ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update..

Browse Source
This commit is contained in:
Christoph 2024-10-19 10:18:05 +02:00
parent 134eb18465
commit c771ba2095
6 changed files with 319 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
group_vars/all/main.yml
View File

@ -2082,6 +2082,8 @@ sshd_pubkey_authentication: !!str "yes"
sshd_password_authentication: !!str "no"
sshd_kbd_interactive_authentication:
sshd_use_pam: !!str "yes"
#sshd_allowed_users:
@ -2095,6 +2097,7 @@ sshd_use_dns: !!str "no"
sshd_gateway_ports: !!str "no"
sshd_required_rsa_size: 4096
# sshd_pubkey_accepted_algorithms:
#
@ -2129,43 +2132,57 @@ sshd_gateway_ports: !!str "no"
#
# Example:
# sshd_kexalgorithms:
# - curve25519-sha256@libssh.org
# - ntrup761x25519-sha512@openssh.com
# - curve25519-sha256,curve25519-sha256@libssh.org
# - ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
# - diffie-hellman-group-exchange-sha256
# - diffie-hellman-group14-sha1
# - diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
# - diffie-hellman-group14-sha256
#
#sshd_kexalgorithms: {}
sshd_hostkeyalgorithms:
- ssh-ed25519
- ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-256
- rsa-sha2-512
- rsa-sha2-256-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
# sshd_kexalgorithms
# sshd__ciphers
#
# Example:
# sshd_ciphers:
# - chacha20-poly1305@openssh.com
# - aes256-gcm@openssh.com
# - aes128-ctr
# - aes192-ctr
# - aes256-ctr
# - aes128-gcm@openssh.com
# - aes256-gcm@openssh.com
#sshd_ciphers: {}
sshd_ciphers:
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr
# sshd_macs
#
# Example:
# sshd_macs:
# - umac-64-etm@openssh.com,umac-128-etm@openssh.com
# - hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
# - hmac-sha1-etm@openssh.com
# - umac-64@openssh.com,umac-128@openssh.com
# - hmac-sha2-256,hmac-sha2-512,hmac-sha1
#sshd_macs: {}
sshd_macs:
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com
- umac-128-etm@openssh.com
# sshd_hostkeyalgorithms
#
# Example:
# - ssh-ed25519-cert-v01@openssh.com
# - ecdsa-sha2-nistp256-cert-v01@openssh.com
# - ecdsa-sha2-nistp384-cert-v01@openssh.com
# - ecdsa-sha2-nistp521-cert-v01@openssh.com
# - sk-ssh-ed25519-cert-v01@openssh.com
# - sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
# - rsa-sha2-512-cert-v01@openssh.com
# - rsa-sha2-256-cert-v01@openssh.com
# - ssh-ed25519
# - ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
# - sk-ssh-ed25519@openssh.com
# - sk-ecdsa-sha2-nistp256@openssh.com
# - rsa-sha2-512
# - rsa-sha2-256
#
#sshd_hostkeyalgorithms: {}
# This users are allowed to use password authentification
#
@ -2222,6 +2239,9 @@ sudoers_file_user_back_privileges:
- 'ALL=(root) NOPASSWD: /usr/bin/rsync'
- 'ALL=(root) NOPASSWD: /usr/bin/find'
- 'ALL=(root) NOPASSWD: /usr/bin/realpath'
- 'ALL=(root) NOPASSWD: /root/bin/borg-backup/borg-backup.sh'
- 'ALL=(root) NOPASSWD: /root/bin/borg-backup/borg-backup-nc.sh'
sudoers_file_user_back_postgres_privileges:
- 'ALL=(postgres) NOPASSWD: /usr/bin/psql'

203
host_vars/cp-flr.oopen.de.yml Normal file
View File

@ -0,0 +1,203 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_permit_root_login: !!str "prohibit-password"
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 185.12.64.2
- 2a01:4ff:ff00::add:1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
default_user:
- name: chris
password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
group: localadmin
password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: cryptpad
user_id: 2010
group_id: 2010
group: cryptpad
home: /var/www/cryptpad
password: $y$j9T$TUSURhYNq5B1eWlxis.xy.$YfCpyp24dmaZwiIEMaJvX7u3P.MEdAyz8YXMusM4lu7
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
sudoers_file_user_privileges:
- name: back
entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---

