summaryrefslogtreecommitdiff
path: root/data/templates/ssh/sshd_config.j2
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-04-14 21:34:52 +0200
committerChristian Poessinger <christian@poessinger.com>2022-04-14 21:34:52 +0200
commitdbfc2add3434638628b43ecfa097fbd166c85db7 (patch)
treeab219e511f48223fe18168e4bd9c3f4a1854c346 /data/templates/ssh/sshd_config.j2
parentb0acc3a58f75f01ff19dbc9544e681cfc9d50c8e (diff)
downloadvyos-1x-dbfc2add3434638628b43ecfa097fbd166c85db7.tar.gz
vyos-1x-dbfc2add3434638628b43ecfa097fbd166c85db7.zip
ssh: T4353: fix Jinja2 linting errors
Diffstat (limited to 'data/templates/ssh/sshd_config.j2')
-rw-r--r--data/templates/ssh/sshd_config.j298
1 files changed, 98 insertions, 0 deletions
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
new file mode 100644
index 000000000..e7dbca581
--- /dev/null
+++ b/data/templates/ssh/sshd_config.j2
@@ -0,0 +1,98 @@
+### Autogenerated by ssh.py ###
+
+# https://linux.die.net/man/5/sshd_config
+
+#
+# Non-configurable defaults
+#
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+SyslogFacility AUTH
+LoginGraceTime 120
+StrictModes yes
+PubkeyAuthentication yes
+IgnoreRhosts yes
+HostbasedAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+Banner /etc/issue.net
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+PermitRootLogin no
+PidFile /run/sshd/sshd.pid
+AddressFamily any
+DebianBanner no
+
+#
+# User configurable section
+#
+
+# Look up remote host name and check that the resolved host name for the remote IP
+# address maps back to the very same IP address.
+UseDNS {{ "no" if disable_host_validation is vyos_defined else "yes" }}
+
+# Specifies the port number that sshd(8) listens on
+{% for value in port %}
+Port {{ value }}
+{% endfor %}
+
+# Gives the verbosity level that is used when logging messages from sshd
+LogLevel {{ loglevel | upper }}
+
+# Specifies whether password authentication is allowed
+PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
+
+{% if listen_address is vyos_defined %}
+# Specifies the local addresses sshd should listen on
+{% for address in listen_address %}
+ListenAddress {{ address }}
+{% endfor %}
+{% endif %}
+
+{% if ciphers is vyos_defined %}
+# Specifies the ciphers allowed for protocol version 2
+Ciphers {{ ciphers | join(',') }}
+{% endif %}
+
+{% if mac is vyos_defined %}
+# Specifies the available MAC (message authentication code) algorithms
+MACs {{ mac | join(',') }}
+{% endif %}
+
+{% if key_exchange is vyos_defined %}
+# Specifies the available Key Exchange algorithms
+KexAlgorithms {{ key_exchange | join(',') }}
+{% endif %}
+
+{% if access_control is vyos_defined %}
+{% if access_control.allow.user is vyos_defined %}
+# If specified, login is allowed only for user names that match
+AllowUsers {{ access_control.allow.user | join(' ') }}
+{% endif %}
+{% if access_control.allow.group is vyos_defined %}
+# If specified, login is allowed only for users whose primary group or supplementary group list matches
+AllowGroups {{ access_control.allow.group | join(' ') }}
+{% endif %}
+{% if access_control.deny.user is vyos_defined %}
+# Login is disallowed for user names that match
+DenyUsers {{ access_control.deny.user | join(' ') }}
+{% endif %}
+{% if access_control.deny.group is vyos_defined %}
+# Login is disallowed for users whose primary group or supplementary group list matches
+DenyGroups {{ access_control.deny.group | join(' ') }}
+{% endif %}
+{% endif %}
+
+{% if client_keepalive_interval is vyos_defined %}
+# Sets a timeout interval in seconds after which if no data has been received from the client,
+# sshd(8) will send a message through the encrypted channel to request a response from the client
+ClientAliveInterval {{ client_keepalive_interval }}
+{% endif %}