65 lines
2.4 KiB
Django/Jinja
65 lines
2.4 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
# See the sshd_config(5) manpage for details
|
|
|
|
# What ports, IPs and protocols we listen for
|
|
Port 22
|
|
# Use these options to restrict which interfaces/protocols sshd will bind to
|
|
#ListenAddress ::
|
|
#ListenAddress 0.0.0.0
|
|
|
|
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
|
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
|
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
|
AcceptEnv XMODIFIERS
|
|
|
|
# Supported HostKey algorithms by order of preference.
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
HostKey /etc/ssh/ssh_host_rsa_key
|
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
|
|
KexAlgorithms curve25519-sha256@libssh.org
|
|
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
|
|
# KeyRegenerationInternal is halved from the default as a precaution (optional). 1800 seconds is 30 minutes.
|
|
KeyRegenerationInterval 1800
|
|
|
|
# Password based logins are disabled - only public key based logins are allowed.
|
|
AuthenticationMethods publickey
|
|
|
|
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
|
|
LogLevel VERBOSE
|
|
|
|
# Root login should not be allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
|
|
#
|
|
# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
|
|
# Additionally, only tools such as systemd and auditd record the process session id.
|
|
# On other OSes, the user session id is not necessarily recorded at all kernel-side.
|
|
# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
|
|
PermitRootLogin yes # but we need it to login from dom0
|
|
|
|
# Use kernel sandbox mechanisms where possible in unprivilegied processes
|
|
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
|
|
UsePrivilegeSeparation sandbox
|
|
|
|
# We need sftp
|
|
Subsystem sftp internal-sftp
|
|
|
|
UsePam yes # needed to create home dirs with an ldap login
|
|
|
|
MaxAuthTries 10
|
|
|
|
{% for i in ssh.config_override|d({}) %}
|
|
{{ i }} {{ ssh.config_override[i] }}
|
|
{% endfor %}
|
|
|
|
# add special rules for users defined in host variables
|
|
|
|
{% for i in ssh.user %}
|
|
Match User {{ i }}
|
|
{% for j in ssh.user[i]|d({}) %}
|
|
{{ j }} {{ ssh.user[i][j] }}
|
|
{% endfor %}
|
|
{% endfor %}
|