.com.
{% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
Ciphers {{ fact_sshd_ciphers }}
{% else %}
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
{% endif %}
# Specifies the available MAC (message authentication code) algorithms.
# The default is:
## umac-64-etm@openssh.com,
## umac-128-etm@openssh.com,
## hmac-sha2-256-etm@openssh.com,
## hmac-sha2-512-etm@openssh.com,
## umac-64@openssh.com,
## umac-128@openssh.com,
## hmac-sha2-256,
## hmac-sha2-512.
{% if (fact_sshd_macs is defined) and fact_sshd_macs %}
MACs {{ fact_sshd_macs }}
{% else %}
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
{% endif %}
#-----------------------------
# Logging
#-----------------------------
# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
# The default is AUTH.
SyslogFacility AUTH
# Gives the verbosity level that is used when logging messages from
# sshd(8).
# The default is INFO.
LogLevel INFO
#-----------------------------
# Behavior
#-----------------------------
# Specifies whether the distribution-specified extra version suffix is included
# during initial protocol handshake.
# The default is "yes".
DebianBanner no
# The contents of the specified file are sent to the remote user before
# authentication is allowed.
# By default, no banner is displayed.
#Banner /etc/issue.net
# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
# The default is “yes”.
PrintMotd {{ sshd_print_motd }}
# Specifies what environment variables sent by the client will be copied
# into the session's environ(7).
# The default is not to accept any environment variables.
AcceptEnv LANG LC_*
# Configures an external subsystem (e.g. file transfer daemon).
# By default no subsystems are defined.
Subsystem sftp /usr/lib/openssh/sftp-server
# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the
# very same IP address.
# The default is “yes”.
UseDNS {{ sshd_use_dns }}
# Specifies whether X11 forwarding is permitted. The argument must be
# “yes” or “no”. See sshd_config(5) for further expalnation
# The default is “no”.
#X11Forwarding yes
# Specifies the first display number available for sshd(8)'s X11
# forwarding. This prevents sshd from interfering with real X11 servers.
# The default is 10.
X11DisplayOffset 10
# Specifies whether the system should send TCP keepalive messages to the
# other side. If they are sent, death of the connection or crash of one
# of the machines will be properly noticed. However, this means
# that connections will die if the route is down temporarily, and some
# people find it annoying. On the other hand, if TCP keepalives are not
# sent, sessions may hang indefinitely on the server, leaving “ghost” users
# and consuming server resources.
#
# The default is “yes” (to send TCP keepalive messages), and the server
# will notice if the network goes down or the client host crashes. This
# avoids infinitely hanging sessions.
TCPKeepAlive yes
#Specifies whether sshd(8) should print the date and time of the last
# user login when a user logs in interactively.
# The default is “yes”.
PrintLastLog yes
#-----------------------------
# Kerberos options
#-----------------------------
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#-----------------------------
# GSSAPI options
#-----------------------------
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes