blob: 32f7e23e73b91a90102dc9dbb775c62ea317db1d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
### Autogenerated by service_ssh.py ###
# https://linux.die.net/man/5/sshd_config
#
# Non-configurable defaults
#
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LoginGraceTime 120
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
Banner /etc/issue.net
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PermitRootLogin no
PidFile /run/sshd/sshd.pid
AddressFamily any
DebianBanner no
KbdInteractiveAuthentication no
#
# User configurable section
#
# Look up remote host name and check that the resolved host name for the remote IP
# address maps back to the very same IP address.
UseDNS {{ "no" if disable_host_validation is vyos_defined else "yes" }}
# Specifies the port number that sshd(8) listens on
{% for value in port %}
Port {{ value }}
{% endfor %}
# Gives the verbosity level that is used when logging messages from sshd
LogLevel {{ loglevel | upper }}
# Specifies whether password authentication is allowed
PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
{% if listen_address is vyos_defined %}
# Specifies the local addresses sshd should listen on
{% for address in listen_address %}
ListenAddress {{ address }}
{% endfor %}
{% endif %}
{% if cipher is vyos_defined %}
# Specifies allowed ciphers for protocol version 2
Ciphers {{ cipher | join(',') }}
{% endif %}
{% if hostkey_algorithm is vyos_defined %}
# Specifies the available Host Key signature algorithms
HostKeyAlgorithms {{ hostkey_algorithm | join(',') }}
{% endif %}
{% if pubkey_accepted_algorithm is vyos_defined %}
# Specifies the available PubKey signature algorithms
PubkeyAcceptedAlgorithms {{ pubkey_accepted_algorithm | join(',') }}
{% endif %}
{% if fido is vyos_defined %}
{% set configured_pubkey_options = [] %}
{% if fido.pin_required is vyos_defined %}
{% do configured_pubkey_options.append('verify-required') %}
{% endif %}
{% if fido.touch_required is vyos_defined %}
{% do configured_pubkey_options.append('touch-required') %}
{% endif %}
{% if configured_pubkey_options | length > 0 %}
# Sets one or more public key authentication options.
PubkeyAuthOptions {{ configured_pubkey_options | join(' ') }}
{% endif %}
{% endif %}
{% if mac is vyos_defined %}
# Specifies the available MAC (message authentication code) algorithms
MACs {{ mac | join(',') }}
{% endif %}
{% if key_exchange is vyos_defined %}
# Specifies the available Key Exchange algorithms
KexAlgorithms {{ key_exchange | join(',') }}
{% endif %}
{% if access_control is vyos_defined %}
{% if access_control.allow.user is vyos_defined %}
# If specified, login is allowed only for user names that match
AllowUsers {{ access_control.allow.user | join(' ') }}
{% endif %}
{% if access_control.allow.group is vyos_defined %}
# If specified, login is allowed only for users whose primary group or supplementary group list matches
AllowGroups {{ access_control.allow.group | join(' ') }}
{% endif %}
{% if access_control.deny.user is vyos_defined %}
# Login is disallowed for user names that match
DenyUsers {{ access_control.deny.user | join(' ') }}
{% endif %}
{% if access_control.deny.group is vyos_defined %}
# Login is disallowed for users whose primary group or supplementary group list matches
DenyGroups {{ access_control.deny.group | join(' ') }}
{% endif %}
{% endif %}
{% if client_keepalive_interval is vyos_defined %}
# Sets a timeout interval in seconds after which if no data has been received from the client,
# sshd(8) will send a message through the encrypted channel to request a response from the client
ClientAliveInterval {{ client_keepalive_interval }}
{% endif %}
{% if rekey.data is vyos_defined %}
RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }}
{% endif %}
{% if trusted_user_ca is vyos_defined %}
# Specifies a file containing public keys of certificate authorities that are
# trusted to sign user certificates for authentication
TrustedUserCAKeys {{ get_default_config_file('sshd_user_ca') }}
# The default is "none", i.e. not to use a principals file - in this case, the
# username of the user must appear in a certificate's principals list for it
# to be accepted. ".ssh/authorized_principals" means a per-user configuration,
# relative to $HOME.
{% set filename = 'none' %}
{% if has_principals is vyos_defined %}
{% set filename = '.ssh/authorized_principals' %}
{% endif %}
AuthorizedPrincipalsFile {{ filename }}
{% endif %}
|