|
|
|
@ -20,14 +20,19 @@ KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384
|
|
|
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
|
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
|
|
|
|
|
|
|
|
{% if openssh_allow_passwords %}
|
|
|
|
|
AuthenticationMethods password publickey
|
|
|
|
|
UsePAM yes
|
|
|
|
|
{% else %}
|
|
|
|
|
AuthenticationMethods publickey
|
|
|
|
|
UsePAM no
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
TrustedUserCAKeys /etc/ssh/users_ca.pub
|
|
|
|
|
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
|
|
|
|
|
|
|
|
|
|
StrictModes yes
|
|
|
|
|
UsePAM no
|
|
|
|
|
PermitRootLogin yes
|
|
|
|
|
PermitRootLogin without-password
|
|
|
|
|
PermitUserRC no
|
|
|
|
|
PermitUserEnvironment no
|
|
|
|
|
AllowAgentForwarding no
|
|
|
|
@ -43,3 +48,10 @@ UseDNS no
|
|
|
|
|
AcceptEnv LANG LC_*
|
|
|
|
|
|
|
|
|
|
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
|
|
|
|
|
|
|
|
|
|
AllowUsers {{ openssh_whitelist_users | default(['root'], true) | join(' ') }}
|
|
|
|
|
|
|
|
|
|
{% for group in openssh_whitelist_groups %}
|
|
|
|
|
Match group {{ group }}
|
|
|
|
|
AllowUsers *
|
|
|
|
|
{% endfor %}
|
|
|
|
|
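Review bot: `AuthorizedPrincipalsFile /etc/ssh/authorized_principals` is one static file shared by every account, and once this option is set sshd no longer requires the target username to appear in the certificate's principals, so any certificate from the `TrustedUserCAKeys` CA carrying a principal listed in that file can authenticate as any user the `AllowUsers` line admits; a per-account path such as `AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u` keeps principals bound to the account they were issued for. `PermitRootLogin without-password` is the legacy spelling of `prohibit-password`, which says more plainly that only key- or certificate-based root logins remain. In the `{% else %}` branch `UsePAM no` also skips PAM account and session checks, which presumably matters on distributions that rely on them and deserves a template comment. Lines before `Ciphers` and any text after the final `{% endfor %}` are outside this view.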