ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
bb57e8e55513f9c3c3fa7804d9abfa49ffb6c281
oopen-server/roles/common/templates/etc/ssh/sshd_config.j2
Christoph a143f30206 update..
2022-11-25 01:07:36 +01:00

502 lines
17 KiB
Django/Jinja
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# *** ---------------------------------------------- ***
# *** ***
# {{ ansible_managed }}
# *** ***
# *** ---------------------------------------------- ***
#-----------------------------
# Daemon
#-----------------------------
# What ports, IPs and protocols we listen for
{% for item in sshd_ports %}
Port {{ item }}
{% endfor %}
# Specifies the local addresses sshd(8) should listen on. The following forms may be used:
#
# ListenAddress host|IPv4_addr|IPv6_addr
# ListenAddress host|IPv4_addr:port
# ListenAddress [host|IPv6_addr]:port
#
# If port is not specified, sshd will listen on the address and all Port options specified. The default
# is to listen on all local addresses. Multiple ListenAddress options are permitted.
#
# ListenAddress ::
# ListenAddress 0.0.0.0
# ListenAddress 159.69.72.24
# ListenAddress 2a01:4f8:231:171f::2
#
{% if (sshd_listen_address is defined) and sshd_listen_address %}
{% for item in sshd_listen_address %}
ListenAddress {{ item }}
{% endfor %}
{% endif %}
# Specifies the protocol versions sshd(8) supports.
# The possible values are 1 , `2' and 1,2.
# The default is 2.
Protocol 2
# HostKeys for protocol version 2
{% for item in sshd_host_keys %}
HostKey {{ item }}
{% endfor %}
# Lifetime and size of ephemeral version 1 server key
#
# Note:
# Deprecated option KeyRegenerationInterval
# Deprecated option ServerKeyBits
#
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Specifies the maximum number of concurrent unauthenticated connections
# to the SSH daemon. See sshd_config(5) for specifiing the three colon
# separated values.
# The default is 10.
#MaxStartups 3
MaxStartups 10:30:100
# Specifies the maximum number of authentication attempts permitted per
# connection.
# The default is 6.
MaxAuthTries 3
# Specifies the maximum number of open sessions permitted per network
# connection.
# The default is 10.
MaxSessions 10
#-----------------------------
# Authentication
#-----------------------------
# Specifies whether sshd(8) separates privileges by creating an unprivileged
# child process to deal with incoming network traffic.
# The default is "yes" (for security).
{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 9) %}
#
# Note: (Release 7.5)
# Deprecated option UsePrivilegeSeparation
# Privilege separation has been on by default for almost 15 years
# sandboxing has been on by default for almost the last five
#
#UsePrivilegeSeparation sandbox
{% else %}
UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
{% endif %}
# The server disconnects after this time if the user has not
# successfully logged in.
# The default is 120 seconds.
LoginGraceTime 120
# Specifies whether root can log in using ssh(1).
# The default is "yes".
# Possible values: yes, no, prohibit-password (or teh older one: without-password)
#PermitRootLogin yes
PermitRootLogin {{ sshd_permit_root_login }}
# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
# desirable because novices sometimes accidentally leave their directory or
# files world-writable. Note that this does not apply to ChrootDirectory,
# whose permissions and ownership are checked unconditionally.
# The default is “yes”.
StrictModes yes
# Specifies whether pure RSA authentication is allowed. This option
# applies to protocol version 1 only.
# The default is “yes”.
#
# Note:
# Deprecated option RSAAuthentication
#
#RSAAuthentication yes
# Specifies whether public key authentication is allowed. Note that this
# option applies to protocol version 2 only.
# The default is “yes”.
PubkeyAuthentication {{ sshd_pubkey_authentication }}
# Specifies the file that contains the public keys that can be used for
# user authentication. The format is described in the AUTHORIZED_KEYS FILE
# FORMAT section of sshd(8).
# AuthorizedKeysFile may contain tokens of the form %T which are substituted
# during connection setup. The following tokens are defined: %% is replaced
# by a literal '%', %h is replaced by the home directory of the user being
# authenticated, and %u is replaced by the username of that user. After
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
# to the user's home directory. Multiple files may be listed, separated by
# whitespace.
# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
#AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysFile {{ sshd_authorized_keys_file }}
# Specifies whether password authentication is allowed.
# Change to no to disable tunnelled clear text passwords
# The default is "yes".
#PasswordAuthentication yes
PasswordAuthentication {{ sshd_password_authentication }}
# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
# The default is “no”.
PermitEmptyPasswords no
# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
# The default is “yes”.
ChallengeResponseAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
#
# Note:
# Deprecated option RhostsRSAAuthentication
#
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# The default is “no”.
