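{{ ansible_managed | comment }}

# Parameters that have sane defaults on Debian 11 are omitted.
# NOTE(review): this template replaces the packaged sshd_config wholesale, so
# only OpenSSH's compiled-in defaults apply here, not the ones Debian sets in
# its shipped file (e.g. UsePAM yes) -- confirm that is intended before relying
# on PAM account/session modules on these hosts.

{# Listen on the port Ansible itself connects on. Ansible falls back to 22 when
   ansible_port is unset, so mirror that instead of failing the render. #}
{% set ssh_port = hostvars[inventory_hostname].ansible_port | default(22) %}
{% set ssh_user = hostvars[inventory_hostname].ansible_user %}

{# The Ansible login user is admitted through a group of the same name, which
   relies on Debian's user-private-group scheme (adduser creates a group named
   after the user). The local is called allowed_groups, not groups, so it does
   not shadow Ansible's inventory-groups variable inside this template. #}
{% set allowed_groups = ([ssh_user] + ssh_allowed_groups) | sort | unique %}

Port {{ ssh_port }}

# Restrict who may log in: root is refused outright, and every other account
# must be a member of one of the listed groups (AllowGroups denies the rest).
PermitRootLogin no
AllowGroups {{ allowed_groups | join(' ') }}

# Only public key authentication. AuthenticationMethods is the enforcing line;
# the two explicit "no" lines keep password and keyboard-interactive off even
# if AuthenticationMethods is later relaxed. (OpenSSH >= 8.7 prefers the name
# KbdInteractiveAuthentication; Debian 11 ships 8.4, so the old name is used.)
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey

# Whitelist accepted environment variables (locale only):
AcceptEnv LANG LC_*

# Drop unresponsive clients: a keepalive probe is sent after 15 s without data
# and the connection is closed after 3 unanswered probes (~45 s). A client that
# is idle but still answers the probes stays connected -- this is a liveness
# check, not a user-inactivity timeout.
ClientAliveCountMax 3
ClientAliveInterval 15

# Miscellaneous:
PrintMotd no
Subsystem sftp /usr/lib/openssh/sftp-server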