ansible-infra/roles/deploy_ssh_server_config/templates/sshd_config.j2
June abc738c9c2
All checks were successful
/ Ansible Lint (push) Successful in 1m33s
flatten the "playbooks" directory for better structure
Because of how Ansible local relative search paths work, the global
"files" and "templates" directories need to be next to the playbooks.
However its not intuitive to look into the playbooks directory to find
the files and templates for a host.
Therefore flatten the playbooks directory to get rid of this confusing
structure.

Also see:
https://docs.ansible.com/ansible/latest/playbook_guide/playbook_pathing.html#resolving-local-relative-paths
2024-12-02 00:48:19 +01:00

97 lines
3.4 KiB
Django/Jinja

# This is the sshd server system-wide configuration file deployed and managed by
# Ansible.
# See sshd_config(5) and the "deploy_ssh_server_config" Ansible role for more
# information.
# This config doesn't set all options and leaves some to the sshd defaults.
# The sshd defaults should be alright, so this config is only really setting
# options in cases where we want to intentionally have an option a certain way
# for some reason or another. For example for hardening, improved loggin, etc.
## Use the HostKey preference, Ciphers and algorithms from Mozillas Modern
## guidelines.
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
## Authentication Settings.
# Require only "publickey" for authentication.
# From Mozillas Modern guidelines.
AuthenticationMethods publickey
# Enable "PubkeyAuthentication" accordingly.
PubkeyAuthentication yes
# Don't do the other authentication types.
PasswordAuthentication no
{# If on Debian 12, use the new keyword (KbdInteractiveAuthentication instead of ChallengeResponseAuthentication). #}
{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
KbdInteractiveAuthentication no
{% else %}
ChallengeResponseAuthentication no
{% endif %}
KerberosAuthentication no
GSSAPIAuthentication no
# Don't allow root login.
PermitRootLogin no
{# If on Debian 12, use the new keyword (KbdInteractiveAuthentication instead of ChallengeResponseAuthentication). #}
{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
# Set this to "yes", but have "PasswordAuthentication" and
# "KbdInteractiveAuthentication" set to "no", to have account and session checks
# run.
{% else %}
# Set this to "yes", but have "PasswordAuthentication" and
# "ChallengeResponseAuthentication" set to "no", to have account and session
# checks run.
{% endif %}
# See "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config" for more
# information.
UsePAM yes
## Miscellaneous Settings.
# X11 forwarding shouldn't be needed.
X11Forwarding no
# Printing this isn't needed.
PrintMotd no
# Print time and date of last login, since that's nice.
PrintLastLog yes
# Disable general environment processing.
PermitUserEnvironment no
# Allow client to pass locale environment variables.
# From "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
AcceptEnv LANG LC_*
# Request response from client after 120 seconds of no communication.
# Taken from "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
ClientAliveInterval 120
## Logging
# Set "LogLevel" to "VERBOSE" to log users key fingerprints on login.
# This is needed for a clear audit track.
# From Mozillas Modern guidelines.
LogLevel VERBOSE
# Enable the sftp subsystem and log properly.
# From Mozillas Modern guidelines and
# "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO