# sshd server configuration file, allowing root. -*- conf -*-
#
# This sshd configuration is intended to permit root logins only when they are
# authenticated via GSS-API (Kerberos). NOTE(review): the PermitRootLogin
# directive that enforces that restriction is not in this section of the
# template; verify it is set further down before relying on the claim above.
# It will eventually become the default. The default configuration values
# that we don't change are omitted from this file, so sshd's compiled-in
# defaults apply to everything not listed here.
#
# Template inputs (set by the Puppet manifest, not by end users):
#   @listen_ports     comma-separated list of TCP ports to listen on
#   @listen_addresses comma-separated list of addresses, or the literal 'all'
#   @ed25519          truthy -> also load the Ed25519 host key
#   @max_tries        value for MaxAuthTries (emitted verbatim, not validated)
#   @osfamily         Puppet facter osfamily, used only for the RedHat quirk
#   @pubkey, @hostbased, @password  booleans toggling the matching auth method
<%-
# Split the ports at the commas. Entries are emitted verbatim (no trimming),
# so the manifest should supply "22,2222" rather than "22, 2222".
ports = @listen_ports.split(',')
ports.each do |port|
-%>
Port <%= port %>
<%-
end
-%>
<%-
# The sentinel value 'all' emits no ListenAddress at all, which leaves sshd
# on its default of binding every interface. Anything else is split at the
# commas and emitted one directive per address.
if (@listen_addresses != 'all')
# Split the addresses at the commas.
addresses = @listen_addresses.split(',')
addresses.each do |address|
-%>
ListenAddress <%= address %>
<%-
end
-%>
<%-
end
-%>
# Only support protocol version 2. On OpenSSH releases that have dropped
# protocol 1 entirely this keyword is ignored with a "deprecated" warning;
# it is kept for older hosts where protocol 1 was still compiled in.
Protocol 2
# Only support RSA keys, not DSA keys.
HostKey /etc/ssh/ssh_host_rsa_key
<% if @ed25519 then -%>
# Also support Ed25519 host keys. Only emitted when the manifest says the
# host actually has the key file; sshd refuses to start if a HostKey is
# listed but unreadable.
HostKey /etc/ssh/ssh_host_ed25519_key
<% end -%>
# Increase the login grace period from 120 seconds to 300 seconds (5 minutes).
# Security caveat: this is how long an unauthenticated client may hold a
# connection slot open, so it widens the window for pre-auth slot exhaustion;
# MaxStartups (not set in this section) is what bounds the number of such
# connections. The SIGALRM handler that fires when this timer expires was the
# trigger for CVE-2024-6387 (regreSSHion) on unpatched OpenSSH 8.5p1-9.7p1;
# keep sshd patched rather than tuning this value as a mitigation.
LoginGraceTime 300
# Prevent attackers from running long password guessing attacks.
# NOTE: MaxAuthTries caps attempts per connection only; an attacker can open
# a fresh connection for each batch, so cross-connection throttling (PAM
# lockout, fail2ban, firewall rate limits) is still needed. The value comes
# straight from the manifest and is not validated here.
MaxAuthTries <%= @max_tries %>
<% if @osfamily == 'RedHat' then -%>
# Some Red Hat systems are old enough that this has to be explicitly enabled.
# Modern OpenSSH always runs with privilege separation and logs a deprecation
# warning for this keyword; harmless, but can be dropped once those hosts go.
UsePrivilegeSeparation yes
<% end -%>
# Disable all forms of host-based and public key authentication by default,
# since we use GSS-API (or passwords). RSAAuthentication and
# RhostsRSAAuthentication are protocol-1-only keywords and are ignored (with
# a warning) by releases that no longer support protocol 1.
IgnoreRhosts yes
RSAAuthentication no
PubkeyAuthentication <%= @pubkey ? 'yes' : 'no' %>
RhostsRSAAuthentication no
# Enabling HostbasedAuthentication trusts the connecting host's key via
# shosts.equiv / .shosts; only turn this on for hosts whose keys are managed.
HostbasedAuthentication <%= @hostbased ? 'yes' : 'no' %>
# Allow password authentication via PAM, but not empty passwords.
# Security caveat: ChallengeResponseAuthentication (keyboard-interactive,
# renamed KbdInteractiveAuthentication in OpenSSH 8.7, old name kept as an
# alias) is always 'yes' here and UsePAM is 'yes', so PAM can still prompt
# for and accept a password even when @password is false and
# PasswordAuthentication is 'no'. If the intent of @password=false is "no
# password logins at all", this line must be tied to @password as well, or
# the PAM stack for sshd must not offer password auth.
ChallengeResponseAuthentication yes
PasswordAuthentication <%= @password ? 'yes' : 'no' %>
UsePAM yes
PermitEmptyPasswords no
# Enable GSS-API authentication. Eventually (squeeze and later) we will want
# to add GSSAPIStoreCredentialsOnRekey yes.
# GSSAPICleanupCredentials destroys delegated credentials when the session
# ends, so forwarded Kerberos tickets do not linger on the host.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes