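# {{ ansible_managed }}
#
# OpenSSH Server Configuration
#
# OpenSSH versions by distribution:
# Ubuntu 20.04 (Focal): 8.2 | Ubuntu 22.04 (Jammy): 8.9 | Ubuntu 24.04 (Noble): 9.6
# Debian 11 (Bullseye): 8.4 | Debian 12 (Bookworm): 9.2 | Debian 13 (Trixie): 9.9
# EL 8: 8.0 | EL 9: 8.7 | EL 10: 9.8
#
# Version-specific features enabled by this template:
# 8.2+: Include directive
# 8.5+: PerSourceMaxStartups, PerSourceNetBlockSize
# 8.7+: KbdInteractiveAuthentication (replaces ChallengeResponseAuthentication)
# 9.1+: RequiredRSASize
# 9.2+: ChannelTimeout, UnusedConnectionTimeout
# 9.8+: PerSourcePenalties, PerSourcePenaltyExemptList, PAMServiceName
#
# Deprecated options handled:
# ChallengeResponseAuthentication: deprecated alias of KbdInteractiveAuthentication
# since 8.7; the old spelling is only emitted for sshd older than 8.7.
#
# Precedence rule that shapes this whole file: sshd(8) keeps the FIRST value it
# reads for each keyword and ignores later ones. That is why the Include comes
# first (drop-ins win) and why the Match blocks come last (they only narrow).
#

{#
  Detect the OpenSSH version so that directives an older sshd does not know
  are never emitted -- an unknown keyword is a "Bad configuration option"
  error, `sshd -t` fails and the service cannot restart.

  A release that is not listed here falls back to 8.0, which means EVERY
  version-gated hardening option below is silently skipped on it. Add new
  Debian/Ubuntu codenames to the map as they are adopted.
#}
{% set openssh_version_map = {
  'focal': 8.2,
  'jammy': 8.9,
  'noble': 9.6,
  'bullseye': 8.4,
  'bookworm': 9.2,
  'trixie': 9.9,
} %}
{% if ansible_distribution_file_variety == 'Debian' %}
{% set openssh_version = openssh_version_map.get(ansible_distribution_release, 8.0) %}
{% elif ansible_distribution_file_variety == 'RedHat' %}
{% if ansible_distribution_major_version | int >= 10 %}
{% set openssh_version = 9.8 %}
{% elif ansible_distribution_major_version | int >= 9 %}
{% set openssh_version = 8.7 %}
{% else %}
{% set openssh_version = 8.0 %}
{% endif %}
{% else %}
{% set openssh_version = 8.0 %}
{% endif %}

# --- Include directive (OpenSSH 8.2+) ---
# Because this comes first and the first value read wins, ANY drop-in in
# /etc/ssh/sshd_config.d/ overrides the corresponding directive below.
# A package- or cloud-image-supplied drop-in (for example one that sets
# PasswordAuthentication) silently defeats the hardening in this file.
# Audit that directory, or set sshd_include_config_d to false.
{% if openssh_version >= 8.2 and sshd_include_config_d %}
Include /etc/ssh/sshd_config.d/*.conf

{% endif %}
# --- Network ---
Port {{ sshd_port }}
AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# --- Host Keys ---
# Only the listed keys are offered; with an empty list sshd falls back to its
# compiled-in defaults.
{% for key in sshd_host_keys %}
HostKey {{ key }}
{% endfor %}

# --- Ciphers, MACs, and Key Exchange ---
# Each algorithm list is emitted only when set; an unset value keeps the
# sshd defaults for that category.
{% if sshd_ciphers %}
Ciphers {{ sshd_ciphers }}
{% endif %}
{% if sshd_macs %}
MACs {{ sshd_macs }}
{% endif %}
{% if sshd_kex_algorithms %}
KexAlgorithms {{ sshd_kex_algorithms }}
{% endif %}
{% if sshd_host_key_algorithms %}
HostKeyAlgorithms {{ sshd_host_key_algorithms }}
{% endif %}

# --- Minimum RSA key size (OpenSSH 9.1+) ---
# Rejects user and host RSA keys shorter than this many bits.
{% if openssh_version >= 9.1 and sshd_required_rsa_size %}
RequiredRSASize {{ sshd_required_rsa_size }}
{% endif %}

# --- Logging ---
SyslogFacility {{ sshd_syslog_facility }}
LogLevel {{ sshd_log_level }}

# --- Authentication ---
LoginGraceTime {{ sshd_login_grace_time }}
PermitRootLogin {{ sshd_permit_root_login }}
StrictModes {{ sshd_strict_mode }}
MaxAuthTries {{ sshd_max_auth_tries }}
MaxSessions {{ sshd_max_sessions }}

PubkeyAuthentication {{ sshd_pubkey_authentication }}
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

# Host-based authentication
HostbasedAuthentication {{ sshd_hostbased_authentication }}
IgnoreRhosts {{ sshd_ignore_rhosts }}
{% if sshd_ignore_user_known_hosts == "yes" %}
IgnoreUserKnownHosts yes
{% endif %}

# Password and empty password settings
PermitEmptyPasswords {{ sshd_permit_empty_passwords }}
PasswordAuthentication {{ sshd_password_authentication }}

# Keyboard-interactive authentication
# ChallengeResponseAuthentication became a deprecated alias of
# KbdInteractiveAuthentication in OpenSSH 8.7; the pre-8.7 spelling is kept
# for older sshd (EL 8).
# NOTE: with UsePAM yes, keyboard-interactive lets PAM prompt for a password
# even when PasswordAuthentication is no. Key-only login needs BOTH
# PasswordAuthentication and this directive set to no.
{% if openssh_version >= 8.7 %}
KbdInteractiveAuthentication {{ sshd_kbd_interactive_authentication }}
{% else %}
ChallengeResponseAuthentication {{ sshd_kbd_interactive_authentication }}
{% endif %}

# GSSAPI options
GSSAPIAuthentication {{ sshd_gssapi_authentication }}
{% if sshd_gssapi_authentication == "yes" %}
GSSAPICleanupCredentials {{ sshd_gssapi_cleanup_credentials }}
{% endif %}

# PAM
# UsePAM no also skips PAM account and session checks (e.g. locked accounts).
UsePAM {{ sshd_use_pam }}
{% if openssh_version >= 9.8 and sshd_pam_service_name %}
PAMServiceName {{ sshd_pam_service_name }}
{% endif %}

# --- Forwarding ---
AllowAgentForwarding {{ sshd_agent_forwarding }}
AllowTcpForwarding {{ sshd_tcp_forwarding }}
GatewayPorts {{ sshd_gateway_ports }}
X11Forwarding {{ sshd_x11_forwarding }}
{% if sshd_x11_forwarding == "yes" %}
X11DisplayOffset {{ sshd_x11_display_offset }}
X11UseLocalhost yes
{% endif %}
PermitTunnel {{ sshd_permit_tunnel }}
# Environment processing lets users bypass restricted environments (e.g. via
# LD_PRELOAD); keep this "no" unless a specific need is documented.
PermitUserEnvironment {{ sshd_permit_user_environment }}

# --- Connection Settings ---
TCPKeepAlive {{ sshd_tcp_keep_alive }}
{% if sshd_client_alive_interval | int > 0 %}
ClientAliveInterval {{ sshd_client_alive_interval }}
ClientAliveCountMax {{ sshd_client_alive_count_max }}
{% endif %}
MaxStartups {{ sshd_max_startups }}

# --- Per-source rate limiting (OpenSSH 8.5+) ---
{% if openssh_version >= 8.5 %}
{% if sshd_per_source_max_startups %}
PerSourceMaxStartups {{ sshd_per_source_max_startups }}
{% endif %}
{% if sshd_per_source_net_block_size %}
PerSourceNetBlockSize {{ sshd_per_source_net_block_size }}
{% endif %}
{% endif %}

# --- Penalty-based rate limiting (OpenSSH 9.8+) ---
# Emitted only when the detected version is >= 9.8: EL 10 and Debian Trixie
# with the map above. Ubuntu releases newer than Noble are NOT in the version
# map and fall back to 8.0, so these directives are skipped there until the
# codename is added.
{% if openssh_version >= 9.8 %}
{% if sshd_per_source_penalties %}
PerSourcePenalties {{ sshd_per_source_penalties }}
{% endif %}
{% if sshd_per_source_penalty_exempt_list %}
PerSourcePenaltyExemptList {{ sshd_per_source_penalty_exempt_list }}
{% endif %}
{% endif %}

# --- Timeouts (OpenSSH 9.2+) ---
{% if openssh_version >= 9.2 %}
{% if sshd_channel_timeout %}
ChannelTimeout {{ sshd_channel_timeout }}
{% endif %}
{% if sshd_unused_connection_timeout %}
UnusedConnectionTimeout {{ sshd_unused_connection_timeout }}
{% endif %}
{% endif %}

# --- Display ---
PrintMotd {{ sshd_print_motd }}
PrintLastLog {{ sshd_print_last_log }}
# Banner is emitted only when set: a bare "Banner" with no path is a fatal
# "missing file name" parse error that breaks sshd -t and the next restart.
# Use the value "none" to disable the banner explicitly.
{% if sshd_banner_path %}
Banner {{ sshd_banner_path }}
{% endif %}

# --- DNS ---
# "no" avoids a reverse lookup per connection; hostnames in authorized_keys
# from= options and Match Host then no longer work, addresses still do.
UseDNS {{ sshd_use_dns }}

# --- Environment ---
# Accepted client variables reach the user's session unfiltered; some can be
# used to bypass restricted environments, so keep this list minimal.
AcceptEnv {{ sshd_acceptenv }}

# --- Subsystems ---
{% if sshd_enable_sftp_subsystem %}
{% if ansible_distribution_file_variety == 'RedHat' %}
Subsystem sftp /usr/libexec/openssh/sftp-server
{% else %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}
{% endif %}

# --- Match Blocks ---
# Must stay at the end of the file: every directive after a Match line
# belongs to that block until the next Match.
{% if sshd_enable_sftp_subsystem and sshd_enable_sftp_jail %}
# SFTP chroot jail. sshd refuses the login unless every component of
# ChrootDirectory is a root-owned directory writable by no other user or
# group. With internal-sftp as the ForceCommand no binaries are needed
# inside the jail.
Match Group {{ sshd_sftp_chroot_match_group }}
    ChrootDirectory {{ sshd_sftp_chroot_directory }}
    ForceCommand {{ sshd_sftp_force_command }}
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

{% endif %}
{% for match in sshd_match_blocks %}
Match {{ match.criteria }}
{% for option in match.options %}
{% for key, value in option.items() %}
    {{ key }} {{ value }}
{% endfor %}
{% endfor %}

{% endfor %}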