summaryrefslogtreecommitdiff
path: root/data/templates/ssh/sshd_config.tmpl
blob: 2f2b78a660d8fc722afd6ffe4670bd056066d52c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
### Autogenerated by ssh.py ###

# https://linux.die.net/man/5/sshd_config

#
# Non-configurable defaults
#
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LoginGraceTime 120
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
Banner /etc/issue.net
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PermitRootLogin no
PidFile /run/sshd/sshd.pid
AddressFamily any

#
# User configurable section
#

# Look up remote host name and check that the resolved host name for the remote IP
# address maps back to the very same IP address.
UseDNS {{ "no" if disable_host_validation is defined else "yes" }}

# Specifies the port number that sshd(8) listens on
{% for value in port %}
Port {{ value }}
{% endfor %}

# Gives the verbosity level that is used when logging messages from sshd
LogLevel {{ loglevel | upper }}

# Specifies whether password authentication is allowed
PasswordAuthentication {{ "no" if disable_password_authentication is defined else "yes" }}

{% if listen_address is defined and listen_address is not none %}
# Specifies the local addresses sshd should listen on
{%   for address in listen_address %}
ListenAddress {{ address }}
{%   endfor %}
{% endif %}

{% if ciphers is defined and ciphers is not none %}
# Specifies the ciphers allowed for protocol version 2
{%   set value = ciphers if ciphers is string else ciphers | join(',') %}
Ciphers {{ value }}
{% endif %}

{% if mac is defined and mac is not none %}
# Specifies the available MAC (message authentication code) algorithms
{%   set value = mac if mac is string else mac | join(',') %}
MACs {{ value }}
{% endif %}

{% if key_exchange is defined and key_exchange is not none %}
# Specifies the available Key Exchange algorithms
{%   set value = key_exchange if key_exchange is string else key_exchange | join(',') %}
KexAlgorithms {{ value }}
{% endif %}

{% if access_control is defined and access_control is not none %}
{%   if access_control.allow is defined and access_control.allow is not none %}
{%     if access_control.allow.user is defined %}
# If specified, login is allowed only for user names that match
{%       set value = access_control.allow.user if access_control.allow.user is string else access_control.allow.user | join(' ') %}
AllowUsers {{ value }}
{%     endif %}
{%     if access_control.allow.group is defined %}
# If specified, login is allowed only for users whose primary group or supplementary group list matches
{%       set value = access_control.allow.group if access_control.allow.group is string else access_control.allow.group | join(' ') %}
AllowGroups {{ value }}
{%     endif %}
{%   endif %}
{%   if access_control.deny is defined and access_control.deny is not none %}
{%     if access_control.deny.user is defined %}
# Login is disallowed for user names that match
{%        set value = access_control.deny.user if access_control.deny.user is string else access_control.deny.user | join(' ') %}
DenyUsers {{ value }}
{%     endif %}
{%     if access_control.deny.group is defined %}
# Login is disallowed for users whose primary group or supplementary group list matches
{%        set value = access_control.deny.group if access_control.deny.group is string else access_control.deny.group | join(' ') %}
DenyGroups {{ value }}
{%     endif %}
{%   endif %}
{% endif %}

{% if client_keepalive_interval is defined and client_keepalive_interval is not none %}
# Sets a timeout interval in seconds after which if no data has been received from the client,
# sshd(8) will send a message through the encrypted channel to request a response from the client
ClientAliveInterval {{ client_keepalive_interval }}
{% endif %}