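# Standard sshd config of Jannik Beyerstedt
#
# Rendered by Ansible (Jinja2). The {% if %} blocks below depend on the
# ansible_user_id, ansible_os_family and override_os_family variables.
# Posture: SSH-2 only, modern KEX/cipher/MAC sets, public-key authentication
# only, no forwarding of any kind, verbose logging.
# No HostKey lines are given, so sshd uses its compiled-in default key files.
# Validate the rendered file before restarting sshd:  sshd -t -f <file>

# SSH-1 server support was removed in OpenSSH 7.4; there this keyword is
# accepted and ignored, on older servers it is what actually disables SSH-1.
Protocol 2

#Port 4422
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Ciphers and keying

#RekeyLimit default none

# The order below is only the server's preference; OpenSSH negotiates the
# first entry of the *client's* list that the server also offers.
# diffie-hellman-group-exchange-sha256 takes its group from /etc/ssh/moduli;
# remove the small groups there (keep only lines whose size is >= 3071 bits)
# or a client can negotiate a weak DH group.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

# AEAD modes first, then CTR; no CBC ciphers.
# NOTE(review): chacha20-poly1305@openssh.com is affected by the Terrapin
# prefix-truncation attack (CVE-2023-48795); the *-etm MACs are only affected
# together with CBC ciphers, which are not offered here. Terrapin is
# mitigated only when both peers support strict key exchange (OpenSSH >= 9.6);
# on older hosts consider dropping chacha20 from this list.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Encrypt-then-MAC variants first; the plain HMACs stay for older clients.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Logging

#SyslogFacility AUTH
# VERBOSE logs the fingerprint of the key that authenticated, which is what
# lets a login be attributed to a single entry in authorized_keys.
LogLevel VERBOSE

# Authentication:

#LoginGraceTime 2m

{# Root login stays possible only when this play itself runs as root, so
   that rendering the file cannot lock the provisioning account out.
   NOTE(review): ansible_user_id is the account that gathered facts; with
   play-level become that is root even when the SSH login user is not, so
   this branch may be taken on hosts that never need root login --
   confirm against the inventory before relying on it. #}
{% if 'root' == ansible_user_id %}
# prohibit-password (OpenSSH >= 7.0; spell it without-password on older
# releases) admits root only with a key or another non-password method.
# A plain "yes" would silently re-open password logins for root should
# PasswordAuthentication ever be turned back on.
PermitRootLogin prohibit-password
{% else %}
PermitRootLogin no
{% endif %}

#StrictModes yes

# Every key the client offers and the server rejects counts as one failure,
# so clients carrying more than two keys in their agent must pin the right
# one (IdentitiesOnly=yes / -i) or they are disconnected before reaching it.
MaxAuthTries 2
MaxSessions 2

IgnoreRhosts yes

# Password based logins are disabled - only public key based logins are allowed.
# AuthenticationMethods is the enforcing line: it covers root and any
# PAM-provided method regardless of the individual toggles below.
AuthenticationMethods publickey
PasswordAuthentication no
PermitEmptyPasswords no
# Older spelling of KbdInteractiveAuthentication (OpenSSH >= 8.7); both are accepted.
ChallengeResponseAuthentication no

# PAM still runs the account and session stacks (pam_nologin, access limits,
# limits.conf). It cannot add a password path while
# ChallengeResponseAuthentication is off and AuthenticationMethods is publickey.
UsePAM yes

# No forwarding of any kind: this host is a destination, not a jump host.
AllowAgentForwarding no
AllowTcpForwarding no
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed

# Dead-peer detection inside the encrypted channel (TCPKeepAlive probes are
# plain TCP and can be spoofed). ClientAliveCountMax is a no-op while the
# interval is 0, so the interval is set explicitly: a client that stops
# answering is dropped after 2 * 300 s. Idle but reachable sessions are
# unaffected, because their client still answers the probes.
ClientAliveInterval 300
ClientAliveCountMax 2

UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# Allow client to pass locale environment variables
# (the only client-controlled environment while PermitUserEnvironment is off)
AcceptEnv LANG LC_*

# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
# -f/-l are accepted by every OpenSSH sftp-server, so all three branches log.
{# Ansible reports CentOS (and RHEL, Fedora, Rocky, Alma) as os_family
   "RedHat"; "Centos" is kept so an explicit override_os_family still matches. #}
{% set os_family = override_os_family | default(ansible_os_family) %}
{% if os_family in ['Centos', 'RedHat'] %}
Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO
{% elif os_family == 'FreeBSD' %}
Subsystem sftp /usr/libexec/sftp-server -f AUTHPRIV -l INFO
{% else %}
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
{% endif %}

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server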