Default configurations match Mozilla Modern
This commit is contained in:
parent
ab079d3e26
commit
71e670602c
@ -7,8 +7,6 @@ ssh_address_family: any
|
||||
ssh_listen_addresses:
|
||||
- 0.0.0.0
|
||||
|
||||
ssh_host_key_file: /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
ssh_allow_groups: ssh
|
||||
ssh_login_grace_time: 20
|
||||
ssh_permit_root_login: 'no'
|
||||
@ -20,6 +18,32 @@ ssh_pubkey_authentication: 'yes'
|
||||
|
||||
ssh_authorized_keys_file: .ssh/authorized_keys
|
||||
|
||||
ssh_kexalgorithms:
|
||||
# Mozilla Modern
|
||||
- curve25519-sha256@libssh.org
|
||||
- ecdh-sha2-nistp521
|
||||
- ecdh-sha2-nistp384
|
||||
- ecdh-sha2-nistp256
|
||||
- diffie-hellman-group-exchange-sha256
|
||||
|
||||
ssh_ciphers:
|
||||
# Mozilla Modern
|
||||
- chacha20-poly1305@openssh.com
|
||||
- aes256-gcm@openssh.com
|
||||
- aes128-gcm@openssh.com
|
||||
- aes256-ctr
|
||||
- aes192-ctr
|
||||
- aes128-ctr
|
||||
|
||||
ssh_macs:
|
||||
# Mozilla Modern
|
||||
- hmac-sha2-512-etm@openssh.com
|
||||
- hmac-sha2-256-etm@openssh.com
|
||||
- umac-128-etm@openssh.com
|
||||
- hmac-sha2-512
|
||||
- hmac-sha2-256
|
||||
- umac-128@openssh.com
|
||||
|
||||
ssh_hostbased_authentication: 'no'
|
||||
ssh_password_authentication: 'no'
|
||||
ssh_permit_empty_passwords: 'no'
|
||||
@ -42,3 +66,5 @@ ssh_accept_env:
|
||||
|
||||
ssh_banner: true
|
||||
ssh_banner_file: /etc/issue.net
|
||||
|
||||
ssh_loglevel: "VERBOSE"
|
||||
|
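Review bot: The `ssh_host_key_file` default is dropped from the first hunk, but the template hunk further down appears to read a differently spelled variable, `ssh_hostkey_file`, so an inventory that still sets `ssh_host_key_file` would silently fall through to the hard-coded HostKey lines. Either keep one spelling in both files or document the new name; a commented default next to `ssh_authorized_keys_file`, such as `# ssh_hostkey_file: /etc/ssh/ssh_host_ed25519_key  # optional; unset renders the ed25519/rsa/ecdsa trio`, makes the override discoverable. The three `# Mozilla Modern` comments should also name the guideline revision or date they were copied from, since those lists change between revisions and a reviewer cannot otherwise tell whether the defaults are current.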
@ -6,7 +6,23 @@ AddressFamily {{ ssh_address_family }}
|
||||
ListenAddress {{ a }}
|
||||
{% endfor %}
|
||||
|
||||
HostKey {{ ssh_host_key_file }}
|
||||
{% if ssh_hostkey_file is defined %}
|
||||
HostKey {{ ssh_hostkey_file }}
|
||||
{% else %}
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
{% endif %}
|
||||
|
||||
{% if ssh_kexalgorithms is defined %}
|
||||
KexAlgorithms {% for alg in ssh_kexalgorithms %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
|
||||
{% endif %}
|
||||
{% if ssh_ciphers is defined %}
|
||||
Ciphers {% for alg in ssh_ciphers %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
|
||||
{% endif %}
|
||||
{% if ssh_macs is defined %}
|
||||
MACs {% for alg in ssh_macs %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
AllowGroups {{ ssh_allow_groups }}
|
||||
LoginGraceTime {{ ssh_login_grace_time }}
|
||||
@ -47,8 +63,10 @@ AcceptEnv {{ e }}
|
||||
PermitUserEnvironment no
|
||||
{% endif %}
|
||||
|
||||
LogLevel {{ ssh_loglevel }}
|
||||
|
||||
{% if ansible_facts['os_family'] == 'RedHat' %}
|
||||
Subsystem sftp /usr/libexec/openssh/sftp-server
|
||||
Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO
|
||||
{% elif ansible_facts['os_family'] == 'Debian' %}
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
|
||||
{% endif %}
|
||||
|
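Review bot: The `KexAlgorithms`, `Ciphers` and `MACs` lines in the first template hunk are guarded only by `is defined`, so an inventory that sets one of the lists to `[]` renders a directive with no argument and sshd rejects the generated config at start-up. Guard on a non-empty value and use the join filter instead of the manual comma loop, e.g. `{% if ssh_kexalgorithms | default([]) %}` and `KexAlgorithms {{ ssh_kexalgorithms | join(',') }}`, applied likewise to the two sibling blocks. The `default([])` keeps an undefined variable from raising under strict undefined handling while still skipping the directive for an empty list.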