summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--data/templates/ssh/override.conf.tmpl6
-rw-r--r--data/templates/ssh/sshd_config.tmpl53
2 files changed, 24 insertions, 35 deletions
diff --git a/data/templates/ssh/override.conf.tmpl b/data/templates/ssh/override.conf.tmpl
index 5f8f35e89..e4d6f51cb 100644
--- a/data/templates/ssh/override.conf.tmpl
+++ b/data/templates/ssh/override.conf.tmpl
@@ -1,12 +1,12 @@
-{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %}
+{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
[Unit]
StartLimitIntervalSec=0
After=vyos-router.service
-ConditionPathExists={{config_file}}
+ConditionPathExists={{ config_file }}
[Service]
ExecStart=
-ExecStart={{vrf_command}}/usr/sbin/sshd -f {{config_file}} -D $SSHD_OPTS
+ExecStart={{ vrf_command }}/usr/sbin/sshd -f {{ config_file }} -D $SSHD_OPTS
Restart=always
RestartPreventExitStatus=
RestartSec=10
diff --git a/data/templates/ssh/sshd_config.tmpl b/data/templates/ssh/sshd_config.tmpl
index 670cf85a1..d39b47669 100644
--- a/data/templates/ssh/sshd_config.tmpl
+++ b/data/templates/ssh/sshd_config.tmpl
@@ -37,7 +37,7 @@ DebianBanner no
# Look up remote host name and check that the resolved host name for the remote IP
# address maps back to the very same IP address.
-UseDNS {{ "no" if disable_host_validation is defined else "yes" }}
+UseDNS {{ "no" if disable_host_validation is vyos_defined else "yes" }}
# Specifies the port number that sshd(8) listens on
{% for value in port %}
@@ -48,61 +48,50 @@ Port {{ value }}
LogLevel {{ loglevel | upper }}
# Specifies whether password authentication is allowed
-PasswordAuthentication {{ "no" if disable_password_authentication is defined else "yes" }}
+PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
-{% if listen_address is defined and listen_address is not none %}
+{% if listen_address is vyos_defined %}
# Specifies the local addresses sshd should listen on
{% for address in listen_address %}
ListenAddress {{ address }}
{% endfor %}
{% endif %}
-{% if ciphers is defined and ciphers is not none %}
+{% if ciphers is vyos_defined %}
# Specifies the ciphers allowed for protocol version 2
-{% set value = ciphers if ciphers is string else ciphers | join(',') %}
-Ciphers {{ value }}
+Ciphers {{ ciphers | join(',') }}
{% endif %}
-{% if mac is defined and mac is not none %}
+{% if mac is vyos_defined %}
# Specifies the available MAC (message authentication code) algorithms
-{% set value = mac if mac is string else mac | join(',') %}
-MACs {{ value }}
+MACs {{ mac | join(',') }}
{% endif %}
-{% if key_exchange is defined and key_exchange is not none %}
+{% if key_exchange is vyos_defined %}
# Specifies the available Key Exchange algorithms
-{% set value = key_exchange if key_exchange is string else key_exchange | join(',') %}
-KexAlgorithms {{ value }}
+KexAlgorithms {{ key_exchange | join(',') }}
{% endif %}
-{% if access_control is defined and access_control is not none %}
-{% if access_control.allow is defined and access_control.allow is not none %}
-{% if access_control.allow.user is defined %}
+{% if access_control is vyos_defined %}
+{% if access_control.allow.user is vyos_defined %}
# If specified, login is allowed only for user names that match
-{% set value = access_control.allow.user if access_control.allow.user is string else access_control.allow.user | join(' ') %}
-AllowUsers {{ value }}
-{% endif %}
-{% if access_control.allow.group is defined %}
+AllowUsers {{ access_control.allow.user | join(' ') }}
+{% endif %}
+{% if access_control.allow.group is vyos_defined %}
# If specified, login is allowed only for users whose primary group or supplementary group list matches
-{% set value = access_control.allow.group if access_control.allow.group is string else access_control.allow.group | join(' ') %}
-AllowGroups {{ value }}
-{% endif %}
+AllowGroups {{ access_control.allow.group | join(' ') }}
{% endif %}
-{% if access_control.deny is defined and access_control.deny is not none %}
-{% if access_control.deny.user is defined %}
+{% if access_control.deny.user is vyos_defined %}
# Login is disallowed for user names that match
-{% set value = access_control.deny.user if access_control.deny.user is string else access_control.deny.user | join(' ') %}
-DenyUsers {{ value }}
-{% endif %}
-{% if access_control.deny.group is defined %}
+DenyUsers {{ access_control.deny.user | join(' ') }}
+{% endif %}
+{% if access_control.deny.group is vyos_defined %}
# Login is disallowed for users whose primary group or supplementary group list matches
-{% set value = access_control.deny.group if access_control.deny.group is string else access_control.deny.group | join(' ') %}
-DenyGroups {{ value }}
-{% endif %}
+DenyGroups {{ access_control.deny.group | join(' ') }}
{% endif %}
{% endif %}
-{% if client_keepalive_interval is defined and client_keepalive_interval is not none %}
+{% if client_keepalive_interval is vyos_defined %}
# Sets a timeout interval in seconds after which if no data has been received from the client,
# sshd(8) will send a message through the encrypted channel to request a response from the client
ClientAliveInterval {{ client_keepalive_interval }}