CCCHH/ansible-infra
CCCHH/ansible-infra
3
1
Fork 0
Code Issues 3 Pull requests Wiki Activity Actions
ansible-infra/roles/deploy_ssh_server_config/templates/sshd_config.j2
June f16f8697c2
move roles, files and templates dirs out of playbook dir into root dir 
Because of how Ansible local relative search paths work, the global
"files" and "templates" directories need to be next to the playbooks.
However its not intuitive to look into the "playbooks" directory to find
the files and templates for a host.
Therefore move them out of the "playbooks" directory into the root
directory and add symlinks so everything still works.

Similarly for local roles, they also need to be next to the playbooks.
So for a nicer structure, move the "roles" directory out into the root
directory as well and add a symlink so everything still works.

Also see:
https://docs.ansible.com/ansible/latest/playbook_guide/playbook_pathing.html#resolving-local-relative-paths
https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_reuse_roles.html#storing-and-finding-roles
2024-12-08 02:55:25 +01:00

97 lines
3.4 KiB
Django/Jinja
Raw Blame History

# This is the sshd server system-wide configuration file deployed and managed by
# Ansible.
# See sshd_config(5) and the "deploy_ssh_server_config" Ansible role for more
# information.
# This config doesn't set all options and leaves some to the sshd defaults.
# The sshd defaults should be alright, so this config is only really setting
# options in cases where we want to intentionally have an option a certain way
# for some reason or another. For example for hardening, improved loggin, etc.
## Use the HostKey preference, Ciphers and algorithms from Mozillas Modern
## guidelines.
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
## Authentication Settings.
# Require only "publickey" for authentication.
# From Mozillas Modern guidelines.
AuthenticationMethods publickey
# Enable "PubkeyAuthentication" accordingly.
PubkeyAuthentication yes
# Don't do the other authentication types.
PasswordAuthentication no
{# If on Debian 12, use the new keyword (KbdInteractiveAuthentication instead of ChallengeResponseAuthentication). #}
{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
KbdInteractiveAuthentication no
{% else %}
ChallengeResponseAuthentication no
{% endif %}
KerberosAuthentication no
GSSAPIAuthentication no
# Don't allow root login.
PermitRootLogin no
{# If on Debian 12, use the new keyword (KbdInteractiveAuthentication instead of ChallengeResponseAuthentication). #}
{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
# Set this to "yes", but have "PasswordAuthentication" and
# "KbdInteractiveAuthentication" set to "no", to have account and session checks
# run.
{% else %}
# Set this to "yes", but have "PasswordAuthentication" and
# "ChallengeResponseAuthentication" set to "no", to have account and session
# checks run.
{% endif %}
# See "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config" for more
# information.
UsePAM yes
## Miscellaneous Settings.
# X11 forwarding shouldn't be needed.
X11Forwarding no
# Printing this isn't needed.
PrintMotd no
# Print time and date of last login, since that's nice.
PrintLastLog yes
# Disable general environment processing.
PermitUserEnvironment no
# Allow client to pass locale environment variables.
# From "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
AcceptEnv LANG LC_*
# Request response from client after 120 seconds of no communication.
# Taken from "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
ClientAliveInterval 120
## Logging
# Set "LogLevel" to "VERBOSE" to log users key fingerprints on login.
# This is needed for a clear audit track.
# From Mozillas Modern guidelines.
LogLevel VERBOSE
# Enable the sftp subsystem and log properly.
# From Mozillas Modern guidelines and
# "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
Reference in a new issue View git blame Copy permalink