Diffstat (limited to 'data/templates/ssh/sshd_config.j2')
-rw-r--r-- | data/templates/ssh/sshd_config.j2 | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
new file mode 100644
index 000000000..e7dbca581
--- /dev/null
+++ b/data/templates/ssh/sshd_config.j2
@@ -0,0 +1,98 @@
+### Autogenerated by ssh.py ###
+
+# https://linux.die.net/man/5/sshd_config
+
+#
+# Non-configurable defaults
+#
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+SyslogFacility AUTH
+LoginGraceTime 120
+StrictModes yes
+PubkeyAuthentication yes
+IgnoreRhosts yes
+HostbasedAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+Banner /etc/issue.net
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+PermitRootLogin no
+PidFile /run/sshd/sshd.pid
+AddressFamily any
+DebianBanner no
+
+#
+# User configurable section
+#
+
+# Look up remote host name and check that the resolved host name for the remote IP
+# address maps back to the very same IP address.
+UseDNS {{ "no" if disable_host_validation is vyos_defined else "yes" }}
+
+# Specifies the port number that sshd(8) listens on
+{% for value in port %}
+Port {{ value }}
+{% endfor %}
+
+# Gives the verbosity level that is used when logging messages from sshd
+LogLevel {{ loglevel | upper }}
+
+# Specifies whether password authentication is allowed
+PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
+
+{% if listen_address is vyos_defined %}
+# Specifies the local addresses sshd should listen on
+{% for address in listen_address %}
+ListenAddress {{ address }}
+{% endfor %}
+{% endif %}
+
+{% if ciphers is vyos_defined %}
+# Specifies the ciphers allowed for protocol version 2
+Ciphers {{ ciphers | join(',') }}
+{% endif %}
+
+{% if mac is vyos_defined %}
+# Specifies the available MAC (message authentication code) algorithms
+MACs {{ mac | join(',') }}
+{% endif %}
+
+{% if key_exchange is vyos_defined %}
+# Specifies the available Key Exchange algorithms
+KexAlgorithms {{ key_exchange | join(',') }}
+{% endif %}
+
+{% if access_control is vyos_defined %}
+{% if access_control.allow.user is vyos_defined %}
+# If specified, login is allowed only for user names that match
+AllowUsers {{ access_control.allow.user | join(' ') }}
+{% endif %}
+{% if access_control.allow.group is vyos_defined %}
+# If specified, login is allowed only for users whose primary group or supplementary group list matches
+AllowGroups {{ access_control.allow.group | join(' ') }}
+{% endif %}
+{% if access_control.deny.user is vyos_defined %}
+# Login is disallowed for user names that match
+DenyUsers {{ access_control.deny.user | join(' ') }}
+{% endif %}
+{% if access_control.deny.group is vyos_defined %}
+# Login is disallowed for users whose primary group or supplementary group list matches
+DenyGroups {{ access_control.deny.group | join(' ') }}
+{% endif %}
+{% endif %}
+
+{% if client_keepalive_interval is vyos_defined %}
+# Sets a timeout interval in seconds after which if no data has been received from the client,
+# sshd(8) will send a message through the encrypted channel to request a response from the client
+ClientAliveInterval {{ client_keepalive_interval }}
+{% endif %} |
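Review bot: The "Non-configurable defaults" block hard-codes `HostKey /etc/ssh/ssh_host_dsa_key` and `X11Forwarding yes`, and nothing in the user-configurable section below lets an operator override either. DSA host keys are fixed at 1024 bits and ssh-dss has been disabled by default since OpenSSH 7.0, so I would drop that HostKey line; X11 forwarding adds attack surface on what is presumably a headless appliance, so `X11Forwarding no` is the safer fixed default. `PasswordAuthentication` also renders `yes` unless `disable_password_authentication` is set, which makes key-only login opt-in; a template comment such as `# Password login stays enabled unless explicitly disabled in the configuration` would make that visible to anyone auditing the generated file. If these lines were carried over unchanged from an earlier template, the same points still apply to the new file.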