Diffstat (limited to 'templates/sshd_config/CentOS.erb')
-rw-r--r--templates/sshd_config/CentOS.erb108
1 files changed, 55 insertions, 53 deletions
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 1e060cb..fcaf4d6 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -10,19 +10,20 @@
# possible, but leave them commented. Uncommented options change a
# default value.
-<%- unless sshd_port.to_s.empty? then %>
+<%- unless sshd_port.to_s.empty? then -%>
Port <%= sshd_port %>
-<%- else %>
-Port 22
-<%- end %>
+<%- else -%>
+#Port 22
+<%- end -%>
+#Protocol 2,1
+Protocol 2
+#AddressFamily any
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
-#AddressFamily any
-#Protocol 2,1
-Protocol 2
+
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
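Review bot: `Port <%= sshd_port %>` writes the variable into sshd_config verbatim, and the only check is that the string is non-empty, so a non-numeric or multi-line value becomes a broken or additional directive. Rendering it as `Port <%= Integer(sshd_port.to_s, 10) %>` would make the template fail instead of producing such a file. The same verbatim interpolation applies to `PermitRootLogin` and `AuthorizedKeysFile` in the @@ -42 hunk and to `Subsystem`, `AllowUsers` and `AllowGroups` in the @@ -179 hunk, where an allow-list of expected values or a single-line check would fit better. Where these variables are set is not visible in this diff, so any validation done upstream should be confirmed first.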
@@ -42,49 +43,49 @@ SyslogFacility AUTHPRIV
# Authentication:
#LoginGraceTime 2m
-<%- unless sshd_permit_root_login.to_s.empty? then %>
+<%- unless sshd_permit_root_login.to_s.empty? then -%>
PermitRootLogin <%= sshd_permit_root_login %>
-<%- else %>
+<%- else -%>
PermitRootLogin without-password
-<%- end %>
+<%- end -%>
-<%- if sshd_strict_modes.to_s == 'yes' then %>
+<%- if sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
-<%- else %>
+<%- else -%>
StrictModes no
-<%- end %>
+<%- end -%>
#MaxAuthTries 6
-<%- if sshd_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
-<%- else %>
+<%- else -%>
RSAAuthentication no
-<%- end %>
+<%- end -%>
-<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
+<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
-<%- else %>
+<%- else -%>
PubkeyAuthentication no
-<%- end %>
+<%- end -%>
-<%- unless sshd_authorized_keys_file.to_s.empty? then %>
+<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else %>
+<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end %>
+<%- end -%>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
-<%- else %>
+<%- else -%>
RhostsRSAAuthentication no
<% end -%>
# similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
+<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
-<%- else %>
+<%- else -%>
HostbasedAuthentication no
<% end -%>
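Review bot: The yes/no toggles fall back to `no` for anything that is not exactly the string `yes`, and for `StrictModes` that is the weaker setting: a value such as `Yes` or `true` silently renders `StrictModes no`. `IgnoreRhosts` in the @@ -93 hunk has the same shape. For directives where `yes` is the hardened value, testing for the explicit opt-out keeps the safe default, e.g. `<%- if sshd_strict_modes.to_s == 'no' then -%>` emitting `StrictModes no` and `StrictModes yes` otherwise. The defaults for these variables are set outside this template, so the effect on existing nodes should be checked before changing the condition.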
@@ -93,32 +94,32 @@ HostbasedAuthentication no
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
+<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
IgnoreRhosts yes
-<%- else %>
+<%- else -%>
IgnoreRhosts no
<% end -%>
# To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then %>
+<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
-<%- else %>
+<%- else -%>
PasswordAuthentication no
-<%- end %>
+<%- end -%>
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to no to disable s/key passwords
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
-<%- else %>
+<%- else -%>
ChallengeResponseAuthentication no
-<%- end %>
+<%- end -%>
# Kerberos options
#KerberosAuthentication no
@@ -139,30 +140,30 @@ ChallengeResponseAuthentication no
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
-<%- if sshd_use_pam.to_s == 'yes' then %>
+<%- if sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
-<%- else %>
+<%- else -%>
UsePAM no
-<%- end %>
+<%- end -%>
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
-<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
+<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
-<%- else %>
+<%- else -%>
AllowTcpForwarding no
-<%- end %>
+<%- end -%>
#GatewayPorts no
#X11Forwarding no
-<%- if sshd_x11_forwarding.to_s == 'yes' then %>
+<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
-<%- else %>
+<%- else -%>
X11Forwarding no
-<%- end %>
+<%- end -%>
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
@@ -179,26 +180,27 @@ X11Forwarding no
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
+#ChrootDirectory none
# no default banner path
#Banner /some/path
# override default of no subsystems
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
+<%- if sshd_sftp_subsystem.to_s.empty? then -%>
Subsystem sftp /usr/libexec/openssh/sftp-server
-<%- else %>
+<%- else -%>
Subsystem sftp <%= sshd_sftp_subsystem %>
-<%- end %>
+<%- end -%>
-<%- unless sshd_allowed_users.to_s.empty? then %>
+<%- unless sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= sshd_allowed_users %>
-<%- end %>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
+<%- end -%>
+<%- unless sshd_allowed_groups.to_s.empty? then -%>
AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
+<%- end -%>
-<%- unless sshd_additional_options.to_s.empty? then %>
+<%- unless sshd_additional_options.to_s.empty? then -%>
<%= sshd_additional_options %>
-<%- end %>
+<%- end -%>
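Review bot: `sshd_additional_options` is appended at the end of the file, and sshd uses the first value it obtains for each keyword, so an option placed there cannot override a directive the template already emitted above (for example `PasswordAuthentication` or `X11Forwarding`); the later value is silently ignored. A template comment before the block would document this, such as `<%# sshd takes the first value per keyword: sshd_additional_options cannot override settings rendered above -%>`.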