# *** ---------------------------------------------- ***
# *** ***
# {{ ansible_managed }}
# *** ***
# *** ---------------------------------------------- ***
#-----------------------------
# Daemon
#-----------------------------
# What ports, IPs and protocols we listen for
{% for item in sshd_ports %}
Port {{ item }}
{% endfor %}
# Specifies the local addresses sshd(8) should listen on. The following forms may be used:
#
# ListenAddress host|IPv4_addr|IPv6_addr
# ListenAddress host|IPv4_addr:port
# ListenAddress [host|IPv6_addr]:port
#
# If port is not specified, sshd will listen on the address and all Port options specified. The default
# is to listen on all local addresses. Multiple ListenAddress options are permitted.
#
# ListenAddress ::
# ListenAddress 0.0.0.0
# ListenAddress 159.69.72.24
# ListenAddress 2a01:4f8:231:171f::2
#
{% if (sshd_listen_address is defined) and sshd_listen_address %}
{% for item in sshd_listen_address %}
ListenAddress {{ item }}
{% endfor %}
{% endif %}
# Specifies the protocol versions sshd(8) supports.
# The possible values are ‘1’, ‘2’ and ‘1,2’.
# The default is ‘2’.
# Note: sshd dropped protocol 1 support in OpenSSH 7.4; on later releases this keyword is deprecated and ignored.
Protocol 2
# HostKeys for protocol version 2
{% for item in sshd_host_keys %}
HostKey {{ item }}
{% endfor %}
# Lifetime and size of ephemeral version 1 server key
#
# Note:
# Deprecated option KeyRegenerationInterval
# Deprecated option ServerKeyBits
#
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Specifies the maximum number of concurrent unauthenticated connections
# to the SSH daemon. See sshd_config(5) for specifying the three colon
# separated values.
# The default is 10.
#MaxStartups 3
MaxStartups 10:30:100
# Specifies the maximum number of authentication attempts permitted per
# connection.
# The default is 6.
MaxAuthTries 3
# Specifies the maximum number of open sessions permitted per network
# connection.
# The default is 10.
MaxSessions 10
#-----------------------------
# Authentication
#-----------------------------
# Specifies whether sshd(8) separates privileges by creating an unprivileged
# child process to deal with incoming network traffic.
# The default is "yes" (for security).
{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 9) %}
#
# Note: (Release 7.5)
# Deprecated option UsePrivilegeSeparation
# Privilege separation has been on by default for almost 15 years;
# sandboxing has been on by default for almost the last five.
#
#UsePrivilegeSeparation sandbox
{% else %}
UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
{% endif %}
# The server disconnects after this time if the user has not
# successfully logged in.
# The default is 120 seconds.
LoginGraceTime 120
# Specifies whether root can log in using ssh(1).
# The default is "yes".
# Possible values: yes, no, prohibit-password (or the older one: without-password)
#PermitRootLogin yes
PermitRootLogin {{ sshd_permit_root_login }}
# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
# desirable because novices sometimes accidentally leave their directory or
# files world-writable. Note that this does not apply to ChrootDirectory,
# whose permissions and ownership are checked unconditionally.
# The default is “yes”.
StrictModes yes
# Specifies whether pure RSA authentication is allowed. This option
# applies to protocol version 1 only.
# The default is “yes”.
#
# Note:
# Deprecated option RSAAuthentication
#
#RSAAuthentication yes
# Specifies whether public key authentication is allowed. Note that this
# option applies to protocol version 2 only.
# The default is “yes”.
PubkeyAuthentication {{ sshd_pubkey_authentication }}
# Specifies the file that contains the public keys that can be used for
# user authentication. The format is described in the AUTHORIZED_KEYS FILE
# FORMAT section of sshd(8).
# AuthorizedKeysFile may contain tokens of the form %T which are substituted
# during connection setup. The following tokens are defined: %% is replaced
# by a literal '%', %h is replaced by the home directory of the user being
# authenticated, and %u is replaced by the username of that user. After
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
# to the user's home directory. Multiple files may be listed, separated by
# whitespace.
# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
#AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysFile {{ sshd_authorized_keys_file }}
# Specifies whether password authentication is allowed.
# Set this to no to disable tunnelled cleartext passwords.
# The default is "yes".
#PasswordAuthentication yes
PasswordAuthentication {{ sshd_password_authentication }}
# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
# The default is “no”.
PermitEmptyPasswords no
# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
# The default is “yes”.
# Note: renamed KbdInteractiveAuthentication in OpenSSH 8.7; the old name is still accepted as an alias.
ChallengeResponseAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
#
# Note:
# Deprecated option RhostsRSAAuthentication
#
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# The default is “no”.
