ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
19617c6a5c
oopen-server/roles/common/templates/etc/ssh/sshd_config.j2
Christoph 19617c6a5c update..
2024-12-04 17:57:55 +01:00

391 lines
13 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
#-----------------------------
# Daemon
#-----------------------------
# What ports, IPs and protocols we listen for
{% for item in sshd_ports %}
Port {{ item }}
{% endfor %}
# Specifies the local addresses sshd(8) should listen on. The following forms may be used:
#
# ListenAddress host|IPv4_addr|IPv6_addr
# ListenAddress host|IPv4_addr:port
# ListenAddress [host|IPv6_addr]:port
#
# If port is not specified, sshd will listen on the address and all Port options specified. The default
# is to listen on all local addresses. Multiple ListenAddress options are permitted.
#
# ListenAddress ::
# ListenAddress 0.0.0.0
# ListenAddress 159.69.72.24
# ListenAddress 2a01:4f8:231:171f::2
#
{% if (sshd_listen_address is defined) and sshd_listen_address %}
{% for item in sshd_listen_address %}
ListenAddress {{ item }}
{% endfor %}
{% endif %}
# Specifies the protocol versions sshd(8) supports.
# The possible values are '1' , '2' and '1,2'.
# The default is '2'.
Protocol 2
# HostKeys for protocol version 2
{% for item in sshd_host_keys %}
HostKey {{ item }}
{% endfor %}
# Lifetime and size of ephemeral version 1 server key
#
# Note:
# Deprecated option KeyRegenerationInterval
# Deprecated option ServerKeyBits
#
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Specifies the maximum number of concurrent unauthenticated connections
# to the SSH daemon. See sshd_config(5) for specifiing the three colon
# separated values.
# The default is 10.
#MaxStartups 10:30:100
#MaxStartups 3
MaxStartups {{ sshd_max_startups }}
# Specifies the maximum number of authentication attempts permitted per
# connection.
# The default is 6.
MaxAuthTries {{ sshd_max_auth_tries }}
# Specifies the maximum number of open sessions permitted per network
# connection.
# The default is 10.
MaxSessions {{ sshd_max_sessions }}
#-----------------------------
# Authentication
#-----------------------------
# Specifies whether sshd(8) separates privileges by creating an unprivileged
# child process to deal with incoming network traffic.
# The default is "yes" (for security).
{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 9) %}
#
# Note: (Release 7.5)
# Deprecated option UsePrivilegeSeparation
# Privilege separation has been on by default for almost 15 years
# sandboxing has been on by default for almost the last five
#
#UsePrivilegeSeparation sandbox
{% else %}
UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
{% endif %}
# The server disconnects after this time if the user has not
# successfully logged in.
# The default is 120 seconds.
LoginGraceTime {{ sshd_login_grace_time | default('120') }}
# Specifies whether root can log in using ssh(1).
# The default is "yes".
# Possible values: yes, no, prohibit-password (or teh older one: without-password)
#PermitRootLogin yes
PermitRootLogin {{ sshd_permit_root_login }}
# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
# desirable because novices sometimes accidentally leave their directory or
# files world-writable. Note that this does not apply to ChrootDirectory,
# whose permissions and ownership are checked unconditionally.
# The default is “yes”.
StrictModes yes
# Specifies whether pure RSA authentication is allowed. This option
# applies to protocol version 1 only.
# The default is “yes”.
#
# Note:
# Deprecated option RSAAuthentication
#
#RSAAuthentication yes
# Specifies whether public key authentication is allowed. Note that this
# option applies to protocol version 2 only.
# The default is “yes”.
PubkeyAuthentication {{ sshd_pubkey_authentication }}
# Specifies the file that contains the public keys that can be used for
# user authentication. The format is described in the AUTHORIZED_KEYS FILE
# FORMAT section of sshd(8).
# AuthorizedKeysFile may contain tokens of the form %T which are substituted
# during connection setup. The following tokens are defined: %% is replaced
# by a literal '%', %h is replaced by the home directory of the user being
# authenticated, and %u is replaced by the username of that user. After
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
# to the user's home directory. Multiple files may be listed, separated by
# whitespace.
# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
#AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysFile {{ sshd_authorized_keys_file }}
# Specifies whether password authentication is allowed.
# Change to no to disable tunnelled clear text passwords
# The default is "yes".
#PasswordAuthentication yes
PasswordAuthentication {{ sshd_password_authentication }}
# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
# The default is 'no'.
PermitEmptyPasswords no
{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 11) %}
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
{% else %}
# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
# The default is 'yes'.
ChallengeResponseAuthentication no
{% endif %}
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
#
# Note:
# Deprecated option RhostsRSAAuthentication
#
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# The default is “no”.
