diff options
-rw-r--r-- | README.md | 137 |
1 files changed, 55 insertions, 82 deletions
@@ -85,130 +85,103 @@ The following is a list of the currently available variables: - `listen_address` specify the addresses sshd should listen on set this to `['10.0.0.1', '192.168.0.1']` to have it listen on both addresses, or leave it unset to listen on all Default: empty -> results in listening on `0.0.0.0` - - `allowed_users` list of usernames separated by spaces. set this for example to `"foobar root"` to ensure that only user foobar and root might login. Default: empty -> no restriction is set - - `allowed_groups` list of groups separated by spaces. set this for example to `"wheel sftponly"` to ensure that only users in the groups wheel and sftponly might login. Default: empty -> no restriction is set Note: This is set after `allowed_users`, take care of the behaviour if you use these 2 options together. - - `use_pam` if you want to use pam or not for authenticaton. Values: - `no` (default) - `yes` - - `permit_root_login` If you want to allow root logins or not. Valid values: - `yes` - `no` - `without-password` (default) - `forced-commands-only` - - `password_authentication` - If you want to enable password authentication or not. Valid values: `yes` or - `no`; Default: `no` - + If you want to enable password authentication or not. Valid values: + - `yes` + - `no` (default) - `kerberos_authentication` If you want the password that is provided by the user to be validated through the Kerberos KDC. To use this option the server needs a Kerberos servtab which allows the verification of the KDC's identity. Valid values: - `yes` or `no`; Default: `no` - - - `kerberos_orlocalpasswd` - If password authentication through Kerberos fails, then the password will be - validated via any additional local mechanism. Valid values: `yes` or `no`; - Default: `yes` - - - `kerberos_ticketcleanup` - Destroy the user's ticket cache file on logout? Valid values: `yes` or `no`; - Default: `yes` - - - `gssapi_authentication` - Authenticate users based on GSSAPI? Valid values: `yes` or `no`; Default: `no` - - - `gssapi_cleanupcredentials` - Destroy user's credential cache on logout? Valid values: `yes` or `no`; Default: - `yes` - - - `challenge_response_authentication` - If you want to enable ChallengeResponseAuthentication or not When disabled, - s/key passowords are disabled Valid values: `yes` or `no`; Default: `no` - - - `tcp_forwarding` - If you want to enable TcpForwarding. Valid Values: `yes` or `no`; Default: `no` - - - `x11_forwarding` - If you want to enable x11 forwarding. Valid Values: `yes` or `no`; Default: `no` - - - `agent_forwarding` - If you want to allow ssh-agent forwarding. Valid Values: `yes` or `no`; Default: - `no` - - - `pubkey_authentication` - If you want to enable public key authentication. Valid Values: `yes` or `no`; - Default: `yes` - - - `rsa_authentication` - If you want to enable RSA Authentication. Valid Values: `yes` or `no`; Default: - `no` - + - `yes` + - `no` (default) + - `kerberos_orlocalpasswd` If password authentication through Kerberos fails, then the password will be validated via any additional local mechanism. Valid values: + - `yes` (default) + - `no` + - `kerberos_ticketcleanup` Destroy the user's ticket cache file on logout? Valid values: + - `yes` (default) + - `no` + - `gssapi_authentication` Authenticate users based on GSSAPI? Valid values: + - `yes` + - `no` (default) + - `gssapi_cleanupcredentials` Destroy user's credential cache on logout? Valid values: + - `yes` (default) + - `no` + - `challenge_response_authentication` If you want to enable ChallengeResponseAuthentication or not When disabled, s/key passwords are disabled. Valid values: + - `yes` + - `no` (default) + - `tcp_forwarding` If you want to enable TcpForwarding. Valid values: + - `yes` + - `no` (default) + - `x11_forwarding` If you want to enable x11 forwarding. Valid values: + - `yes` + - `no` (default) + - `agent_forwarding` If you want to allow ssh-agent forwarding. Valid values: + - `yes` + - `no` (default) + - `pubkey_authentication` If you want to enable public key authentication. Valid values: + - `yes` (default) + - `no` + - `rsa_authentication` If you want to enable RSA Authentication. Valid values: + - `yes` + - `no` (default) - `rhosts_rsa_authentication` - If you want to enable rhosts RSA Authentication. Valid Values: `yes` or `no`; - Default: `no` - - - `hostbased_authentication` - If you want to enable `HostbasedAuthentication`. Valid Values: `yes` or `no`; - Default: `no` - - - `strict_modes` - If you want to set `StrictModes` (check file modes/ownership before accepting - login). Valid Values: `yes` or `no`; Default: yes - + If you want to enable rhosts RSA Authentication. Valid values: + - `yes` + - `no` (default) + - `hostbased_authentication` If you want to enable `HostbasedAuthentication`. Valid values: + - `yes` + - `no` (default) + - `strict_modes` If you want to set `StrictModes` (check file modes/ownership before accepting login). Valid values: + - `yes` (default) + - `no` - `permit_empty_passwords` If you want enable PermitEmptyPasswords to allow empty passwords. Valid - Values: `yes` or `no`; Default: `no` - - - `ports` - If you want to specify a list of ports other than the default `22`; Default: - `[22]` - + Values: + - `yes` + - `no` (default) + - `ports` If you want to specify a list of ports other than the default `22`; Default: `[22]` - `authorized_keys_file` Set this to the location of the AuthorizedKeysFile (e.g. `/etc/ssh/authorized_keys/%u`). Default: `AuthorizedKeysFile %h/.ssh/authorized_keys` - - `hardened_ssl` Use only strong SSL ciphers and MAC. - Values: `no` or `yes`; Default: `no`. - + Values: + - `no` (default) + - `yes` - `print_motd` Show the Message of the day when a user logs in. - - `sftp_subsystem` Set a different sftp-subystem than the default one. Might be interesting for sftponly usage. Default: empty -> no change of the default - - `head_additional_options` Set this to any additional sshd_options which aren't listed above. Anything set here will be added to the beginning of the sshd_config file. This option might be useful to define complicated Match Blocks. This string is going to be included, like it is defined. So take care! Default: empty -> not added. - - - `tail_additional_options` - - Set this to any additional sshd_options which aren't listed above. Anything - set here will be added to the end of the sshd_config file. This option might - be useful to define complicated Match Blocks. This string is going to be - included, like it is defined. So take care! Default: empty -> not added. - - - `shared_ip` - Whether the server uses a shared network IP address. If it does, then we - don't want it to export an rsa key for its IP address. - Values: `no` or `yes`; Default: `no` + - `tail_additional_options` Set this to any additional sshd_options which aren't listed above. Anything set here will be added to the end of the sshd_config file. This option might be useful to define complicated Match Blocks. This string is going to be included, like it is defined. So take care! Default: empty -> not added. + - `shared_ip` Whether the server uses a shared network IP address. If it does, then we don't want it to export an rsa key for its IP address. Values: + - `no` (default) + - `yes` ### Defines and functions |