diff options
Diffstat (limited to 'templates/sshd_config/CentOS.erb')
| -rw-r--r-- | templates/sshd_config/CentOS.erb | 97 |
1 files changed, 46 insertions, 51 deletions
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index bc5256a..a253029 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -28,9 +28,7 @@ Port 22 <% for address in sshd_listen_address -%> ListenAddress <%= address %> <% end -%> -#AddressFamily any -#Protocol 2,1 -Protocol 2 + # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 @@ -50,49 +48,49 @@ SyslogFacility AUTHPRIV # Authentication: #LoginGraceTime 2m -<%- unless sshd_permit_root_login.to_s.empty? then %> +<%- unless sshd_permit_root_login.to_s.empty? then -%> PermitRootLogin <%= sshd_permit_root_login %> -<%- else %> +<%- else -%> PermitRootLogin without-password -<%- end %> +<%- end -%> -<%- if sshd_strict_modes.to_s == 'yes' then %> +<%- if sshd_strict_modes.to_s == 'yes' then -%> StrictModes yes -<%- else %> +<%- else -%> StrictModes no -<%- end %> +<%- end -%> #MaxAuthTries 6 -<%- if sshd_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> RSAAuthentication yes -<%- else %> +<%- else -%> RSAAuthentication no -<%- end %> +<%- end -%> -<%- if sshd_pubkey_authentication.to_s == 'yes' then %> +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> PubkeyAuthentication yes -<%- else %> +<%- else -%> PubkeyAuthentication no -<%- end %> +<%- end -%> -<%- unless sshd_authorized_keys_file.to_s.empty? then %> +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else %> +<%- else -%> AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end %> +<%- end -%> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> RhostsRSAAuthentication yes -<%- else %> +<%- else -%> RhostsRSAAuthentication no <% end -%> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then %> +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> HostbasedAuthentication yes -<%- else %> +<%- else -%> HostbasedAuthentication no <% end -%> @@ -101,32 +99,32 @@ HostbasedAuthentication no #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if sshd_ignore_rhosts.to_s == 'yes' then %> +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> IgnoreRhosts yes -<%- else %> +<%- else -%> IgnoreRhosts no <% end -%> # To disable tunneled clear text passwords, change to no here! -<%- if sshd_password_authentication.to_s == 'yes' then %> +<%- if sshd_password_authentication.to_s == 'yes' then -%> PasswordAuthentication yes -<%- else %> +<%- else -%> PasswordAuthentication no -<%- end %> +<%- end -%> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if sshd_permit_empty_passwords.to_s == 'yes' then %> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if sshd_challenge_response_authentication.to_s == 'yes' then %> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> ChallengeResponseAuthentication yes -<%- else %> +<%- else -%> ChallengeResponseAuthentication no -<%- end %> +<%- end -%> # Kerberos options #KerberosAuthentication no @@ -136,9 +134,7 @@ ChallengeResponseAuthentication no # GSSAPI options #GSSAPIAuthentication no -GSSAPIAuthentication yes #GSSAPICleanupCredentials yes -GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -149,30 +145,30 @@ GSSAPICleanupCredentials yes # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no -<%- if sshd_use_pam.to_s == 'yes' then %> +<%- if sshd_use_pam.to_s == 'yes' then -%> UsePAM yes -<%- else %> +<%- else -%> UsePAM no -<%- end %> +<%- end -%> # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL -<%- if sshd_tcp_forwarding.to_s == 'yes' then %> +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes -<%- else %> +<%- else -%> AllowTcpForwarding no -<%- end %> +<%- end -%> #GatewayPorts no #X11Forwarding no -<%- if sshd_x11_forwarding.to_s == 'yes' then %> +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> X11Forwarding yes -<%- else %> +<%- else -%> X11Forwarding no -<%- end %> +<%- end -%> #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes @@ -189,26 +185,25 @@ X11Forwarding no #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no +#ChrootDirectory none # no default banner path #Banner /some/path # override default of no subsystems -<%- if sshd_sftp_subsystem.to_s.empty? then %> +<%- if sshd_sftp_subsystem.to_s.empty? then -%> Subsystem sftp /usr/libexec/openssh/sftp-server -<%- else %> +<%- else -%> Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> +<%- end -%> -<%- unless sshd_allowed_users.to_s.empty? then %> +<%- unless sshd_allowed_users.to_s.empty? then -%> AllowUsers <%= sshd_allowed_users %> -<%- end %> -<%- unless sshd_allowed_groups.to_s.empty? then %> +<%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then -%> AllowGroups <%= sshd_allowed_groups %> -<%- end %> - +<%- end -%> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - |