    # Package generated configuration file
    # See the sshd_config(5) manpage for details
    #
    # Ansible/Jinja2 template: the ssh_strong_crypto, ssh_password_auth,
    # ssh_gssapi and ssh_allow_forwarding variables select the crypto,
    # password, GSSAPI and forwarding policy at render time.
    
    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    {# Only when ssh_strong_crypto is set are key exchange, ciphers and MACs
       pinned to the explicit lists below; otherwise the distribution's sshd
       defaults apply, so the host's effective algorithm set depends on the
       installed OpenSSH version. #}
    {% if ssh_strong_crypto %}
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    {% endif %}
    # HostKeys for protocol version 2
    # Only RSA and Ed25519 host keys are offered; no ECDSA/DSA key is loaded.
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    {# deprecated option in buster #}
    {# Emitted only for distribution major versions below 10 (pre-buster),
       where the option is still accepted. #}
    {% if ansible_distribution_major_version|int < 10 %}
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    {% endif %}
    
    # Logging
    SyslogFacility AUTH
    # INFO records accepted and failed authentications; VERBOSE would
    # additionally log the fingerprint of the key used, which is useful
    # for attributing logins to individual authorized keys.
    LogLevel INFO
    
    # Authentication:
    # Seconds the server allows for a client to authenticate before the
    # unauthenticated connection is dropped.
    LoginGraceTime 120
    # Root may log in with a key only, never with a password.
    # "without-password" is the older spelling of "prohibit-password".
    PermitRootLogin without-password
    # Reject logins when the user's home or key files have unsafe ownership/modes.
    StrictModes yes
    
    PubkeyAuthentication yes
    #AuthorizedKeysFile	%h/.ssh/authorized_keys
    
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # similar for protocol version 2
    HostbasedAuthentication no
    #IgnoreUserKnownHosts yes
    
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no
    
    # Change to no to disable tunnelled clear text passwords
    # Password logins are enabled only when ssh_password_auth is set. Note
    # that this template sets no MaxAuthTries or similar limit, so when
    # passwords are on, brute-force throttling must come from elsewhere
    # (PAM, firewall, fail2ban) — TODO confirm the role provides it.
    PasswordAuthentication {{ 'yes' if ssh_password_auth else 'no' }}
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    
    # GSSAPI options
    # GSSAPI (Kerberos ticket based) authentication is toggled by ssh_gssapi;
    # GSSAPICleanupCredentials is left at its default.
    GSSAPIAuthentication {{ 'yes' if ssh_gssapi else 'no' }}
    #GSSAPICleanupCredentials yes
    
    {% if ssh_allow_forwarding %}
    X11Forwarding yes
    X11DisplayOffset 10
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    {% else %}
    X11Forwarding no
    AllowAgentForwarding no
    AllowTcpForwarding no