### Autogenerated by service_ssh.py ###

# https://linux.die.net/man/5/sshd_config
#
# Jinja2 template for the sshd(8) server configuration. The first section is
# fixed. The second is filled in from the template context; an optional
# directive is emitted only when the vyos_defined test passes for its value,
# and when a directive is left out sshd uses its own built-in default.

#
# Non-configurable defaults
#
# Legacy keyword: OpenSSH no longer implements SSH protocol 1.
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
# NOTE(review): DSA (ssh-dss) host keys have been disabled by default since
# OpenSSH 7.0 - confirm this entry is still wanted.
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
# Seconds a connection may stay unauthenticated before sshd drops it.
LoginGraceTime 120
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
# NOTE(review): X11 forwarding is enabled for every deployment and has no
# matching option in the user configurable section; hardening baselines
# usually turn it off where X11 is not needed.
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
Banner /etc/issue.net
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PermitRootLogin no
PidFile /run/sshd/sshd.pid
AddressFamily any
DebianBanner no
# With UsePAM yes, keyboard-interactive authentication can still prompt for a
# password through PAM, so it has to stay off for a rendered
# "PasswordAuthentication no" to be effective.
KbdInteractiveAuthentication no

#
# User configurable section
#

# Look up remote host name and check that the resolved host name for the remote IP
# address maps back to the very same IP address.
# Rendered as "no" only when disable_host_validation is set, otherwise "yes".
UseDNS {{ "no" if disable_host_validation is vyos_defined else "yes" }}

# Specifies the port number that sshd(8) listens on; one Port line per value.
# Keep this ahead of ListenAddress: older sshd_config(5) text applies only the
# Port options given before a ListenAddress that carries no port of its own.
{% for value in port %}
Port {{ value }}
{% endfor %}

# Gives the verbosity level that is used when logging messages from sshd
# (the configured value is upper-cased by the template)
LogLevel {{ loglevel | upper }}

# Specifies whether password authentication is allowed.
# Password logins stay enabled unless disable_password_authentication is set.
PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}

{% if listen_address is vyos_defined %}
# Specifies the local addresses sshd should listen on
{% for address in listen_address %}
ListenAddress {{ address }}
{% endfor %}
{% endif %}

# The algorithm lists that follow are joined with commas exactly as supplied;
# this template does not check the names.
# NOTE(review): presumably they are validated before rendering - confirm,
# since weak or unknown entries would be written to the file unchanged.
{% if ciphers is vyos_defined %}
# Specifies the ciphers allowed for protocol version 2
Ciphers {{ ciphers | join(',') }}
{% endif %}

{% if hostkey_algorithm is vyos_defined %}
# Specifies the available Host Key signature algorithms
HostKeyAlgorithms {{ hostkey_algorithm | join(',') }}
{% endif %}

{% if pubkey_accepted_algorithm is vyos_defined %}
# Specifies the available PubKey signature algorithms
PubkeyAcceptedAlgorithms {{ pubkey_accepted_algorithm | join(',') }}
{% endif %}

{% if mac is vyos_defined %}
# Specifies the available MAC (message authentication code) algorithms
MACs {{ mac | join(',') }}
{% endif %}

{% if key_exchange is vyos_defined %}
# Specifies the available Key Exchange algorithms
KexAlgorithms {{ key_exchange | join(',') }}
{% endif %}

{% if access_control is vyos_defined %}
# Each list is written as space-separated entries. In sshd a match on a Deny
# list rejects the login even when an Allow list also matches.
{% if access_control.allow.user is vyos_defined %}
# If specified, login is allowed only for user names that match
AllowUsers {{ access_control.allow.user | join(' ') }}
{% endif %}
{% if access_control.allow.group is vyos_defined %}
# If specified, login is allowed only for users whose primary group or supplementary group list matches
AllowGroups {{ access_control.allow.group | join(' ') }}
{% endif %}
{% if access_control.deny.user is vyos_defined %}
# Login is disallowed for user names that match
DenyUsers {{ access_control.deny.user | join(' ') }}
{% endif %}
{% if access_control.deny.group is vyos_defined %}
# Login is disallowed for users whose primary group or supplementary group list matches
DenyGroups {{ access_control.deny.group | join(' ') }}
{% endif %}
{% endif %}

{% if client_keepalive_interval is vyos_defined %}
# Sets a timeout interval in seconds after which if no data has been received from the client,
# sshd(8) will send a message through the encrypted channel to request a response from the client
ClientAliveInterval {{ client_keepalive_interval }}
{% endif %}

{% if rekey.data is vyos_defined %}
# Renegotiate the session key after rekey.data megabytes of traffic and, when
# rekey.time is set, after that many minutes. The "M" suffix means megabytes
# in the first field and minutes in the second.
RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }}
{% endif %}

{% if trusted_user_ca_key is vyos_defined %}
# Certificates signed by any CA key in this file are accepted for user login.
# Only the fixed path is written here; the file content is not produced by
# this template.
# NOTE(review): presumably service_ssh.py writes the file - confirm, and keep
# it writable by root only.
TrustedUserCAKeys /etc/ssh/trusted_user_ca_key
{% endif %}