update..

2022-02-21 17:36:20 +01:00
parent b0346a0401
commit 6649efc76e
4 changed files with 329 additions and 5 deletions
--- a/roles/common/templates/etc/ssh/sshd_config.ubuntu.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.ubuntu.j2
@@ -0,0 +1,315 @@
+# {{ ansible_managed }}
+
+#-----------------------------
+# Daemon
+#-----------------------------
+
+# What ports, IPs and protocols we listen for
+{% for item in sshd_ports %}
+Port {{ item }}
+{% endfor %}
+
+# Specifies the local addresses sshd(8) should listen on.  The following forms may be used:
+# 
+#    ListenAddress host|IPv4_addr|IPv6_addr
+#    ListenAddress host|IPv4_addr:port
+#    ListenAddress [host|IPv6_addr]:port
+# 
+# If port is not specified, sshd will listen on the address and all Port options specified.  The default
+# is to listen on all local addresses.  Multiple ListenAddress options are permitted.
+#
+#    ListenAddress ::
+#    ListenAddress 0.0.0.0
+#    ListenAddress 159.69.72.24
+#    ListenAddress 2a01:4f8:231:171f::2
+#
+{% if (sshd_listen_address is defined) and sshd_listen_address %}
+{% for item in sshd_listen_address %}
+ListenAddress {{ item }}
+{% endfor %}
+{% endif %}
+
+# Specifies the protocol versions sshd(8) supports.
+# The possible values are ‘1’ , `2' and ‘1,2’.
+# The default is ‘2’.
+Protocol 2
+
+# HostKeys for protocol version 2
+{% for item in sshd_host_keys %}
+HostKey {{ item }}
+{% endfor %}
+
+# Lifetime and size of ephemeral version 1 server key
+#
+# Note:
+#    Deprecated option KeyRegenerationInterval
+#    Deprecated option ServerKeyBits
+#
+#KeyRegenerationInterval 3600
+#ServerKeyBits 768
+
+# Specifies the maximum number of concurrent unauthenticated connections
+# to the SSH daemon. See sshd_config(5) for specifiing the three colon 
+# separated values.
+# The default is 10.
+#MaxStartups 10:30:100
+#MaxStartups 3
+MaxStartups {{ sshd_max_startups }}
+
+# Specifies the maximum number of authentication attempts permitted per
+# connection.
+# The default is 6.
+MaxAuthTries {{ sshd_max_auth_tries }}
+
+# Specifies the maximum number of open sessions permitted per network
+# connection.
+# The default is 10.
+MaxSessions {{ sshd_max_sessions }}
+
+
+#-----------------------------
+# Authentication
+#-----------------------------
+
+# Specifies whether sshd(8) separates privileges by creating an unprivileged
+# child process to deal with incoming network traffic.
+# The default is "yes" (for security).
+{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 9) %}
+#
+# Note: (Release 7.5)
+#    Deprecated option UsePrivilegeSeparation
+#    Privilege separation has been on by default for almost 15 years
+#    sandboxing has been on by default for almost the last five
+#
+#UsePrivilegeSeparation sandbox
+{% else %}
+UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
+{% endif %}
+
+# The server disconnects after this time if the user has not
+# successfully logged in.
+# The default is 120 seconds.
+LoginGraceTime 120
+
+# Specifies whether root can log in using ssh(1).
+# The default is "yes".
+# Possible values: yes, no, prohibit-password (or teh older one: without-password)
+#PermitRootLogin yes
+PermitRootLogin {{ sshd_permit_root_login }}
+
+# Specifies whether sshd(8) should check file modes and ownership of the 
+# user's files and home directory before accepting login.  This is normally 
+# desirable because novices sometimes accidentally leave their directory or 
+# files world-writable. Note that this does not apply to ChrootDirectory, 
+# whose permissions and ownership are checked unconditionally.  
+# The default is “yes”.
+StrictModes yes
+
+# Specifies whether pure RSA authentication is allowed. This option 
+# applies to protocol version 1 only.
+# The default is “yes”.
+#
+# Note:
+#    Deprecated option RSAAuthentication
+#
+#RSAAuthentication yes
+
+# Specifies whether public key authentication is allowed. Note that this 
+# option applies to protocol version 2 only.
+# The default is “yes”.
+PubkeyAuthentication {{ sshd_pubkey_authentication }}
+
+# Specifies the file that contains the public keys that can be used for 
+# user authentication.  The format is described in the AUTHORIZED_KEYS FILE 
+# FORMAT section of sshd(8).
+# AuthorizedKeysFile may contain tokens of the form %T which are substituted
+# during connection setup. The following tokens are defined: %% is replaced 
+# by a literal '%', %h is replaced by the home directory of the user being 
+# authenticated, and %u is replaced by the username of that user. After 
+# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative 
+# to the user's home directory. Multiple files may be listed, separated by 
+# whitespace.
+# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+AuthorizedKeysFile {{ sshd_authorized_keys_file }}
+
+# Specifies whether password authentication is allowed.
