Diffstat (limited to 'data/templates/ssh')
-rw-r--r-- | data/templates/ssh/override.conf.tmpl | 11 | ||||
-rw-r--r-- | data/templates/ssh/sshd_config.tmpl | 114 |
2 files changed, 125 insertions, 0 deletions
diff --git a/data/templates/ssh/override.conf.tmpl b/data/templates/ssh/override.conf.tmpl
new file mode 100644
index 000000000..843aa927b
--- /dev/null
+++ b/data/templates/ssh/override.conf.tmpl
@@ -0,0 +1,11 @@
+{% set vrf_command = '/sbin/ip vrf exec ' + vrf + ' ' if vrf is defined else '' %}
+[Unit]
+StartLimitIntervalSec=0
+After=vyos-router.service
+ConditionPathExists={{config_file}}
+
+[Service]
+ExecStart=
+ExecStart={{vrf_command}}/usr/sbin/sshd -f {{config_file}} -D $SSHD_OPTS
+RestartSec=10
+
diff --git a/data/templates/ssh/sshd_config.tmpl b/data/templates/ssh/sshd_config.tmpl
new file mode 100644
index 000000000..4fde24255
--- /dev/null
+++ b/data/templates/ssh/sshd_config.tmpl
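Review bot: The `vrf` value and `config_file` path are interpolated into the `ExecStart=` line with no escaping, and systemd both splits that line on whitespace and expands `%` specifiers, so a VRF name containing either would change the command that is run as root. Presumably the VRF name is validated by the configuration layer before the template is rendered, but nothing in the template itself guards it; a comment stating that contract would help, e.g. `{# vrf and config_file are trusted: no whitespace, quotes or '%' (systemd specifiers) #}`. Note also that `StartLimitIntervalSec=0` disables systemd's restart rate-limiting, so a broken generated config will make sshd restart every `RestartSec=10` seconds indefinitely rather than fail into a stopped state.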
@@ -0,0 +1,114 @@
+### Autogenerated by ssh.py ###
+
+# https://linux.die.net/man/5/sshd_config
+
+#
+# Non-configurable defaults
+#
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+SyslogFacility AUTH
+LoginGraceTime 120
+StrictModes yes
+PubkeyAuthentication yes
+IgnoreRhosts yes
+HostbasedAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+Banner /etc/issue.net
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+PermitRootLogin no
+
+#
+# User configurable section
+#
+
+# Look up remote host name and check that the resolved host name for the remote IP
+# address maps back to the very same IP address.
+UseDNS {{ "no" if disable_host_validation is defined else "yes" }}
+
+# Specifies the port number that sshd(8) listens on
+{% if port is string %}
+Port {{ port }}
+{% else %}
+{% for value in port %}
+Port {{ value }}
+{% endfor %}
+{% endif %}
+
+# Gives the verbosity level that is used when logging messages from sshd
+LogLevel {{ loglevel | upper }}
+
+# Specifies whether password authentication is allowed
+PasswordAuthentication {{ "no" if disable_password_authentication is defined else "yes" }}
+
+{% if listen_address %}
+# Specifies the local addresses sshd should listen on
+{% if listen_address is string %}
+ListenAddress {{ listen_address }}
+{% else %}
+{% for address in listen_address %}
+ListenAddress {{ address }}
+{% endfor %}
+{% endif %}
+{% endif %}
+
+{% if ciphers %}
+# Specifies the ciphers allowed for protocol version 2
+{% set value = ciphers if ciphers is string else ciphers | join(',') %}
+Ciphers {{ value }}
+{% endif %}
+
+{% if mac %}
+# Specifies the available MAC (message authentication code) algorithms
+{% set value = mac if mac is string else mac | join(',') %}
+MACs {{ value }}
+{% endif %}
+
+{% if key_exchange %}
+# Specifies the available Key Exchange algorithms
+{% set value = key_exchange if key_exchange is string else key_exchange | join(',') %}
+KexAlgorithms {{ value }}
+{% endif %}
+
+{% if access_control is defined %}
+{% if access_control.allow is defined %}
+{% if access_control.allow.user is defined %}
+# If specified, login is allowed only for user names that match
+{% set value = access_control.allow.user if access_control.allow.user is string else access_control.allow.user | join(' ') %}
+AllowUsers {{ value }}
+{% endif %}
+{% if access_control.allow.group is defined %}
+# If specified, login is allowed only for users whose primary group or supplementary group list matches
+{% set value = access_control.allow.group if access_control.allow.group is string else access_control.allow.group | join(' ') %}
+AllowGroups {{ value }}
+{% endif %}
+{% endif %}
+{% if access_control.deny is defined %}
+{% if access_control.deny.user is defined %}
+# Login is disallowed for user names that match
+{% set value = access_control.deny.user if access_control.deny.user is string else access_control.deny.user | join(' ') %}
+DenyUsers {{ value }}
+{% endif %}
+{% if access_control.deny.group is defined %}
+# Login is disallowed for users whose primary group or supplementary group list matches
+{% set value = access_control.deny.group if access_control.deny.group is string else access_control.deny.group | join(' ') %}
+DenyGroups {{ value }}
+{% endif %}
+{% endif %}
+{% endif %}
+
+{% if client_keepalive_interval %}
+# Sets a timeout interval in seconds after which if no data has been received from the client,
+# sshd(8) will send a message through the encrypted channel to request a response from the client
+ClientAliveInterval {{ client_keepalive_interval }}
+{% endif %} |
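Review bot: The "non-configurable defaults" block loads `HostKey /etc/ssh/ssh_host_dsa_key`; ssh-dss is a 1024-bit-only, deprecated algorithm that OpenSSH has refused to offer by default since 7.0, so this line either adds the weakest key on the list or, when the file is not present, produces a "Could not load host key" warning on every start. I would drop that line and keep the rsa, ecdsa and ed25519 keys. Two smaller points in the same block: `X11Forwarding yes` is hard-wired for what is a router management service and cannot be turned off by the user section, and the user-supplied `Ciphers`, `MACs` and `KexAlgorithms` lists are emitted verbatim, so an algorithm name sshd does not recognise will stop sshd from starting at all — worth a comment such as `# Values are passed to sshd unchanged; an unknown algorithm name aborts sshd startup` above those sections, or a validation step in ssh.py if there is none.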