diff options
Diffstat (limited to 'roles/ssh/templates/sshd_config.j2')
-rw-r--r-- | roles/ssh/templates/sshd_config.j2 | 100 |
1 files changed, 16 insertions, 84 deletions
diff --git a/roles/ssh/templates/sshd_config.j2 b/roles/ssh/templates/sshd_config.j2 index 4f7f608..a11268e 100644 --- a/roles/ssh/templates/sshd_config.j2 +++ b/roles/ssh/templates/sshd_config.j2 @@ -1,93 +1,25 @@ -# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. +# ssh ~~ /etc/ssh/sshd_config +# managed by Ansible -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key - -# Ciphers and keying -#RekeyLimit default none - -# Logging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m +# security PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#PubkeyAuthentication yes +MaxAuthTries 6 +MaxSessions 10 -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! +# auth +AuthorizedKeysFile .ssh/authorized_keys PasswordAuthentication no PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes -#PrintMotd yes -#PrintLastLog yes -#TCPKeepAlive yes -#PermitUserEnvironment no -#Compression delayed ClientAliveInterval 180 -#ClientAliveCountMax 3 -#UseDNS no -#PidFile /var/run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -#Banner none -# override default of no subsystems -Subsystem sftp /usr/libexec/sftp-server -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server +{% if ansible_facts["os_family"] == "OpenBSD" or ansible_facts["os_family"] == "Alpine" %} +Subsystem sftp /usr/libexec/sftp-server +{% elif ansible_facts["os_family"] == "Debian" %} +ChallengeResponseAuthentication no +UsePAM yes +PrintMotd no +UsePrivilegeSeparation sandbox +Subsystem sftp /usr/lib/ssh/sftp-server +{% endif %} |