+# Change to no to disable tunnelled clear text passwords
+# The default is "yes".
+#PasswordAuthentication yes
+PasswordAuthentication {{ sshd_password_authentication }}
+
+# When password authentication is allowed, it specifies whether the 
+# server allows login to accounts with empty password strings.
+# The default is “no”.
+PermitEmptyPasswords no
+
+# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
+# The default is “yes”.
+ChallengeResponseAuthentication no
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+#
+# Note:
+#    Deprecated option RhostsRSAAuthentication
+#
+#RhostsRSAAuthentication no
+
+# similar for protocol version 2
+HostbasedAuthentication no
+
+# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts 
+# during RhostsRSAAuthentication or HostbasedAuthentication. 
+# The default is “no”.
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# If specified, login is allowed only for user names that match one of
+# the patterns.
+# The allow/deny directives are processed in the following order: DenyUsers, 
+# AllowUsers, DenyGroups, and finally AllowGroups.
+# By default, login is allowed for all users.
+{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
+AllowUsers {{ fact_sshd_allowed_users }}
+{% else %}
+#AllowUsers back chris sysadm cityslang christoph
+{% endif %}
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM {{ sshd_use_pam }}
+
+# Specifies whether login(1) is used for interactive login sessions.
+# Note that login(1) is never used for remote command execution. 
+# Note also, that if this is enabled, X11Forwarding will be disabled 
+# because login(1) does not know how to handle xauth(1) cookies. If
+# UsePrivilegeSeparation is specified, it will be disabled after 
+# authentication.
+# The default is “no”.
+#UseLogin no
+
+
+#-----------------------------
+# Cryptography
+#-----------------------------
+
+# use default values for
+#   - KexAlgorithms
+#   - Ciphers
+#   - MACs
+
+#-----------------------------
+# Logging
+#-----------------------------
+
+# Gives the facility code that is used when logging messages from sshd(8).  
+# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, 
+# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  
+# The default is AUTH.
+SyslogFacility AUTH
+
+# Gives the verbosity level that is used when logging messages from
+# sshd(8).
+# The default is INFO.
+LogLevel INFO
+
+
+#-----------------------------
+# Behavior
+#-----------------------------
+
+# Specifies whether the distribution-specified extra version suffix is included
+# during initial protocol handshake.
+# The default is "yes".
+DebianBanner no
+
+# The contents of the specified file are sent to the remote user before
+# authentication is allowed.
+# By default, no banner is displayed.
+#Banner /etc/issue.net
+
+# Specifies whether sshd(8) should print /etc/motd when a user logs in 
+# interactively. (On some systems it is also printed by the shell, 
+# /etc/profile, or equivalent.)  
+# The default is “yes”.
+PrintMotd {{ sshd_print_motd }}
+
+# Specifies what environment variables sent by the client will be copied
+# into the session's environ(7).
+# The default is not to accept any environment variables.
+AcceptEnv LANG LC_*
+
+# Configures an external subsystem (e.g. file transfer daemon).
+# By default no subsystems are defined.
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Specifies whether sshd(8) should look up the remote host name and check 
+# that the resolved host name for the remote IP address maps back to the 
+# very same IP address.
+# The default is “yes”.
+UseDNS {{ sshd_use_dns }}
+
+# Specifies whether X11 forwarding is permitted. The argument must be 
+# “yes” or “no”. See sshd_config(5) for further expalnation
+# The default is “no”.
+#X11Forwarding yes
+
+# Specifies the first display number available for sshd(8)'s X11 
+# forwarding. This prevents sshd from interfering with real X11 servers.
+# The default is 10.
+X11DisplayOffset 10
+
+# Specifies whether the system should send TCP keepalive messages to the 
+# other side. If they are sent, death of the connection or crash of one 
+# of the machines will be properly noticed.  However, this means
+# that connections will die if the route is down temporarily, and some 
+# people find it annoying. On the other hand, if TCP keepalives are not 
+# sent, sessions may hang indefinitely on the server, leaving “ghost” users 
+# and consuming server resources.
+#
+# The default is “yes” (to send TCP keepalive messages), and the server 
+# will notice if the network goes down or the client host crashes. This 
+# avoids infinitely hanging sessions.
+TCPKeepAlive yes
+
+#Specifies whether sshd(8) should print the date and time of the last 
+# user login when a user logs in interactively.
+# The default is “yes”.
+PrintLastLog yes
+
+# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
+# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
+# other remote hosts from connecting to forwarded ports.
+#
+# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
+# bind to non-loopback addresses, thus allowing other hosts to connect.  The argument may be
+# no to force remote port forwardings to be available to the local host only, yes to force
+# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
+# client to select the address to which the forwarding is bound.  The default is no.
+#GatewayPorts {{ sshd_gateway_ports }}
+
+
+#-----------------------------
+# Kerberos options
+#-----------------------------
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+
+#-----------------------------
+# GSSAPI options
+#-----------------------------
+
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes