update..
This commit is contained in:
@@ -1,8 +1,4 @@
|
||||
# *** ---------------------------------------------- ***
|
||||
# *** ***
|
||||
# {{ ansible_managed }}
|
||||
# *** ***
|
||||
# *** ---------------------------------------------- ***
|
||||
|
||||
#-----------------------------
|
||||
# Daemon
|
||||
@@ -56,18 +52,19 @@ HostKey {{ item }}
|
||||
# to the SSH daemon. See sshd_config(5) for specifiing the three colon
|
||||
# separated values.
|
||||
# The default is 10.
|
||||
#MaxStartups 10:30:100
|
||||
#MaxStartups 3
|
||||
MaxStartups 10:30:100
|
||||
MaxStartups {{ sshd_max_startups }}
|
||||
|
||||
# Specifies the maximum number of authentication attempts permitted per
|
||||
# connection.
|
||||
# The default is 6.
|
||||
MaxAuthTries 3
|
||||
MaxAuthTries {{ sshd_max_auth_tries }}
|
||||
|
||||
# Specifies the maximum number of open sessions permitted per network
|
||||
# connection.
|
||||
# The default is 10.
|
||||
MaxSessions 10
|
||||
MaxSessions {{ sshd_max_sessions }}
|
||||
|
||||
|
||||
#-----------------------------
|
||||
@@ -218,7 +215,7 @@ UsePAM {{ sshd_use_pam }}
|
||||
# pended to the default set instead of replacing them. If the specified value begins with a ‘-’ charac‐
|
||||
# ter, then the specified methods (including wildcards) will be removed from the default set instead of
|
||||
# replacing them. The supported algorithms are:
|
||||
#
|
||||
#
|
||||
# curve25519-sha256
|
||||
# curve25519-sha256@libssh.org
|
||||
# diffie-hellman-group1-sha1
|
||||
@@ -231,15 +228,15 @@ UsePAM {{ sshd_use_pam }}
|
||||
# ecdh-sha2-nistp256
|
||||
# ecdh-sha2-nistp384
|
||||
# ecdh-sha2-nistp521
|
||||
#
|
||||
#
|
||||
# The default is:
|
||||
#
|
||||
#
|
||||
# curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
# ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
# diffie-hellman-group-exchange-sha256,
|
||||
# diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||
# diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
|
||||
#
|
||||
#
|
||||
# The list of available key exchange algorithms may also be obtained using "ssh -Q kex".
|
||||
#
|
||||
{% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
|
||||
@@ -254,9 +251,9 @@ KexAlgorithms {{ fact_sshd_kexalgorithms }}
|
||||
# with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replac‐
|
||||
# ing them. If the specified value begins with a ‘-’ character, then the specified ciphers (including
|
||||
# wildcards) will be removed from the default set instead of replacing them.
|
||||
#
|
||||
#
|
||||
# The supported ciphers are:
|
||||
#
|
||||
#
|
||||
# 3des-cbc
|
||||
# aes128-cbc
|
||||
# aes192-cbc
|
||||
@@ -267,15 +264,15 @@ KexAlgorithms {{ fact_sshd_kexalgorithms }}
|
||||
# aes128-gcm@openssh.com
|
||||
# aes256-gcm@openssh.com
|
||||
# chacha20-poly1305@openssh.com
|
||||
#
|
||||
#
|
||||
# The default is:
|
||||
#
|
||||
#
|
||||
# chacha20-poly1305@openssh.com,
|
||||
# aes128-ctr,aes192-ctr,aes256-ctr,
|
||||
# aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||
#
|
||||
#
|
||||
# The list of available ciphers may also be obtained using "ssh -Q cipher".
|
||||
#
|
||||
#
|
||||
{% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
|
||||
Ciphers {{ fact_sshd_ciphers }}
|
||||
{% else %}
|
||||
@@ -289,10 +286,10 @@ Ciphers {{ fact_sshd_ciphers }}
|
||||
# with a ‘+’ character, then the specified algorithms will be appended to the default set instead of re‐
|
||||
# placing them. If the specified value begins with a ‘-’ character, then the specified algorithms (in‐
|
||||
# cluding wildcards) will be removed from the default set instead of replacing them.
|
||||
#
|
||||
#
|
||||
# The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac). These are
|
||||
# considered safer and their use recommended. The supported MACs are:
|
||||
#
|
||||
#
|
||||
# hmac-md5
|
||||
# hmac-md5-96
|
||||
# hmac-sha1
|
||||
@@ -309,17 +306,17 @@ Ciphers {{ fact_sshd_ciphers }}
|
||||
# hmac-sha2-512-etm@openssh.com
|
||||
# umac-64-etm@openssh.com
|
||||
# umac-128-etm@openssh.com
|
||||
#
|
||||
#
|
||||
# The default is:
|
||||
#
|
||||
#
|
||||
# umac-64-etm@openssh.com,umac-128-etm@openssh.com,
|
||||
# hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
||||
# hmac-sha1-etm@openssh.com,
|
||||
# umac-64@openssh.com,umac-128@openssh.com,
|
||||
# hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||
#
|
||||
#
|
||||
# The list of available MAC algorithms may also be obtained using "ssh -Q mac".
|
||||
#
|
||||
#
|
||||
{% if (fact_sshd_macs is defined) and fact_sshd_macs %}
|
||||
MACs {{ fact_sshd_macs }}
|
||||
{% else %}
|
||||
@@ -329,7 +326,7 @@ MACs {{ fact_sshd_macs }}
|
||||
# HostKeyAlgorithms
|
||||
#
|
||||
# Specifies the host key algorithms that the server offers. The default for this option is:
|
||||
#
|
||||
#
|
||||
# ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
# ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
# ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
@@ -338,7 +335,7 @@ MACs {{ fact_sshd_macs }}
|
||||
# ssh-rsa-cert-v01@openssh.com,
|
||||
# ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
# ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
#
|
||||
#
|
||||
# The list of available key types may also be obtained using "ssh -Q key".
|
||||
{% if (fact_sshd_hostkeyalgorithms is defined) and fact_sshd_hostkeyalgorithms %}
|
||||
HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }}
|
||||
@@ -388,7 +385,7 @@ AcceptEnv LANG LC_*
|
||||
|
||||
# Configures an external subsystem (e.g. file transfer daemon).
|
||||
# By default no subsystems are defined.
|
||||
{% if ansible_facts['distribution_major_version'] | int >= 11 %}
|
||||
{% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 11 %}
|
||||
{% if sshd_config_sftp.found|int == 0 %}
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
{% else %}
|
||||
@@ -398,10 +395,10 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
{% endif %}
|
||||
|
||||
# Specifies whether sshd(8) should look up the remote host name and check
|
||||
# that the resolved host name for the remote IP address maps back to the
|
||||
# Specifies whether sshd(8) should look up the remote host name and check
|
||||
# that the resolved host name for the remote IP address maps back to the
|
||||
# very same IP address.
|
||||
# The default is “yes”.
|
||||
# The default is 'yes'.
|
||||
UseDNS {{ sshd_use_dns }}
|
||||
|
||||
# Specifies whether X11 forwarding is permitted. The argument must be
|
||||
@@ -414,12 +411,12 @@ UseDNS {{ sshd_use_dns }}
|
||||
# The default is 10.
|
||||
X11DisplayOffset 10
|
||||
|
||||
# Specifies whether the system should send TCP keepalive messages to the
|
||||
# other side. If they are sent, death of the connection or crash of one
|
||||
# Specifies whether the system should send TCP keepalive messages to the
|
||||
# other side. If they are sent, death of the connection or crash of one
|
||||
# of the machines will be properly noticed. However, this means
|
||||
# that connections will die if the route is down temporarily, and some
|
||||
# people find it annoying. On the other hand, if TCP keepalives are not
|
||||
# sent, sessions may hang indefinitely on the server, leaving “ghost” users
|
||||
# that connections will die if the route is down temporarily, and some
|
||||
# people find it annoying. On the other hand, if TCP keepalives are not
|
||||
# sent, sessions may hang indefinitely on the server, leaving 'ghost' users
|
||||
# and consuming server resources.
|
||||
#
|
||||
# The default is “yes” (to send TCP keepalive messages), and the server
|
||||
@@ -432,14 +429,14 @@ TCPKeepAlive yes
|
||||
# The default is “yes”.
|
||||
PrintLastLog yes
|
||||
|
||||
# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
|
||||
# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
|
||||
# other remote hosts from connecting to forwarded ports.
|
||||
# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
|
||||
# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
|
||||
# other remote hosts from connecting to forwarded ports.
|
||||
#
|
||||
# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
|
||||
# bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be
|
||||
# no to force remote port forwardings to be available to the local host only, yes to force
|
||||
# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
|
||||
# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
|
||||
# bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be
|
||||
# no to force remote port forwardings to be available to the local host only, yes to force
|
||||
# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
|
||||
# client to select the address to which the forwarding is bound. The default is no.
|
||||
GatewayPorts {{ sshd_gateway_ports }}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user