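{{ ansible_managed | comment }}
# sshd_config rendered by Ansible.
#
# Template variables:
#   openssh_allow_passwords  - bool; when true, password authentication is accepted
#                              as an alternative to public-key authentication
#   openssh_whitelist_users  - list of user names for AllowUsers; falls back to
#                              ['root'] when unset or empty
#   openssh_whitelist_groups - optional list of group names whose members may log in
#                              regardless of AllowUsers (treated as [] when undefined)

# Log through the auth facility. VERBOSE records the fingerprint of the key or
# certificate that authenticated each login, which audit and incident review need.
SyslogFacility AUTH
LogLevel VERBOSE

# Listen on every IPv4 and IPv6 address.
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port 22

# start:rate:full - once 10 unauthenticated connections are pending, drop new ones
# with 30% probability, rising linearly to 100% at 100 pending connections.
MaxStartups 10:30:100

# Host keys, ed25519 listed first.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

# Algorithm selection follows the Mozilla OpenSSH guideline:
# https://infosec.mozilla.org/guidelines/openssh.html
# NOTE: diffie-hellman-group-exchange-sha256 takes its groups from /etc/ssh/moduli.
# The same guideline asks for moduli shorter than 3071 bits to be removed from that
# file; this template does not manage /etc/ssh/moduli, so that step must happen
# elsewhere in the role (or drop the group-exchange KEX).
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# AuthenticationMethods: space-separated entries are alternatives, so
# "password publickey" means either method on its own grants access
# (a comma-joined "publickey,password" would require both in sequence).
# AuthenticationMethods is the effective gate here; PasswordAuthentication is
# left at its default and is only reachable when listed below.
{% if openssh_allow_passwords %}
AuthenticationMethods password publickey
UsePAM yes
{% else %}
AuthenticationMethods publickey
# With UsePAM off, PAM account and session modules are not consulted for ssh
# logins either (no pam_access, pam_limits, etc.).
UsePAM no
{% endif %}

# Certificate authentication: user certificates signed by the CA below are accepted.
# AuthorizedPrincipalsFile is a single shared path (no %u token), so the same
# principal list applies to every account: a certificate carrying any principal
# named in that file is valid for any user that AllowUsers permits. Use a per-user
# path (e.g. one containing %u) if principals are meant to be account-specific.
# AuthorizedKeysFile is not set, so the sshd default (~/.ssh/authorized_keys) is
# still honoured alongside certificates.
TrustedUserCAKeys /etc/ssh/users_ca.pub
AuthorizedPrincipalsFile /etc/ssh/authorized_principals

# Refuse logins when home/.ssh/authorized_keys are group- or world-writable.
StrictModes yes
# "without-password" is the pre-OpenSSH-7.0 spelling of prohibit-password: root may
# log in with a key or certificate only, never with a password. Kept for
# compatibility with older sshd versions.
PermitRootLogin without-password
# No ~/.ssh/rc and no client-supplied environment (environment= key options,
# SendEnv beyond AcceptEnv below) - both are classic ways to run code on login.
PermitUserRC no
PermitUserEnvironment no
AllowAgentForwarding no
# Port forwarding stays enabled for all permitted users; tighten with
# PermitOpen or a Match block if only some accounts need it.
AllowTcpForwarding yes
X11Forwarding no
PermitTTY yes
PermitTunnel no
# Do not append the distribution banner to the protocol version string.
VersionAddendum none
PrintLastLog yes
PrintMotd yes
TCPKeepAlive yes
# Skip reverse DNS on connect (faster, and not a security control).
UseDNS no
AcceptEnv LANG LC_*

# Debian-family sftp-server path; the subsystem logs to AUTHPRIV at INFO.
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO

# Global user allow-list. Everyone not listed here (and not covered by a Match
# block below) is refused before authentication. The second default() argument
# makes an empty list fall back to ['root'] as well.
AllowUsers {{ openssh_whitelist_users | default(['root'], true) | join(' ') }}

# Match blocks must remain at the end of the file: every directive after a Match
# line belongs to that block. Members of each whitelisted group bypass the global
# AllowUsers list. default([]) keeps the template rendering when the variable is
# undefined - undefined variables are errors under Ansible's default settings,
# which was the only case the users line above already handled.
{% for group in openssh_whitelist_groups | default([]) %}
Match group {{ group }}
AllowUsers *
{% endfor %}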