9
host_vars/o26.oopen.de.yml
View File

@ -359,6 +359,11 @@ cron_user_special_time_entries:
cron_user_entries:
- name: "Renote Borg Backup"
minute: '04'
hour: '00'
job: /root/crontab/backup-rborg/remote-borg-backup.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
@ -380,13 +385,13 @@ cron_user_entries:
job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
- name: "Backup internet hosts and then print out hdd-usage for all backuped hosts"
minute: '06'
minute: '16'
hour: '00'
weekday: '1-6'
job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N
- name: "On sunday morning also determin diskspace usage"
minute: '06'
minute: '16'
hour: '00'
weekday: 7
job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N ; /root/bin/admin-stuff/disk-space_usage.sh -q -o /root/disk-space_usage /backup

4
host_vars/o40.oopen.de.yml
View File

@ -242,9 +242,9 @@ cron_user_special_time_entries:
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH
- name: "Check if postfix mailservice is running. Restart service if needed."
- name: "Check if ntpsec service is running. Restart service if needed."
special_time: reboot
job: "@reboot sleep 20 ; /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1"
job: "sleep 20 ; /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1"
insertafter: PATH
# - name: "Check if Check if all autostart LX-Container are running."

2
host_vars/o42.oopen.de.yml
View File

@ -32,7 +32,7 @@ network_interfaces:
family: inet
method: static
hwaddress:
hwaddress: 2c:f0:5d:0d:df:01
description:
address: 95.217.194.43
netmask: 26