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# If specified, login is allowed only for user names that match one of
# the patterns.
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
AllowUsers {{ fact_sshd_allowed_users }}
{% else %}
#AllowUsers back chris sysadm cityslang christoph
{% endif %}
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM {{ sshd_use_pam }}
# Specifies whether login(1) is used for interactive login sessions.
# Note that login(1) is never used for remote command execution.
# Note also, that if this is enabled, X11Forwarding will be disabled
# because login(1) does not know how to handle xauth(1) cookies. If
# UsePrivilegeSeparation is specified, it will be disabled after
# authentication.
# The default is “no”.
#UseLogin no
#-----------------------------
# Cryptography
#-----------------------------
# KexAlgorithms
#
# Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated.
# Alternately if the specified value begins with a ‘+’ character, then the specified methods will be
# appended to the default set instead of replacing them. If the specified value begins with a ‘-’
# character, then the specified methods (including wildcards) will be removed from the default set
# instead of replacing them. The supported algorithms are:
#
# curve25519-sha256
# curve25519-sha256@libssh.org
# diffie-hellman-group1-sha1
# diffie-hellman-group14-sha1
# diffie-hellman-group14-sha256
# diffie-hellman-group16-sha512
# diffie-hellman-group18-sha512
# diffie-hellman-group-exchange-sha1
# diffie-hellman-group-exchange-sha256
# ecdh-sha2-nistp256
# ecdh-sha2-nistp384
# ecdh-sha2-nistp521
#
# The default is:
#
# curve25519-sha256,curve25519-sha256@libssh.org,
# ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
# diffie-hellman-group-exchange-sha256,
# diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
# diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
#
# The list of available key exchange algorithms may also be obtained using "ssh -Q kex".
#
{% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
KexAlgorithms {{ fact_sshd_kexalgorithms }}
{% else %}
#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
{% endif %}
# Ciphers
#
# Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins
# with a ‘+’ character, then the specified ciphers will be appended to the default set instead of
# replacing them. If the specified value begins with a ‘-’ character, then the specified ciphers
# (including wildcards) will be removed from the default set instead of replacing them.
#
# The supported ciphers are:
#
# 3des-cbc
# aes128-cbc
# aes192-cbc
# aes256-cbc
# aes128-ctr
# aes192-ctr
# aes256-ctr
# aes128-gcm@openssh.com
# aes256-gcm@openssh.com
# chacha20-poly1305@openssh.com
#
# The default is:
#
# chacha20-poly1305@openssh.com,
# aes128-ctr,aes192-ctr,aes256-ctr,
# aes128-gcm@openssh.com,aes256-gcm@openssh.com
#
# The list of available ciphers may also be obtained using "ssh -Q cipher".
#
{% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
Ciphers {{ fact_sshd_ciphers }}
{% else %}
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
{% endif %}
# MACs
#
# Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for
# data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins
# with a ‘+’ character, then the specified algorithms will be appended to the default set instead of
# replacing them. If the specified value begins with a ‘-’ character, then the specified algorithms
# (including wildcards) will be removed from the default set instead of replacing them.
#
# The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac). These are
# considered safer and their use recommended. The supported MACs are:
#
# hmac-md5
# hmac-md5-96
# hmac-sha1
# hmac-sha1-96
# hmac-sha2-256
# hmac-sha2-512
# umac-64@openssh.com
# umac-128@openssh.com
# hmac-md5-etm@openssh.com
# hmac-md5-96-etm@openssh.com
# hmac-sha1-etm@openssh.com
# hmac-sha1-96-etm@openssh.com
# hmac-sha2-256-etm@openssh.com
# hmac-sha2-512-etm@openssh.com
# umac-64-etm@openssh.com
# umac-128-etm@openssh.com
#
# The default is:
#
# umac-64-etm@openssh.com,umac-128-etm@openssh.com,
# hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
# hmac-sha1-etm@openssh.com,
# umac-64@openssh.com,umac-128@openssh.com,
# hmac-sha2-256,hmac-sha2-512,hmac-sha1
#
# The list of available MAC algorithms may also be obtained using "ssh -Q mac".
#
{% if (fact_sshd_macs is defined) and fact_sshd_macs %}
MACs {{ fact_sshd_macs }}
{% else %}
#MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
