From c771ba2095365f213ff95f7578bdf82ed02dbb9a Mon Sep 17 00:00:00 2001 From: Christoph Date: Sat, 19 Oct 2024 10:18:05 +0200 Subject: [PATCH] update.. --- group_vars/all/main.yml | 70 +++--- host_vars/cp-flr.oopen.de.yml | 203 ++++++++++++++++++ host_vars/o26.oopen.de.yml | 9 +- host_vars/o40.oopen.de.yml | 4 +- host_vars/o42.oopen.de.yml | 2 +- roles/common/templates/etc/ssh/sshd_config.j2 | 105 +++++---- 6 files changed, 319 insertions(+), 74 deletions(-) create mode 100644 host_vars/cp-flr.oopen.de.yml diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 5bc05b7..9eff5c2 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -2082,6 +2082,8 @@ sshd_pubkey_authentication: !!str "yes" sshd_password_authentication: !!str "no" +sshd_kbd_interactive_authentication: + sshd_use_pam: !!str "yes" #sshd_allowed_users: @@ -2095,6 +2097,7 @@ sshd_use_dns: !!str "no" sshd_gateway_ports: !!str "no" +sshd_required_rsa_size: 4096 # sshd_pubkey_accepted_algorithms: # 
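Review bot: `sshd_kbd_interactive_authentication:` is added with nothing after the colon (as far as the collapsed hunk shows), which YAML loads as null, so a template that renders it with `{{ sshd_kbd_interactive_authentication }}` would emit `KbdInteractiveAuthentication None` and sshd would reject the config. The sshd_config.j2 hunk in this same commit still hard-codes `KbdInteractiveAuthentication no`, so the variable appears to be unused for now; either give it a real value in the style of its neighbours, `sshd_kbd_interactive_authentication: !!str "no"`, or leave it commented out until the template consumes it. A one-line comment stating which template line it is meant to drive would also help the next reader.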
@@ -2129,43 +2132,57 @@ sshd_gateway_ports: !!str "no" # # Example: # sshd_kexalgorithms: -# - curve25519-sha256@libssh.org +# - ntrup761x25519-sha512@openssh.com +# - curve25519-sha256,curve25519-sha256@libssh.org +# - ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 # - diffie-hellman-group-exchange-sha256 -# - diffie-hellman-group14-sha1 +# - diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +# - diffie-hellman-group14-sha256 # #sshd_kexalgorithms: {} -sshd_hostkeyalgorithms: - - ssh-ed25519 - - ssh-ed25519-cert-v01@openssh.com - - rsa-sha2-256 - - rsa-sha2-512 - - rsa-sha2-256-cert-v01@openssh.com - - rsa-sha2-512-cert-v01@openssh.com - - -# sshd_kexalgorithms +# sshd__ciphers # # Example: # sshd_ciphers: # - chacha20-poly1305@openssh.com -# - aes256-gcm@openssh.com +# - aes128-ctr +# - aes192-ctr # - aes256-ctr - +# - aes128-gcm@openssh.com +# - aes256-gcm@openssh.com #sshd_ciphers: {} -sshd_ciphers: - - chacha20-poly1305@openssh.com - - aes256-gcm@openssh.com - - aes128-gcm@openssh.com - - aes256-ctr - - aes192-ctr - - aes128-ctr +# sshd_macs +# +# Example: +# sshd_macs: +# - umac-64-etm@openssh.com,umac-128-etm@openssh.com +# - hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com +# - hmac-sha1-etm@openssh.com +# - umac-64@openssh.com,umac-128@openssh.com +# - hmac-sha2-256,hmac-sha2-512,hmac-sha1 #sshd_macs: {} -sshd_macs: - - hmac-sha2-256-etm@openssh.com - - hmac-sha2-512-etm@openssh.com - - umac-128-etm@openssh.com + +# sshd_hostkeyalgorithms +# +# Example: +# - ssh-ed25519-cert-v01@openssh.com +# - ecdsa-sha2-nistp256-cert-v01@openssh.com +# - ecdsa-sha2-nistp384-cert-v01@openssh.com +# - ecdsa-sha2-nistp521-cert-v01@openssh.com +# - sk-ssh-ed25519-cert-v01@openssh.com +# - sk-ecdsa-sha2-nistp256-cert-v01@openssh.com +# - rsa-sha2-512-cert-v01@openssh.com +# - rsa-sha2-256-cert-v01@openssh.com +# - ssh-ed25519 +# - ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 +# - sk-ssh-ed25519@openssh.com +# - 
sk-ecdsa-sha2-nistp256@openssh.com +# - rsa-sha2-512 +# - rsa-sha2-256 +# +#sshd_hostkeyalgorithms: {} # This users are allowed to use password authentification # @@ -2222,6 +2239,9 @@ sudoers_file_user_back_privileges: - 'ALL=(root) NOPASSWD: /usr/bin/rsync' - 'ALL=(root) NOPASSWD: /usr/bin/find' - 'ALL=(root) NOPASSWD: /usr/bin/realpath' + - 'ALL=(root) NOPASSWD: /root/bin/borg-backup/borg-backup.sh' + - 'ALL=(root) NOPASSWD: /root/bin/borg-backup/borg-backup-nc.sh' + sudoers_file_user_back_postgres_privileges: - 'ALL=(postgres) NOPASSWD: /usr/bin/psql' diff --git a/host_vars/cp-flr.oopen.de.yml b/host_vars/cp-flr.oopen.de.yml new file mode 100644 index 0000000..99a72a1 --- /dev/null +++ b/host_vars/cp-flr.oopen.de.yml 
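Review bot: The example KEX list in the new comment block names `ntrup761x25519-sha512@openssh.com`, dropping the leading `s` of `sntrup761x25519-sha512@openssh.com` (the spelling this same commit adds to sshd_config.j2); anyone copying the example into `sshd_kexalgorithms` would hand sshd an algorithm name it does not recognise, and sshd rejects a configuration whose KexAlgorithms contains an unknown entry. The heading `# sshd__ciphers` has a doubled underscore, and the `sshd_hostkeyalgorithms` example lacks the `# sshd_hostkeyalgorithms:` key line that the other three examples show. Separately, turning the previously active `sshd_hostkeyalgorithms`, `sshd_ciphers` and `sshd_macs` lists into commented `{}` entries means every host now falls back to the OpenSSH defaults, which per the MAC example in this very hunk include `hmac-sha1` and `umac-64`; if that fallback is deliberate, a one-line comment such as `# algorithm lists intentionally left to OpenSSH defaults; set sshd_macs/sshd_ciphers per host to restrict` would stop the next reader from treating it as an accidental loss of hardening.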
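Review bot: The two new NOPASSWD entries let the `back` user run `/root/bin/borg-backup/borg-backup.sh` and `/root/bin/borg-backup/borg-backup-nc.sh` as root with any command-line arguments, so both scripts and the directory holding them must be root-owned and not writable by `back`, otherwise the entry is equivalent to unrestricted root. If the scripts take no arguments, pin that in sudoers by appending an empty argument, e.g. `- 'ALL=(root) NOPASSWD: /root/bin/borg-backup/borg-backup.sh ""'`, which sudoers reads as "no arguments allowed". Since this lives in group_vars and applies to every host that includes these privileges, a short comment above the entries naming the cron job or hosts that rely on them would make the scope explicit.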
@@ -0,0 +1,203 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + +sshd_permit_root_login: !!str "prohibit-password" + +# --- +# vars used by apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 185.12.64.1 + - 2a01:4ff:ff00::add:2 + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 + +# search domains +# +# If there are more than one search 
domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + + user_id: 1051 + group_id: 1051 + group: localadmin + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: cryptpad + user_id: 2010 + group_id: 2010 + group: cryptpad + home: /var/www/cryptpad + password: $y$j9T$TUSURhYNq5B1eWlxis.xy.$YfCpyp24dmaZwiIEMaJvX7u3P.MEdAyz8YXMusM4lu7 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + +sudoers_file_user_privileges: + - name: back + entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php' + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + diff --git a/host_vars/o26.oopen.de.yml b/host_vars/o26.oopen.de.yml index 381713e..48728b7 100644 --- a/host_vars/o26.oopen.de.yml +++ b/host_vars/o26.oopen.de.yml @@ -359,6 +359,11 @@ cron_user_special_time_entries: cron_user_entries: + - name: "Renote Borg Backup" + minute: '04' + hour: '00' + job: /root/crontab/backup-rborg/remote-borg-backup.sh + - name: "Check if SSH service is running. Restart service if needed." minute: '*/5' hour: '*' 
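Review bot: The `password:` fields for `chris`, `sysadm`, `localadmin`, `back` and `cryptpad` are committed as plaintext crypt hashes in the new `host_vars/cp-flr.oopen.de.yml`; hashes in a version-controlled inventory are offline-crackable material and should be stored as `!vault` values (`ansible-vault encrypt_string`) or moved to a vaulted vars file. The `cryptpad` service account is given `/bin/bash` and the same administrative SSH keys as the human accounts; if the role only needs it to own `/var/www/cryptpad`, `shell: /usr/sbin/nologin` with no `ssh_keys` would be the narrower setting — worth confirming what the deployment actually requires. `resolved_dnssec: false` carries no explanation while the surrounding DNS block is extensive; a one-line `# DNSSEC disabled because ...` comment would record the trade-off.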
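Review bot: The new cron entry's `name: "Renote Borg Backup"` misspells "Remote"; because Ansible's cron module uses `name` as the identifying comment in the crontab, correcting it after rollout adds a second entry (the old one stays until removed with `state: absent`), so it is cheapest to fix now: `- name: "Remote Borg Backup"`. The job fires at 00:04 and this commit moves the rcopy jobs in the following hunk from 00:06 to 00:16, presumably to keep them from overlapping; a short comment on the entry stating that ordering would make the dependency explicit.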
@@ -380,13 +385,13 @@ cron_user_entries: job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1 - name: "Backup internet hosts and then print out hdd-usage for all backuped hosts" - minute: '06' + minute: '16' hour: '00' weekday: '1-6' job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N - name: "On sunday morning also determin diskspace usage" - minute: '06' + minute: '16' hour: '00' weekday: 7 job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N ; /root/bin/admin-stuff/disk-space_usage.sh -q -o /root/disk-space_usage /backup diff --git a/host_vars/o40.oopen.de.yml b/host_vars/o40.oopen.de.yml index d90d1af..2080f31 100644 --- a/host_vars/o40.oopen.de.yml +++ b/host_vars/o40.oopen.de.yml @@ -242,9 +242,9 @@ cron_user_special_time_entries: job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1" insertafter: PATH - - name: "Check if postfix mailservice is running. Restart service if needed." + - name: "Check if ntpsec service is running. Restart service if needed." special_time: reboot - job: "@reboot sleep 20 ; /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1" + job: "sleep 20 ; /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1" insertafter: PATH # - name: "Check if Check if all autostart LX-Container are running." diff --git a/host_vars/o42.oopen.de.yml b/host_vars/o42.oopen.de.yml index efd5b90..76ab49d 100644 --- a/host_vars/o42.oopen.de.yml +++ b/host_vars/o42.oopen.de.yml @@ -32,7 +32,7 @@ network_interfaces: family: inet method: static - hwaddress: + hwaddress: 2c:f0:5d:0d:df:01 description: address: 95.217.194.43 netmask: 26 diff --git a/roles/common/templates/etc/ssh/sshd_config.j2 b/roles/common/templates/etc/ssh/sshd_config.j2 index e564705..ec41d95 100644 --- a/roles/common/templates/etc/ssh/sshd_config.j2 +++ b/roles/common/templates/etc/ssh/sshd_config.j2 
@@ -10,11 +10,11 @@ Port {{ item }} {% endfor %} # Specifies the local addresses sshd(8) should listen on. The following forms may be used: -# +# # ListenAddress host|IPv4_addr|IPv6_addr # ListenAddress host|IPv4_addr:port # ListenAddress [host|IPv6_addr]:port -# +# # If port is not specified, sshd will listen on the address and all Port options specified. The default # is to listen on all local addresses. Multiple ListenAddress options are permitted. # @@ -30,7 +30,7 @@ ListenAddress {{ item }} {% endif %} # Specifies the protocol versions sshd(8) supports. -# The possible values are '1' , `2' and '1,2'. +# The possible values are '1' , '2' and '1,2'. # The default is '2'. Protocol 2 @@ -49,7 +49,7 @@ HostKey {{ item }} #ServerKeyBits 768 # Specifies the maximum number of concurrent unauthenticated connections -# to the SSH daemon. See sshd_config(5) for specifiing the three colon +# to the SSH daemon. See sshd_config(5) for specifiing the three colon # separated values. # The default is 10. #MaxStartups 10:30:100 @@ -89,7 +89,7 @@ UsePrivilegeSeparation {{ sshd_use_privilege_separation }} # The server disconnects after this time if the user has not # successfully logged in. # The default is 120 seconds. -LoginGraceTime = {{ sshd_login_grace_time | default('120') }} +LoginGraceTime {{ sshd_login_grace_time | default('120') }} # Specifies whether root can log in using ssh(1). # The default is "yes". 
@@ -97,15 +97,15 @@ LoginGraceTime = {{ sshd_login_grace_time | default('120') }} #PermitRootLogin yes PermitRootLogin {{ sshd_permit_root_login }} -# Specifies whether sshd(8) should check file modes and ownership of the -# user's files and home directory before accepting login. This is normally -# desirable because novices sometimes accidentally leave their directory or -# files world-writable. Note that this does not apply to ChrootDirectory, -# whose permissions and ownership are checked unconditionally. +# Specifies whether sshd(8) should check file modes and ownership of the +# user's files and home directory before accepting login. This is normally +# desirable because novices sometimes accidentally leave their directory or +# files world-writable. Note that this does not apply to ChrootDirectory, +# whose permissions and ownership are checked unconditionally. # The default is “yes”. StrictModes yes -# Specifies whether pure RSA authentication is allowed. This option +# Specifies whether pure RSA authentication is allowed. This option # applies to protocol version 1 only. # The default is “yes”. # 
@@ -114,20 +114,20 @@ StrictModes yes # #RSAAuthentication yes -# Specifies whether public key authentication is allowed. Note that this +# Specifies whether public key authentication is allowed. Note that this # option applies to protocol version 2 only. # The default is “yes”. PubkeyAuthentication {{ sshd_pubkey_authentication }} -# Specifies the file that contains the public keys that can be used for -# user authentication. The format is described in the AUTHORIZED_KEYS FILE +# Specifies the file that contains the public keys that can be used for +# user authentication. The format is described in the AUTHORIZED_KEYS FILE # FORMAT section of sshd(8). # AuthorizedKeysFile may contain tokens of the form %T which are substituted -# during connection setup. The following tokens are defined: %% is replaced -# by a literal '%', %h is replaced by the home directory of the user being -# authenticated, and %u is replaced by the username of that user. After -# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative -# to the user's home directory. Multiple files may be listed, separated by +# during connection setup. The following tokens are defined: %% is replaced +# by a literal '%', %h is replaced by the home directory of the user being +# authenticated, and %u is replaced by the username of that user. After +# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative +# to the user's home directory. Multiple files may be listed, separated by # whitespace. # The default is “.ssh/authorized_keys .ssh/authorized_keys2”. #AuthorizedKeysFile %h/.ssh/authorized_keys 
@@ -139,9 +139,9 @@ AuthorizedKeysFile {{ sshd_authorized_keys_file }} #PasswordAuthentication yes PasswordAuthentication {{ sshd_password_authentication }} -# When password authentication is allowed, it specifies whether the +# When password authentication is allowed, it specifies whether the # server allows login to accounts with empty password strings. -# The default is “no”. +# The default is 'no'. PermitEmptyPasswords no {% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 11) %} @@ -150,7 +150,7 @@ PermitEmptyPasswords no KbdInteractiveAuthentication no {% else %} # Specifies whether challenge-response authentication is allowed (e.g. via PAM). -# The default is “yes”. +# The default is 'yes'. ChallengeResponseAuthentication no {% endif %} @@ -166,15 +166,15 @@ IgnoreRhosts yes # similar for protocol version 2 HostbasedAuthentication no -# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts -# during RhostsRSAAuthentication or HostbasedAuthentication. +# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts +# during RhostsRSAAuthentication or HostbasedAuthentication. # The default is “no”. # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # If specified, login is allowed only for user names that match one of # the patterns. -# The allow/deny directives are processed in the following order: DenyUsers, +# The allow/deny directives are processed in the following order: DenyUsers, # AllowUsers, DenyGroups, and finally AllowGroups. # By default, login is allowed for all users. {% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %} 
@@ -195,10 +195,10 @@ AllowUsers {{ fact_sshd_allowed_users }} UsePAM {{ sshd_use_pam }} # Specifies whether login(1) is used for interactive login sessions. -# Note that login(1) is never used for remote command execution. -# Note also, that if this is enabled, X11Forwarding will be disabled +# Note that login(1) is never used for remote command execution. +# Note also, that if this is enabled, X11Forwarding will be disabled # because login(1) does not know how to handle xauth(1) cookies. If -# UsePrivilegeSeparation is specified, it will be disabled after +# UsePrivilegeSeparation is specified, it will be disabled after # authentication. # The default is “no”. #UseLogin no @@ -207,6 +207,24 @@ UsePAM {{ sshd_use_pam }} #----------------------------- # Cryptography #----------------------------- +{% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 12 %} + +# RequiredRSASize +# +# Specifies the minimum RSA key size (in bits) that sshd(8) will accept. User and host-based +# authentication keys smaller than this limit will be refused. +# +# The default is 1024 bits. +# +# Note that this limit may only be raised from the default. +# +{% if (sshd_required_rsa_size is defined) and sshd_required_rsa_size %} +RequiredRSASize {{ sshd_required_rsa_size }} +{% else %} +# RequiredRSASize 1024 +{% endif %} +{% endif %} +{% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %} # PubkeyAcceptedAlgorithms # 
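Review bot: With `sshd_required_rsa_size: 4096` set in group_vars/all/main.yml in this same commit, the new `RequiredRSASize {{ sshd_required_rsa_size }}` line makes sshd refuse every RSA user or host-based key shorter than 4096 bits on Debian 12+ hosts, so any existing 2048- or 3072-bit RSA entries in authorized_keys stop working at the next sshd restart; the inventory keys visible in this commit are all ed25519, but other hosts' authorized_keys should be checked before rollout, and the choice of 4096 deserves a comment next to the variable. The `{% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 12 %}` guard is a proxy for the OpenSSH version (RequiredRSASize appeared in OpenSSH 9.1), so non-Debian hosts with a new enough sshd silently never receive the directive; a comment stating that proxy, or a check on the installed OpenSSH version, would make the intent clear. As a point of style, the existing KbdInteractiveAuthentication guard earlier in this template spells the same condition `|int > 11`; using one form for both keeps the template consistent.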
@@ -231,14 +249,12 @@ UsePAM {{ sshd_use_pam }} # sk-ecdsa-sha2-nistp256@openssh.com, # rsa-sha2-512,rsa-sha2-256 # - -{% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %} +# The list of available signature algorithms may also be obtained using +# "ssh -Q PubkeyAcceptedAlgorithms" +# PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }} -{% else %} -#PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 {% endif %} - # KexAlgorithms # # Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. @@ -262,6 +278,7 @@ PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }} # # The default is: # +# sntrup761x25519-sha512@openssh.com, # curve25519-sha256,curve25519-sha256@libssh.org, # ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, # diffie-hellman-group-exchange-sha256, @@ -377,9 +394,9 @@ HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }} # Logging #----------------------------- -# Gives the facility code that is used when logging messages from sshd(8). -# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, -# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. +# Gives the facility code that is used when logging messages from sshd(8). +# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, +# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. # The default is AUTH. SyslogFacility AUTH 
@@ -403,9 +420,9 @@ DebianBanner no # By default, no banner is displayed. #Banner /etc/issue.net -# Specifies whether sshd(8) should print /etc/motd when a user logs in -# interactively. (On some systems it is also printed by the shell, -# /etc/profile, or equivalent.) +# Specifies whether sshd(8) should print /etc/motd when a user logs in +# interactively. (On some systems it is also printed by the shell, +# /etc/profile, or equivalent.) # The default is “yes”. PrintMotd {{ sshd_print_motd }} @@ -432,12 +449,12 @@ Subsystem sftp /usr/lib/openssh/sftp-server # The default is 'yes'. UseDNS {{ sshd_use_dns }} -# Specifies whether X11 forwarding is permitted. The argument must be +# Specifies whether X11 forwarding is permitted. The argument must be # “yes” or “no”. See sshd_config(5) for further expalnation # The default is “no”. #X11Forwarding yes -# Specifies the first display number available for sshd(8)'s X11 +# Specifies the first display number available for sshd(8)'s X11 # forwarding. This prevents sshd from interfering with real X11 servers. # The default is 10. X11DisplayOffset 10 @@ -450,12 +467,12 @@ X11DisplayOffset 10 # sent, sessions may hang indefinitely on the server, leaving 'ghost' users # and consuming server resources. # -# The default is “yes” (to send TCP keepalive messages), and the server -# will notice if the network goes down or the client host crashes. This +# The default is “yes” (to send TCP keepalive messages), and the server +# will notice if the network goes down or the client host crashes. This # avoids infinitely hanging sessions. TCPKeepAlive yes -#Specifies whether sshd(8) should print the date and time of the last +#Specifies whether sshd(8) should print the date and time of the last # user login when a user logs in interactively. # The default is “yes”. PrintLastLog yes