ansible/roles/openssh_server/templates/sshd_config.j2
Jeltz 859a84f69c
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
Fix ssh.yml to handle the case of camelot
2022-02-08 09:38:21 +01:00

57 lines
1.5 KiB
Django/Jinja

{{ ansible_managed | comment }}
SyslogFacility AUTH
LogLevel VERBOSE
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port 22
MaxStartups 10:30:100
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
# https://infosec.mozilla.org/guidelines/openssh.html
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
{% if openssh_allow_passwords %}
AuthenticationMethods password publickey
UsePAM yes
{% else %}
AuthenticationMethods publickey
UsePAM no
{% endif %}
TrustedUserCAKeys /etc/ssh/users_ca.pub
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
StrictModes yes
PermitRootLogin without-password
PermitUserRC no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding yes
X11Forwarding no
PermitTTY yes
PermitTunnel no
VersionAddendum none
PrintLastLog yes
PrintMotd yes
TCPKeepAlive yes
UseDNS no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
AllowUsers {{ openssh_whitelist_users | default(['root'], true) | join(' ') }}
{% for group in openssh_whitelist_groups %}
Match group {{ group }}
AllowUsers *
{% endfor %}