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# If specified, login is allowed only for user names that match one of
# the patterns.
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
AllowUsers {{ fact_sshd_allowed_users }}
{% else %}
#AllowUsers back chris sysadm cityslang christoph
{% endif %}
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM {{ sshd_use_pam }}
# Specifies whether login(1) is used for interactive login sessions.
# Note that login(1) is never used for remote command execution.
# Note also, that if this is enabled, X11Forwarding will be disabled
# because login(1) does not know how to handle xauth(1) cookies. If
# UsePrivilegeSeparation is specified, it will be disabled after
# authentication.
# The default is “no”.
#UseLogin no
#-----------------------------
# Cryptography
#-----------------------------
# KexAlgorithms
#
# Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated.
# Alternately if the specified value begins with a + character, then the specified methods will be ap
# pended to the default set instead of replacing them. If the specified value begins with a - charac
# ter, then the specified methods (including wildcards) will be removed from the default set instead of
# replacing them. The supported algorithms are:
#
# curve25519-sha256
# curve25519-sha256@libssh.org
# diffie-hellman-group1-sha1
# diffie-hellman-group14-sha1
# diffie-hellman-group14-sha256
# diffie-hellman-group16-sha512
# diffie-hellman-group18-sha512
# diffie-hellman-group-exchange-sha1
# diffie-hellman-group-exchange-sha256
# ecdh-sha2-nistp256
# ecdh-sha2-nistp384
# ecdh-sha2-nistp521
#
# The default is:
#
# curve25519-sha256,curve25519-sha256@libssh.org,
# ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
# diffie-hellman-group-exchange-sha256,
# diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
# diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
#
# The list of available key exchange algorithms may also be obtained using "ssh -Q kex".
#
{% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
KexAlgorithms {{ fact_sshd_kexalgorithms }}
{% else %}
#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
{% endif %}
# Ciphers
#
# Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins
# with a + character, then the specified ciphers will be appended to the default set instead of replac
# ing them. If the specified value begins with a - character, then the specified ciphers (including
# wildcards) will be removed from the default set instead of replacing them.
#
# The supported ciphers are:
#
# 3des-cbc
# aes128-cbc
# aes192-cbc
# aes256-cbc
# aes128-ctr
# aes192-ctr
# aes256-ctr
# aes128-gcm@openssh.com
# aes256-gcm@openssh.com
# chacha20-poly1305@openssh.com
#
# The default is:
#
# chacha20-poly1305@openssh.com,
# aes128-ctr,aes192-ctr,aes256-ctr,
# aes128-gcm@openssh.com,aes256-gcm@openssh.com
#
# The list of available ciphers may also be obtained using "ssh -Q cipher".
#
{% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
Ciphers {{ fact_sshd_ciphers }}
{% else %}
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
{% endif %}
# MACs
#
# Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for
# data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins
# with a + character, then the specified algorithms will be appended to the default set instead of re
# placing them. If the specified value begins with a - character, then the specified algorithms (in
# cluding wildcards) will be removed from the default set instead of replacing them.
#
# The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac). These are
# considered safer and their use recommended. The supported MACs are:
#
# hmac-md5
# hmac-md5-96
# hmac-sha1
# hmac-sha1-96
# hmac-sha2-256
# hmac-sha2-512
# umac-64@openssh.com
# umac-128@openssh.com
# hmac-md5-etm@openssh.com
# hmac-md5-96-etm@openssh.com
# hmac-sha1-etm@openssh.com
# hmac-sha1-96-etm@openssh.com
# hmac-sha2-256-etm@openssh.com
# hmac-sha2-512-etm@openssh.com
# umac-64-etm@openssh.com
# umac-128-etm@openssh.com
#
# The default is:
#
# umac-64-etm@openssh.com,umac-128-etm@openssh.com,
# hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
# hmac-sha1-etm@openssh.com,
# umac-64@openssh.com,umac-128@openssh.com,
# hmac-sha2-256,hmac-sha2-512,hmac-sha1
#
# The list of available MAC algorithms may also be obtained using "ssh -Q mac".
#
{% if (fact_sshd_macs is defined) and fact_sshd_macs %}
MACs {{ fact_sshd_macs }}
{% else %}
#MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,mac-sha2-256,hmac-sha2-512,hmac-sha1
{% endif %}