{% endif %}
# HostKeyAlgorithms
#
# Specifies the host key algorithms that the server offers. The default for this option is:
#
# ecdsa-sha2-nistp256-cert-v01@openssh.com,
# ecdsa-sha2-nistp384-cert-v01@openssh.com,
# ecdsa-sha2-nistp521-cert-v01@openssh.com,
# ssh-ed25519-cert-v01@openssh.com,
# rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
# ssh-rsa-cert-v01@openssh.com,
# ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
# ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
#
# The list of available key types may also be obtained using "ssh -Q key".
{% if (fact_sshd_hostkeyalgorithms is defined) and fact_sshd_hostkeyalgorithms %}
HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }}
{% endif %}
#-----------------------------
# Logging
#-----------------------------
# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
# The default is AUTH.
SyslogFacility AUTH
# Gives the verbosity level that is used when logging messages from
# sshd(8).
# The default is INFO.
LogLevel INFO
#-----------------------------
# Behavior
#-----------------------------
# Specifies whether the distribution-specified extra version suffix is included
# during initial protocol handshake.
# The default is "yes".
# Note: only Debian/Ubuntu-patched sshd recognizes DebianBanner; an unpatched OpenSSH rejects it as a bad configuration option and will not start.
DebianBanner no
# The contents of the specified file are sent to the remote user before
# authentication is allowed.
# By default, no banner is displayed.
#Banner /etc/issue.net
# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
# The default is “yes”.
PrintMotd {{ sshd_print_motd }}
# Specifies what environment variables sent by the client will be copied
# into the session's environ(7).
# The default is not to accept any environment variables.
AcceptEnv LANG LC_*
# Configures an external subsystem (e.g. file transfer daemon).
# By default no subsystems are defined.
Subsystem sftp /usr/lib/openssh/sftp-server
# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the
# very same IP address.
# The default is “yes”.
UseDNS {{ sshd_use_dns }}
# Specifies whether X11 forwarding is permitted. The argument must be
# “yes” or “no”. See sshd_config(5) for further explanation.
# The default is “no”.
#X11Forwarding yes
# Specifies the first display number available for sshd(8)'s X11
# forwarding. This prevents sshd from interfering with real X11 servers.
# The default is 10.
X11DisplayOffset 10
# Specifies whether the system should send TCP keepalive messages to the
# other side. If they are sent, death of the connection or crash of one
# of the machines will be properly noticed. However, this means
# that connections will die if the route is down temporarily, and some
# people find it annoying. On the other hand, if TCP keepalives are not
# sent, sessions may hang indefinitely on the server, leaving “ghost” users
# and consuming server resources.
#
# The default is “yes” (to send TCP keepalive messages), and the server
# will notice if the network goes down or the client host crashes. This
# avoids infinitely hanging sessions.
TCPKeepAlive yes
# Specifies whether sshd(8) should print the date and time of the last
# user login when a user logs in interactively.
# The default is “yes”.
PrintLastLog yes
# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
# other remote hosts from connecting to forwarded ports.
#
# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
# bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be
# no to force remote port forwardings to be available to the local host only, yes to force
# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
# client to select the address to which the forwarding is bound. The default is no.
GatewayPorts {{ sshd_gateway_ports }}
#-----------------------------
# Kerberos options
#-----------------------------
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#-----------------------------
# GSSAPI options
#-----------------------------
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
{% if ( create_sftp_group is defined) and create_sftp_group %}
#-----------------------------
# Match Blocks
#-----------------------------
#
# Note: ChrootDirectory %h requires the home directory and every path component above it to be
# root-owned and not group- or world-writable; otherwise sshd refuses the login (see sshd_config(5)).
Match group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp
{% endif -%}