blob: dbc5c36462b5dceeb1b1b493777acbfb2ff8f0e0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
### Autogenerated by ssh.py ###
# https://linux.die.net/man/5/sshd_config
#
# Non-configurable defaults
#
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LoginGraceTime 120
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
Banner /etc/issue.net
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PermitRootLogin no
#
# User configurable section
#
# Look up remote host name and check that the resolved host name for the remote IP
# address maps back to the very same IP address.
UseDNS {{ "no" if disable_host_validation is defined else "yes" }}
# Specifies the port number that sshd(8) listens on
{% if port is string %}
Port {{ port }}
{% else %}
{% for value in port %}
Port {{ value }}
{% endfor %}
{% endif %}
# Gives the verbosity level that is used when logging messages from sshd
LogLevel {{ loglevel }}
# Specifies whether password authentication is allowed
PasswordAuthentication {{ "no" if disable_password_authentication is defined else "yes" }}
{% if listen_address %}
# Specifies the local addresses sshd should listen on
{% if listen_address is string %}
ListenAddress {{ listen_address }}
{% else %}
{% for address in listen_address %}
ListenAddress {{ address }}
{% endfor %}
{% endif %}
{% endif %}
{% if ciphers %}
# Specifies the ciphers allowed for protocol version 2
{% set value = ciphers if ciphers is string else ciphers | join(',') %}
Ciphers {{ value }}
{% endif %}
{% if mac %}
# Specifies the available MAC (message authentication code) algorithms
{% set value = mac if mac is string else mac | join(',') %}
MACs {{ value }}
{% endif %}
{% if key_exchange %}
# Specifies the available Key Exchange algorithms
{% set value = key_exchange if key_exchange is string else key_exchange | join(',') %}
KexAlgorithms {{ value }}
{% endif %}
{% if access_control is defined %}
{% if access_control.allow is defined %}
{% if access_control.allow.user is defined %}
# If specified, login is allowed only for user names that match
{% set value = access_control.allow.user if access_control.allow.user is string else access_control.allow.user | join(' ') %}
AllowUsers {{ value }}
{% endif %}
{% if access_control.allow.group is defined %}
# If specified, login is allowed only for users whose primary group or supplementary group list matches
{% set value = access_control.allow.group if access_control.allow.group is string else access_control.allow.group | join(' ') %}
AllowGroups {{ value }}
{% endif %}
{% endif %}
{% if access_control.deny is defined %}
{% if access_control.deny.user is defined %}
# Login is disallowed for user names that match
{% set value = access_control.deny.user if access_control.deny.user is string else access_control.deny.user | join(' ') %}
DenyUsers {{ value }}
{% endif %}
{% if access_control.deny.group is defined %}
# Login is disallowed for users whose primary group or supplementary group list matches
{% set value = access_control.deny.group if access_control.deny.group is string else access_control.deny.group | join(' ') %}
DenyGroups {{ value }}
{% endif %}
{% endif %}
{% endif %}
{% if client_keepalive_interval %}
# Sets a timeout interval in seconds after which if no data has been received from the client,
# sshd(8) will send a message through the encrypted channel to request a response from the client
ClientAliveInterval {{ client_keepalive_interval }}
{% endif %}
|