update--
@ -144,9 +144,15 @@ PasswordAuthentication {{ sshd_password_authentication }}
|
||||
# The default is “no”.
|
||||
PermitEmptyPasswords no
|
||||
|
||||
{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 11) %}
|
||||
# Change to yes to enable challenge-response passwords (beware issues with
|
||||
# some PAM modules and threads)
|
||||
KbdInteractiveAuthentication no
|
||||
{% else %}
|
||||
# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
|
||||
# The default is “yes”.
|
||||
ChallengeResponseAuthentication no
|
||||
{% endif %}
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
IgnoreRhosts yes
|
||||
@ -389,10 +395,10 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
{% endif %}
|
||||
|
||||
# Specifies whether sshd(8) should look up the remote host name and check
|
||||
# that the resolved host name for the remote IP address maps back to the
|
||||
# Specifies whether sshd(8) should look up the remote host name and check
|
||||
# that the resolved host name for the remote IP address maps back to the
|
||||
# very same IP address.
|
||||
# The default is “yes”.
|
||||
# The default is 'yes'.
|
||||
UseDNS {{ sshd_use_dns }}
|
||||
|
||||
# Specifies whether X11 forwarding is permitted. The argument must be
|
||||
@ -405,12 +411,12 @@ UseDNS {{ sshd_use_dns }}
|
||||
# The default is 10.
|
||||
X11DisplayOffset 10
|
||||
|
||||
# Specifies whether the system should send TCP keepalive messages to the
|
||||
# other side. If they are sent, death of the connection or crash of one
|
||||
# Specifies whether the system should send TCP keepalive messages to the
|
||||
# other side. If they are sent, death of the connection or crash of one
|
||||
# of the machines will be properly noticed. However, this means
|
||||
# that connections will die if the route is down temporarily, and some
|
||||
# people find it annoying. On the other hand, if TCP keepalives are not
|
||||
# sent, sessions may hang indefinitely on the server, leaving “ghost” users
|
||||
# that connections will die if the route is down temporarily, and some
|
||||
# people find it annoying. On the other hand, if TCP keepalives are not
|
||||
# sent, sessions may hang indefinitely on the server, leaving 'ghost' users
|
||||
# and consuming server resources.
|
||||
#
|
||||
# The default is “yes” (to send TCP keepalive messages), and the server
|
||||
@ -463,4 +469,36 @@ Match group sftp_users
|
||||
ChrootDirectory %h
|
||||
ForceCommand internal-sftp
|
||||
|
||||
Match all
|
||||
|
||||
{% endif -%}
|
||||
|
||||
{% if (sshd_pasword_auth_user is defined) and sshd_pasword_auth_user %}
|
||||
|
||||
#-----------------------------
|
||||
# Match User for PasswordAuthentication
|
||||
#-----------------------------
|
||||
{% for item in sshd_pasword_auth_user %}
|
||||
|
||||
Match User {{ item }}
|
||||
PasswordAuthentication yes
|
||||
|
||||
Match all
|
||||
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if (sshd_pasword_auth_ip is defined) and sshd_pasword_auth_ip %}
|
||||
|
||||
#-----------------------------
|
||||
# Match IP Address for PasswordAuthentication
|
||||
#-----------------------------
|
||||
{% for item in sshd_pasword_auth_ip %}
|
||||
|
||||
Match Address {{ item }}
|
||||
PasswordAuthentication yes
|
||||
|
||||
Match all
|
||||
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
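Review bot: In the last hunk, `Match Address {{ item }}` re-enables `PasswordAuthentication yes` for every account connecting from a listed address, so the exception is as wide as the range given; pairing it with a user or group criterion (`Match Address {{ item }} User <allowed-users>`, placeholder) would narrow it. Both loops write each item verbatim into sshd_config, so an entry containing whitespace or a newline would alter the Match line. Checking that every entry is a single token and validating the rendered file with `sshd -t` before it is installed would catch that before sshd reloads. The variables are spelled `sshd_pasword_auth_user` and `sshd_pasword_auth_ip` (one `s`); if the role defaults or inventory use `sshd_password_…`, which this page does not show, these blocks would silently never render. `Match all` is also emitted once per iteration, and a single `Match User {{ sshd_pasword_auth_user | join(',') }}` line would express the same thing more compactly.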