authorbinary <me@rgoncalves.se>2020-11-18 09:40:44 +0100
committerbinary <me@rgoncalves.se>2020-11-18 09:40:44 +0100
commit79610f53d3bdf8b45bbf8acac44b27e2cf296f57 (patch)
tree5769352da6f32e6620af1f88812a41b581687747 /roles
parent99000f116579866bb98254450bae50a6c00f8465 (diff)
downloadinfrastructure-79610f53d3bdf8b45bbf8acac44b27e2cf296f57.tar.gz
Per distribution network rules
Diffstat (limited to 'roles')
-rw-r--r--roles/ssh/templates/sshd_config.j2100
1 files changed, 16 insertions, 84 deletions
diff --git a/roles/ssh/templates/sshd_config.j2 b/roles/ssh/templates/sshd_config.j2
index 4f7f608..a11268e 100644
--- a/roles/ssh/templates/sshd_config.j2
+++ b/roles/ssh/templates/sshd_config.j2
@@ -1,93 +1,25 @@
-# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
+# ssh ~~ /etc/ssh/sshd_config
+# managed by Ansible
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
+# security
PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
+MaxAuthTries 6
+MaxSessions 10
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
+# auth
+AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
ClientAliveInterval 180
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
+{% if ansible_facts["os_family"] == "OpenBSD" or ansible_facts["os_family"] == "Alpine" %}
+Subsystem sftp /usr/libexec/sftp-server
+{% elif ansible_facts["os_family"] == "Debian" %}
+ChallengeResponseAuthentication no
+UsePAM yes
+PrintMotd no
+UsePrivilegeSeparation sandbox
+Subsystem sftp /usr/lib/ssh/sftp-server
+{% endif %}
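Review bot: `ChallengeResponseAuthentication no` only takes effect in the Debian branch, so on OpenBSD and Alpine hosts it stays at its default of yes (the removed stock comment `#ChallengeResponseAuthentication yes` shows that default) and keyboard-interactive logins remain possible even though `PasswordAuthentication no` is set; move that line into the unconditional `# auth` section next to `PasswordAuthentication no`. The Debian branch's `Subsystem sftp /usr/lib/ssh/sftp-server` looks wrong for Debian, where the package ships the binary as `/usr/lib/openssh/sftp-server`, so SFTP would presumably fail there; verify on a Debian host. `UsePrivilegeSeparation sandbox` has been deprecated and ignored by sshd since OpenSSH 7.5, so on current Debian releases it only produces a startup warning and can be dropped. With key-only authentication, `PermitRootLogin prohibit-password` would also state the intended policy more precisely than the unchanged `PermitRootLogin yes`.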