Diffstat (limited to 'roles/ssh-ldap/templates/sshd_config')
-rw-r--r--roles/ssh-ldap/templates/sshd_config20
1 files changed, 10 insertions, 10 deletions
diff --git a/roles/ssh-ldap/templates/sshd_config b/roles/ssh-ldap/templates/sshd_config
index a6bfa67a..9fffbf14 100644
--- a/roles/ssh-ldap/templates/sshd_config
+++ b/roles/ssh-ldap/templates/sshd_config
@@ -3,7 +3,7 @@
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
-Port 22
+Port {{ sshd_port }}
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
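Review bot: The new `Port {{ sshd_port }}` line has no fallback, so rendering now fails for any host where `sshd_port` is not set, whereas the old template always produced a listening port; if that is not intended, write it as `Port {{ sshd_port | default(22) }}` so hosts without an override keep the previous behaviour. A short comment above the line naming where `sshd_port` is expected to be defined (role defaults or host vars) would also help whoever next runs this role on a new host, though I cannot see from this hunk whether such a default already exists elsewhere in the role.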
@@ -14,11 +14,11 @@ HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
+#UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
+#KeyRegenerationInterval 3600
+#ServerKeyBits 1024
# Logging
SyslogFacility AUTH
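Review bot: The three options are commented out rather than removed and the surrounding comments still describe them as active ("Privilege Separation is turned on for security", "Lifetime and size of ephemeral version 1 server key"), which will mislead the next reader into thinking something was switched off. If the intent is compatibility with newer OpenSSH, where `UsePrivilegeSeparation` is deprecated and the protocol-1 options `KeyRegenerationInterval` and `ServerKeyBits` are no longer accepted, say so in one line, e.g. `# Protocol 1 / privilege-separation options removed in newer OpenSSH; kept for reference only`, or drop the lines and their stale comments entirely. The same applies to the `#RSAAuthentication yes` and `#RhostsRSAAuthentication no` lines in the next hunk.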
@@ -29,14 +29,15 @@ LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
-RSAAuthentication yes
+#RSAAuthentication yes
PubkeyAuthentication yes
+PubkeyAcceptedKeyTypes +ssh-dss
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
+#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
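Review bot: `PubkeyAcceptedKeyTypes +ssh-dss` re-enables DSA user keys globally, which OpenSSH turned off by default because DSA is limited to 1024-bit keys, and the hunk gives no reason or scope for doing so. At minimum add a comment recording why it is needed and when it can go, e.g. `# ssh-dss re-enabled for legacy user keys only; OpenSSH disables it by default - remove once those keys are rotated`. If only specific accounts still present DSA keys, scoping the directive in a `Match User` block at the end of the file would keep the default policy for everyone else; I cannot tell from this hunk which accounts are affected.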
@@ -49,10 +50,9 @@ PermitEmptyPasswords no
# some PAM modules and threads)
ChallengeResponseAuthentication no
-{%if inventory_hostname not in groups['jenkins_slaves']%}
-# Password prompt required for legacy buildslave user
+# Require ssh keys is now a policy. If anything is still relying on
+# an account password it's a bug and needs to be fixed.
PasswordAuthentication no
-{%endif%}
# Kerberos options
#KerberosAuthentication no
@@ -92,7 +92,7 @@ UsePAM yes
AuthorizedKeysCommandUser root
AuthorizedKeysCommand /srv/linaro-git-tools/ssh_keys.py
-AllowGroups {%for group in login_groups%}{{group}} {%endfor%}
+AllowGroups {%for group in login_groups%}{{group}} {%endfor%}{%if local_user_group is defined%}{{ local_user_groupĀ }}{%endif%}
{%if inventory_hostname == '188.40.49.144'%} #x86_64-08
DenyUsers nexus