75 lines
2.1 KiB
Text
75 lines
2.1 KiB
Text
# TCP port to bind to
|
|
# Change to a high/odd port if this server is exposed to the internet directly
|
|
Port {{ ssh_port }}
|
|
|
|
AllowUsers {% if ansible_hostname in pve_hosts %}{{ user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if ansible_hostname in nebula.clients %}{{ user }}@{{ nebula.cidr }}{% endif %}
|
|
|
|
# Bind to all interfaces (change to specific interface if needed)
|
|
ListenAddress 0.0.0.0
|
|
|
|
# Force SSHv2 Protocol
|
|
Protocol 2
|
|
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
|
|
# Public key authentication + Password authentication
|
|
# Two-Factor Authentication in OpenSSH v6.2+
|
|
PubkeyAuthentication yes
|
|
AuthenticationMethods publickey
|
|
|
|
# Disable root SSH access
|
|
PermitRootLogin no
|
|
|
|
# Client timeout
|
|
ClientAliveInterval 60
|
|
ClientAliveCountMax 100
|
|
|
|
# Compression (only after authentication)
|
|
Compression delayed
|
|
|
|
# Logging
|
|
SyslogFacility AUTH
|
|
LogLevel INFO
|
|
|
|
# Authentication must happen within 30 seconds
|
|
LoginGraceTime 30
|
|
|
|
PermitEmptyPasswords no
|
|
|
|
# Check user folder permissions before allowing access
|
|
StrictModes yes
|
|
|
|
# Message Authentication Code (Hash, only SHA2-512)
|
|
# SHA-256 included for compat with PuTTY-WinCrypt clients
|
|
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
|
|
|
|
# Ciphers (only secure AES-256)
|
|
Ciphers aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
|
|
|
|
# Key Exchange algorithms (Elliptic Curve Diffie-Hellman)
|
|
# DH-SHA-256 included for compat with PuTTY-WinCrypt clients
|
|
KexAlgorithms diffie-hellman-group18-sha512,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
|
|
|
|
# Don't read the user's ~/.rhosts and ~/.shosts files
|
|
IgnoreRhosts yes
|
|
|
|
# Disable unused authentication schemes
|
|
HostbasedAuthentication no
|
|
ChallengeResponseAuthentication no
|
|
KerberosAuthentication no
|
|
GSSAPIAuthentication no
|
|
UsePAM no
|
|
|
|
# X11 support
|
|
X11Forwarding no
|
|
|
|
# Don't show Message of the Day
|
|
PrintMotd yes
|
|
|
|
# TCPKeepAlive (non-tunneled, disabled)
|
|
TCPKeepAlive no
|
|
|
|
# Allow client to pass locale environment variables
|
|
AcceptEnv LANG LC_*
|
|
|
|
Subsystem sftp internal-sftp
|