# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
# The default is “no”.
PermitEmptyPasswords no
# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
# The default is “yes”.
ChallengeResponseAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
#
# Note:
# Deprecated option RhostsRSAAuthentication
#
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# The default is “no”.
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# If specified, login is allowed only for user names that match one of
# the patterns.
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
AllowUsers {{ fact_sshd_allowed_users }}
{% else %}
#AllowUsers back chris sysadm cityslang christoph
{% endif %}
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM {{ sshd_use_pam }}
# Specifies whether login(1) is used for interactive login sessions.
# Note that login(1) is never used for remote command execution.
# Note also, that if this is enabled, X11Forwarding will be disabled
# because login(1) does not know how to handle xauth(1) cookies. If
# UsePrivilegeSeparation is specified, it will be disabled after
# authentication.
# The default is “no”.
#UseLogin no
#-----------------------------
# Cryptography
#-----------------------------
# use default values for
# - KexAlgorithms
# - Ciphers
# - MACs
#-----------------------------
# Logging
#-----------------------------
# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
# The default is AUTH.
SyslogFacility AUTH
# Gives the verbosity level that is used when logging messages from
# sshd(8).
# The default is INFO.
LogLevel INFO
#-----------------------------
# Behavior
#-----------------------------
# Specifies whether the distribution-specified extra version suffix is included
# during initial protocol handshake.
# The default is "yes".
DebianBanner no
# The contents of the specified file are sent to the remote user before
# authentication is allowed.
# By default, no banner is displayed.
#Banner /etc/issue.net
# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
# The default is “yes”.
PrintMotd {{ sshd_print_motd }}
# Specifies what environment variables sent by the client will be copied
# into the session's environ(7).
# The default is not to accept any environment variables.
AcceptEnv LANG LC_*
# Configures an external subsystem (e.g. file transfer daemon).
# By default no subsystems are defined.
Subsystem sftp /usr/lib/openssh/sftp-server
# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the
# very same IP address.
# The default is “yes”.
UseDNS {{ sshd_use_dns }}
# Specifies whether X11 forwarding is permitted. The argument must be
# “yes” or “no”. See sshd_config(5) for further expalnation
# The default is “no”.
#X11Forwarding yes
# Specifies the first display number available for sshd(8)'s X11
# forwarding. This prevents sshd from interfering with real X11 servers.
# The default is 10.
X11DisplayOffset 10
# Specifies whether the system should send TCP keepalive messages to the
# other side. If they are sent, death of the connection or crash of one
# of the machines will be properly noticed. However, this means
# that connections will die if the route is down temporarily, and some
# people find it annoying. On the other hand, if TCP keepalives are not
# sent, sessions may hang indefinitely on the server, leaving “ghost” users
# and consuming server resources.
#
# The default is “yes” (to send TCP keepalive messages), and the server
# will notice if the network goes down or the client host crashes. This
# avoids infinitely hanging sessions.
TCPKeepAlive yes
#Specifies whether sshd(8) should print the date and time of the last
# user login when a user logs in interactively.
# The default is “yes”.
PrintLastLog yes
# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
# other remote hosts from connecting to forwarded ports.
#
# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
# bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be
# no to force remote port forwardings to be available to the local host only, yes to force
# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
# client to select the address to which the forwarding is bound. The default is no.
#GatewayPorts {{ sshd_gateway_ports }}
#-----------------------------
# Kerberos options
#-----------------------------
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#-----------------------------
# GSSAPI options
#-----------------------------
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
