diff options
Diffstat (limited to 'templates/sshd_config/CentOS.erb')
-rw-r--r-- | templates/sshd_config/CentOS.erb | 192 |
1 files changed, 192 insertions, 0 deletions
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb new file mode 100644 index 0000000..6a16d77 --- /dev/null +++ b/templates/sshd_config/CentOS.erb @@ -0,0 +1,192 @@ +# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +<%- unless real_sshd_port.to_s.empty? then %> +Port <%= real_sshd_port %> +<%- else %> +Port 22 +<%- end %> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +#AddressFamily any +#Protocol 2,1 +Protocol 2 +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 768 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +SyslogFacility AUTHPRIV +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +<%- unless real_sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= real_sshd_permit_root_login %> +<%- else %> +PermitRootLogin without-password +<%- end %> + +<%- if real_sshd_strict_modes.to_s == 'yes' then %> +StrictModes yes +<%- else %> +StrictModes no +<%- end %> + +#MaxAuthTries 6 + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +RSAAuthentication yes +<%- else %> +RSAAuthentication no +<%- end %> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +PubkeyAuthentication yes +<%- else %> +PubkeyAuthentication no +<%- end %> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else %> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end %> + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +RhostsRSAAuthentication yes +<%- else %> +RhostsRSAAuthentication no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +HostbasedAuthentication yes +<%- else %> +HostbasedAuthentication no +<% end -%> + +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +IgnoreRhosts yes +<%- else %> +IgnoreRhosts no +<% end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then %> +PasswordAuthentication yes +<%- else %> +PasswordAuthentication no +<%- end %> + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +GSSAPIAuthentication yes +#GSSAPICleanupCredentials yes +GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication mechanism. +# Depending on your PAM configuration, this may bypass the setting of +# PasswordAuthentication, PermitEmptyPasswords, and +# "PermitRootLogin without-password". If you just want the PAM account and +# session checks to run without PAM authentication, then enable this but set +# ChallengeResponseAuthentication=no +#UsePAM no +<%- if real_sshd_use_pam.to_s == 'yes' then %> +UsePAM yes +<%- else %> +UsePAM no +<%- end %> + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + +#GatewayPorts no +#X11Forwarding no +<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +X11Forwarding yes +<%- else %> +X11Forwarding no +<%- end %> +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#ShowPatchLevel no +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no + +# no default banner path +#Banner /some/path + +# override default of no subsystems +Subsystem sftp /usr/libexec/openssh/sftp-server +<%- unless real_sshd_allowed_users.to_s.empty? then %> +AllowUsers <%= real_sshd_allowed_users %> +<%- end %> |