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# If specified, login is allowed only for user names that match one of
# the patterns.
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
AllowUsers {{ fact_sshd_allowed_users }}
{% else %}
#AllowUsers back chris sysadm cityslang christoph
{% endif %}
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM {{ sshd_use_pam }}
# Specifies whether login(1) is used for interactive login sessions.
# Note that login(1) is never used for remote command execution.
# Note also, that if this is enabled, X11Forwarding will be disabled
# because login(1) does not know how to handle xauth(1) cookies. If
# UsePrivilegeSeparation is specified, it will be disabled after
# authentication.
# The default is “no”.
#UseLogin no
#-----------------------------
# Cryptography
#-----------------------------
{% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 12 %}
# RequiredRSASize
#
# Specifies the minimum RSA key size (in bits) that sshd(8) will accept. User and host-based
# authentication keys smaller than this limit will be refused.
#
# The default is 1024 bits.
#
# Note that this limit may only be raised from the default.
#
{% if (sshd_required_rsa_size is defined) and sshd_required_rsa_size %}
RequiredRSASize {{ sshd_required_rsa_size }}
{% else %}
# RequiredRSASize 1024
{% endif %}
{% endif %}
# We use the distribution default values
# ======================================
#-----------------------------
# Logging
#-----------------------------
# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
# The default is AUTH.
SyslogFacility AUTH
# Gives the verbosity level that is used when logging messages from
# sshd(8).
# The default is INFO.
LogLevel INFO
#-----------------------------
# Behavior
#-----------------------------
# Specifies whether the distribution-specified extra version suffix is included
# during initial protocol handshake.
# The default is "yes".
DebianBanner no
# The contents of the specified file are sent to the remote user before
# authentication is allowed.
# By default, no banner is displayed.
#Banner /etc/issue.net
# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
# The default is “yes”.
PrintMotd {{ sshd_print_motd }}
# Specifies what environment variables sent by the client will be copied
# into the session's environ(7).
# The default is not to accept any environment variables.
AcceptEnv LANG LC_*
# Configures an external subsystem (e.g. file transfer daemon).
# By default no subsystems are defined.
{% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 11 %}
{% if sshd_config_sftp.found|int == 0 %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% else %}
#Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}
{% else %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}
# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the
# very same IP address.
# The default is 'yes'.
UseDNS {{ sshd_use_dns }}
# Specifies whether X11 forwarding is permitted. The argument must be
# “yes” or “no”. See sshd_config(5) for further expalnation
# The default is “no”.
#X11Forwarding yes
# Specifies the first display number available for sshd(8)'s X11
# forwarding. This prevents sshd from interfering with real X11 servers.
# The default is 10.
X11DisplayOffset 10
# Specifies whether the system should send TCP keepalive messages to the
# other side. If they are sent, death of the connection or crash of one
# of the machines will be properly noticed. However, this means
# that connections will die if the route is down temporarily, and some
# people find it annoying. On the other hand, if TCP keepalives are not
# sent, sessions may hang indefinitely on the server, leaving 'ghost' users
# and consuming server resources.
#
# The default is “yes” (to send TCP keepalive messages), and the server
# will notice if the network goes down or the client host crashes. This
# avoids infinitely hanging sessions.
TCPKeepAlive yes
#Specifies whether sshd(8) should print the date and time of the last
# user login when a user logs in interactively.
# The default is “yes”.
PrintLastLog yes
# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
# other remote hosts from connecting to forwarded ports.
#
# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
# bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be
# no to force remote port forwardings to be available to the local host only, yes to force
# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
# client to select the address to which the forwarding is bound. The default is no.
GatewayPorts {{ sshd_gateway_ports }}
#-----------------------------
# Kerberos options
#-----------------------------
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#-----------------------------
# GSSAPI options
#-----------------------------
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
{% if ( create_sftp_group is defined) and create_sftp_group %}
#-----------------------------
# Match Blocks
#-----------------------------
Match group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp
Match all
{% endif -%}
{% if (sshd_pasword_auth_user is defined) and sshd_pasword_auth_user %}
#-----------------------------
# Match User for PasswordAuthentication
#-----------------------------
{% for item in sshd_pasword_auth_user %}
Match User {{ item }}
PasswordAuthentication yes
Match all
{% endfor %}
{% endif %}
{% if (sshd_pasword_auth_ip is defined) and sshd_pasword_auth_ip %}
#-----------------------------
# Match IP Address for PasswordAuthentication
#-----------------------------
{% for item in sshd_pasword_auth_ip %}
Match Address {{ item }}
PasswordAuthentication yes
Match all
{% endfor %}
{% endif %}
Reference in New Issue View Git Blame Copy Permalink