105
roles/common/templates/etc/ssh/sshd_config.j2
View File

@ -10,11 +10,11 @@ Port {{ item }}
{% endfor %}
# Specifies the local addresses sshd(8) should listen on. The following forms may be used:
#
#
# ListenAddress host|IPv4_addr|IPv6_addr
# ListenAddress host|IPv4_addr:port
# ListenAddress [host|IPv6_addr]:port
#
#
# If port is not specified, sshd will listen on the address and all Port options specified. The default
# is to listen on all local addresses. Multiple ListenAddress options are permitted.
#
@ -30,7 +30,7 @@ ListenAddress {{ item }}
{% endif %}
# Specifies the protocol versions sshd(8) supports.
# The possible values are '1' , `2' and '1,2'.
# The possible values are '1' , '2' and '1,2'.
# The default is '2'.
Protocol 2
@ -49,7 +49,7 @@ HostKey {{ item }}
#ServerKeyBits 768
# Specifies the maximum number of concurrent unauthenticated connections
# to the SSH daemon. See sshd_config(5) for specifiing the three colon
# to the SSH daemon. See sshd_config(5) for specifiing the three colon
# separated values.
# The default is 10.
#MaxStartups 10:30:100
@ -89,7 +89,7 @@ UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
# The server disconnects after this time if the user has not
# successfully logged in.
# The default is 120 seconds.
LoginGraceTime = {{ sshd_login_grace_time | default('120') }}
LoginGraceTime {{ sshd_login_grace_time | default('120') }}
# Specifies whether root can log in using ssh(1).
# The default is "yes".
@ -97,15 +97,15 @@ LoginGraceTime = {{ sshd_login_grace_time | default('120') }}
#PermitRootLogin yes
PermitRootLogin {{ sshd_permit_root_login }}
# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
# desirable because novices sometimes accidentally leave their directory or
# files world-writable. Note that this does not apply to ChrootDirectory,
# whose permissions and ownership are checked unconditionally.
# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
# desirable because novices sometimes accidentally leave their directory or
# files world-writable. Note that this does not apply to ChrootDirectory,
# whose permissions and ownership are checked unconditionally.
# The default is “yes”.
StrictModes yes
# Specifies whether pure RSA authentication is allowed. This option
# Specifies whether pure RSA authentication is allowed. This option
# applies to protocol version 1 only.
# The default is “yes”.
#
@ -114,20 +114,20 @@ StrictModes yes
#
#RSAAuthentication yes
# Specifies whether public key authentication is allowed. Note that this
# Specifies whether public key authentication is allowed. Note that this
# option applies to protocol version 2 only.
# The default is “yes”.
PubkeyAuthentication {{ sshd_pubkey_authentication }}
# Specifies the file that contains the public keys that can be used for
# user authentication. The format is described in the AUTHORIZED_KEYS FILE
# Specifies the file that contains the public keys that can be used for
# user authentication. The format is described in the AUTHORIZED_KEYS FILE
# FORMAT section of sshd(8).
# AuthorizedKeysFile may contain tokens of the form %T which are substituted
# during connection setup. The following tokens are defined: %% is replaced
# by a literal '%', %h is replaced by the home directory of the user being
# authenticated, and %u is replaced by the username of that user. After
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
# to the user's home directory. Multiple files may be listed, separated by
# during connection setup. The following tokens are defined: %% is replaced
# by a literal '%', %h is replaced by the home directory of the user being
# authenticated, and %u is replaced by the username of that user. After
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
# to the user's home directory. Multiple files may be listed, separated by
# whitespace.
# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
#AuthorizedKeysFile %h/.ssh/authorized_keys
@ -139,9 +139,9 @@ AuthorizedKeysFile {{ sshd_authorized_keys_file }}
#PasswordAuthentication yes
PasswordAuthentication {{ sshd_password_authentication }}
# When password authentication is allowed, it specifies whether the
# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
# The default is “no”.
# The default is 'no'.
PermitEmptyPasswords no
{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 11) %}
@ -150,7 +150,7 @@ PermitEmptyPasswords no
KbdInteractiveAuthentication no
{% else %}
# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
# The default is “yes”.
# The default is 'yes'.
ChallengeResponseAuthentication no
{% endif %}
@ -166,15 +166,15 @@ IgnoreRhosts yes
# similar for protocol version 2
HostbasedAuthentication no
# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# The default is “no”.
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# If specified, login is allowed only for user names that match one of
# the patterns.
# The allow/deny directives are processed in the following order: DenyUsers,
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
@ -195,10 +195,10 @@ AllowUsers {{ fact_sshd_allowed_users }}
UsePAM {{ sshd_use_pam }}
# Specifies whether login(1) is used for interactive login sessions.
# Note that login(1) is never used for remote command execution.
# Note also, that if this is enabled, X11Forwarding will be disabled
# Note that login(1) is never used for remote command execution.
# Note also, that if this is enabled, X11Forwarding will be disabled
# because login(1) does not know how to handle xauth(1) cookies. If
# UsePrivilegeSeparation is specified, it will be disabled after
# UsePrivilegeSeparation is specified, it will be disabled after
# authentication.
# The default is “no”.
#UseLogin no
@ -207,6 +207,24 @@ UsePAM {{ sshd_use_pam }}
#-----------------------------
# Cryptography
#-----------------------------
{% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 12 %}
# RequiredRSASize
#
# Specifies the minimum RSA key size (in bits) that sshd(8) will accept. User and host-based
# authentication keys smaller than this limit will be refused.
#
# The default is 1024 bits.
#
# Note that this limit may only be raised from the default.
#
{% if (sshd_required_rsa_size is defined) and sshd_required_rsa_size %}
RequiredRSASize {{ sshd_required_rsa_size }}
{% else %}
# RequiredRSASize 1024
{% endif %}
{% endif %}
{% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %}
# PubkeyAcceptedAlgorithms
#
@ -231,14 +249,12 @@ UsePAM {{ sshd_use_pam }}
# sk-ecdsa-sha2-nistp256@openssh.com,
# rsa-sha2-512,rsa-sha2-256
#
{% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %}
# The list of available signature algorithms may also be obtained using
# "ssh -Q PubkeyAcceptedAlgorithms"
#
PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }}
{% else %}
#PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
{% endif %}
# KexAlgorithms
#
# Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated.
@ -262,6 +278,7 @@ PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }}
#
# The default is:
#
# sntrup761x25519-sha512@openssh.com,
# curve25519-sha256,curve25519-sha256@libssh.org,
# ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
# diffie-hellman-group-exchange-sha256,
@ -377,9 +394,9 @@ HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }}
# Logging
#-----------------------------
# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
# The default is AUTH.
SyslogFacility AUTH
@ -403,9 +420,9 @@ DebianBanner no
# By default, no banner is displayed.
#Banner /etc/issue.net
# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
# The default is “yes”.
PrintMotd {{ sshd_print_motd }}
@ -432,12 +449,12 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# The default is 'yes'.
UseDNS {{ sshd_use_dns }}
# Specifies whether X11 forwarding is permitted. The argument must be
# Specifies whether X11 forwarding is permitted. The argument must be
# “yes” or “no”. See sshd_config(5) for further expalnation
# The default is “no”.
#X11Forwarding yes
# Specifies the first display number available for sshd(8)'s X11
# Specifies the first display number available for sshd(8)'s X11
# forwarding. This prevents sshd from interfering with real X11 servers.
# The default is 10.
X11DisplayOffset 10
@ -450,12 +467,12 @@ X11DisplayOffset 10
# sent, sessions may hang indefinitely on the server, leaving 'ghost' users
# and consuming server resources.
#
# The default is “yes” (to send TCP keepalive messages), and the server
# will notice if the network goes down or the client host crashes. This
# The default is “yes” (to send TCP keepalive messages), and the server
# will notice if the network goes down or the client host crashes. This
# avoids infinitely hanging sessions.
TCPKeepAlive yes
#Specifies whether sshd(8) should print the date and time of the last
#Specifies whether sshd(8) should print the date and time of the last
# user login when a user logs in interactively.
# The default is “yes”.
PrintLastLog yes