# HostKeyAlgorithms
#
# Specifies the host key algorithms that the server offers. The default for this option is:
#
# ecdsa-sha2-nistp256-cert-v01@openssh.com,
# ecdsa-sha2-nistp384-cert-v01@openssh.com,
# ecdsa-sha2-nistp521-cert-v01@openssh.com,
# ssh-ed25519-cert-v01@openssh.com,
# rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
# ssh-rsa-cert-v01@openssh.com,
# ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
# ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
#
# The list of available key types may also be obtained using "ssh -Q key".
{% if (fact_sshd_hostkeyalgorithms is defined) and fact_sshd_hostkeyalgorithms %}
HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }}
{% endif %}
#-----------------------------
# Logging
#-----------------------------
# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
# The default is AUTH.
SyslogFacility AUTH
# Gives the verbosity level that is used when logging messages from
# sshd(8).
# The default is INFO.
LogLevel INFO
#-----------------------------
# Behavior
#-----------------------------
# Specifies whether the distribution-specified extra version suffix is included
# during initial protocol handshake.
# The default is "yes".
DebianBanner no
# The contents of the specified file are sent to the remote user before
# authentication is allowed.
# By default, no banner is displayed.
#Banner /etc/issue.net
# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
# The default is “yes”.
PrintMotd {{ sshd_print_motd }}
# Specifies what environment variables sent by the client will be copied
# into the session's environ(7).
# The default is not to accept any environment variables.
AcceptEnv LANG LC_*
# Configures an external subsystem (e.g. file transfer daemon).
# By default no subsystems are defined.
{% if ansible_facts['distribution_major_version'] | int >= 11 %}
{% if sshd_config_sftp.found|int == 0 %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% else %}
#Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}
{% else %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}
# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the
# very same IP address.
# The default is “yes”.
UseDNS {{ sshd_use_dns }}
# Specifies whether X11 forwarding is permitted. The argument must be
# “yes” or “no”. See sshd_config(5) for further expalnation
# The default is “no”.
#X11Forwarding yes
# Specifies the first display number available for sshd(8)'s X11
# forwarding. This prevents sshd from interfering with real X11 servers.
# The default is 10.
X11DisplayOffset 10
# Specifies whether the system should send TCP keepalive messages to the
# other side. If they are sent, death of the connection or crash of one
# of the machines will be properly noticed. However, this means
# that connections will die if the route is down temporarily, and some
# people find it annoying. On the other hand, if TCP keepalives are not
# sent, sessions may hang indefinitely on the server, leaving “ghost” users
# and consuming server resources.
#
# The default is “yes” (to send TCP keepalive messages), and the server
# will notice if the network goes down or the client host crashes. This
# avoids infinitely hanging sessions.
TCPKeepAlive yes
#Specifies whether sshd(8) should print the date and time of the last
# user login when a user logs in interactively.
# The default is “yes”.
PrintLastLog yes
# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
# other remote hosts from connecting to forwarded ports.
#
# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
# bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be
# no to force remote port forwardings to be available to the local host only, yes to force
# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
# client to select the address to which the forwarding is bound. The default is no.
GatewayPorts {{ sshd_gateway_ports }}
#-----------------------------
# Kerberos options
#-----------------------------
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#-----------------------------
# GSSAPI options
#-----------------------------
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
{% if ( create_sftp_group is defined) and create_sftp_group %}
#-----------------------------
# Match Blocks
#-----------------------------
Match group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp
Match all
{% endif -%}
{% if (sshd_pasword_auth_user is defined) and sshd_pasword_auth_user %}
#-----------------------------
# Match User for PasswordAuthentication
#-----------------------------
{% for item in sshd_pasword_auth_user %}
Match User {{ item }}
PasswordAuthentication yes
Match all
{% endfor %}
{% endif %}
{% if (sshd_pasword_auth_ip is defined) and sshd_pasword_auth_ip %}
#-----------------------------
# Match IP Address for PasswordAuthentication
#-----------------------------
{% for item in sshd_pasword_auth_ip %}
Match Address {{ item }}
PasswordAuthentication yes
Match all
{% endfor %}
{% endif %}
Reference in New Issue View Git Blame Copy Permalink