summaryrefslogtreecommitdiff
path: root/data/templates/ssh/sshd_config.j2
blob: 7e44efae85c6e8a9f0bffe06207265257dcc9038 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
### Autogenerated by service_ssh.py ###

# https://linux.die.net/man/5/sshd_config

#
# Non-configurable defaults
#
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LoginGraceTime 120
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
Banner /etc/issue.net
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PermitRootLogin no
PidFile /run/sshd/sshd.pid
AddressFamily any
DebianBanner no
KbdInteractiveAuthentication no

#
# User configurable section
#

# Look up remote host name and check that the resolved host name for the remote IP
# address maps back to the very same IP address.
UseDNS {{ "no" if disable_host_validation is vyos_defined else "yes" }}

# Specifies the port number that sshd(8) listens on
{% for value in port %}
Port {{ value }}
{% endfor %}

# Gives the verbosity level that is used when logging messages from sshd
LogLevel {{ loglevel | upper }}

# Specifies whether password authentication is allowed
PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}

{% if listen_address is vyos_defined %}
# Specifies the local addresses sshd should listen on
{%     for address in listen_address %}
ListenAddress {{ address }}
{%     endfor %}
{% endif %}

{% if ciphers is vyos_defined %}
# Specifies the ciphers allowed for protocol version 2
Ciphers {{ ciphers | join(',') }}
{% endif %}

{% if hostkey_algorithm is vyos_defined %}
# Specifies the available Host Key signature algorithms
HostKeyAlgorithms {{ hostkey_algorithm | join(',') }}
{% endif %}

{% if pubkey_accepted_algorithm is vyos_defined %}
# Specifies the available PubKey signature algorithms
PubkeyAcceptedAlgorithms {{ pubkey_accepted_algorithm | join(',') }}
{% endif %}

{% if mac is vyos_defined %}
# Specifies the available MAC (message authentication code) algorithms
MACs {{ mac | join(',') }}
{% endif %}

{% if key_exchange is vyos_defined %}
# Specifies the available Key Exchange algorithms
KexAlgorithms {{ key_exchange | join(',') }}
{% endif %}

{% if access_control is vyos_defined %}
{%     if access_control.allow.user is vyos_defined %}
# If specified, login is allowed only for user names that match
AllowUsers {{ access_control.allow.user | join(' ') }}
{%     endif %}
{%     if access_control.allow.group is vyos_defined %}
# If specified, login is allowed only for users whose primary group or supplementary group list matches
AllowGroups {{ access_control.allow.group | join(' ') }}
{%     endif %}
{%     if access_control.deny.user is vyos_defined %}
# Login is disallowed for user names that match
DenyUsers {{ access_control.deny.user | join(' ') }}
{%     endif %}
{%     if access_control.deny.group is vyos_defined %}
# Login is disallowed for users whose primary group or supplementary group list matches
DenyGroups {{ access_control.deny.group | join(' ') }}
{%     endif %}
{% endif %}

{% if client_keepalive_interval is vyos_defined %}
# Sets a timeout interval in seconds after which if no data has been received from the client,
# sshd(8) will send a message through the encrypted channel to request a response from the client
ClientAliveInterval {{ client_keepalive_interval }}
{% endif %}

{% if rekey.data is vyos_defined  %}
RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }}
{% endif %}

{% if trusted_user_ca_key is vyos_defined %}
TrustedUserCAKeys /etc/ssh/trusted_user_ca_key
{% endif %}