{#
  sshd_config template for Debian 11 hosts.
  Inputs: ansible_port and ansible_user of the current host (read from hostvars) and the
  ssh_allowed_groups list. Output: listening port, group allow-list, public-key-only
  authentication, environment allow-list and keepalive settings.
  Jinja comments and set tags leave no lines in the rendered file as long as trim_blocks
  stays enabled (the Ansible template default).
  NOTE(review): the task that renders this file is not visible here; confirm it validates
  the result (e.g. validate: 'sshd -t -f %s') before sshd is reloaded, since a bad Port or
  AllowGroups line locks out remote access.
#}
{{ ansible_managed | comment }}
# Parameters that have sane defaults on Debian 11 are omitted.
{% set this_host = hostvars[inventory_hostname] %}
{# Named allowed_groups so that Ansible's `groups` magic variable is not shadowed.
   The Ansible login user is inserted as a GROUP name: presumably this relies on a group
   named after that user existing on the host (verify), otherwise the account Ansible
   connects with is not matched by AllowGroups unless ssh_allowed_groups covers it. #}
{% set allowed_groups = ([this_host.ansible_user] + ssh_allowed_groups) | sort | unique %}
Port {{ this_host.ansible_port }}
# Whitelist users:
PermitRootLogin no
AllowGroups {{ allowed_groups | join(' ') }}
# Only public key authentication:
PasswordAuthentication no
{# ChallengeResponseAuthentication is the directive name on the OpenSSH shipped with
   Debian 11; newer OpenSSH releases call it KbdInteractiveAuthentication and keep the old
   name only as a deprecated alias, so revisit this line on a distribution upgrade. #}
ChallengeResponseAuthentication no
AuthenticationMethods publickey
# Whitelist accepted environment variables:
AcceptEnv LANG LC_*
{# NOTE(review): these two settings disconnect UNRESPONSIVE clients (3 unanswered probes
   sent 15 s apart, roughly 45 s); a client that is idle but still answers the probes stays
   connected. If an inactivity timeout is a requirement, it has to be enforced elsewhere. #}
# Drop idle sessions:
ClientAliveCountMax 3
ClientAliveInterval 15
# Miscellaneous:
PrintMotd no
Subsystem sftp /usr/lib/openssh/sftp-server