### Autogenerated by service_ssh.py ### # https://linux.die.net/man/5/sshd_config # # Non-configurable defaults # Protocol 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key SyslogFacility AUTH LoginGraceTime 120 StrictModes yes PubkeyAuthentication yes IgnoreRhosts yes HostbasedAuthentication no PermitEmptyPasswords no X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes Banner /etc/issue.net Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes PermitRootLogin no PidFile /run/sshd/sshd.pid AddressFamily any DebianBanner no KbdInteractiveAuthentication no # # User configurable section # # Look up remote host name and check that the resolved host name for the remote IP # address maps back to the very same IP address. UseDNS {{ "no" if disable_host_validation is vyos_defined else "yes" }} # Specifies the port number that sshd(8) listens on {% for value in port %} Port {{ value }} {% endfor %} # Gives the verbosity level that is used when logging messages from sshd LogLevel {{ loglevel | upper }} # Specifies whether password authentication is allowed PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }} {% if listen_address is vyos_defined %} # Specifies the local addresses sshd should listen on {% for address in listen_address %} ListenAddress {{ address }} {% endfor %} {% endif %} {% if cipher is vyos_defined %} # Specifies allowed ciphers for protocol version 2 Ciphers {{ cipher | join(',') }} {% endif %} {% if hostkey_algorithm is vyos_defined %} # Specifies the available Host Key signature algorithms HostKeyAlgorithms {{ hostkey_algorithm | join(',') }} {% endif %} {% if pubkey_accepted_algorithm is vyos_defined %} # Specifies the available PubKey signature algorithms PubkeyAcceptedAlgorithms {{ pubkey_accepted_algorithm | join(',') }} {% endif %} {% if fido is vyos_defined %} {% set configured_pubkey_options = [] %} {% if fido.pin_required is vyos_defined %} {% do configured_pubkey_options.append('verify-required') %} {% endif %} {% if fido.touch_required is vyos_defined %} {% do configured_pubkey_options.append('touch-required') %} {% endif %} {% if configured_pubkey_options | length > 0 %} # Sets one or more public key authentication options. PubkeyAuthOptions {{ configured_pubkey_options | join(' ') }} {% endif %} {% endif %} {% if mac is vyos_defined %} # Specifies the available MAC (message authentication code) algorithms MACs {{ mac | join(',') }} {% endif %} {% if key_exchange is vyos_defined %} # Specifies the available Key Exchange algorithms KexAlgorithms {{ key_exchange | join(',') }} {% endif %} {% if access_control is vyos_defined %} {% if access_control.allow.user is vyos_defined %} # If specified, login is allowed only for user names that match AllowUsers {{ access_control.allow.user | join(' ') }} {% endif %} {% if access_control.allow.group is vyos_defined %} # If specified, login is allowed only for users whose primary group or supplementary group list matches AllowGroups {{ access_control.allow.group | join(' ') }} {% endif %} {% if access_control.deny.user is vyos_defined %} # Login is disallowed for user names that match DenyUsers {{ access_control.deny.user | join(' ') }} {% endif %} {% if access_control.deny.group is vyos_defined %} # Login is disallowed for users whose primary group or supplementary group list matches DenyGroups {{ access_control.deny.group | join(' ') }} {% endif %} {% endif %} {% if client_keepalive_interval is vyos_defined %} # Sets a timeout interval in seconds after which if no data has been received from the client, # sshd(8) will send a message through the encrypted channel to request a response from the client ClientAliveInterval {{ client_keepalive_interval }} {% endif %} {% if rekey.data is vyos_defined %} RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }} {% endif %} {% if trusted_user_ca is vyos_defined %} # Specifies a file containing public keys of certificate authorities that are # trusted to sign user certificates for authentication TrustedUserCAKeys {{ get_default_config_file('sshd_user_ca') }} # The default is "none", i.e. not to use a principals file - in this case, the # username of the user must appear in a certificate's principals list for it # to be accepted. ".ssh/authorized_principals" means a per-user configuration, # relative to $HOME. {% set filename = 'none' %} {% if has_principals is vyos_defined %} {% set filename = '.ssh/authorized_principals' %} {% endif %} AuthorizedPrincipalsFile {{ filename }} {% endif %}