149 lines
6.5 KiB
Django/Jinja
149 lines
6.5 KiB
Django/Jinja
# {{ansible_managed}}
|
|
|
|
# This is the ssh client system-wide configuration file.
|
|
# See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
|
|
#
|
|
# Basic configuration
|
|
# ===================
|
|
|
|
# Address family should always be limited to the active network configuration.
|
|
AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }}
|
|
|
|
{% for host in ssh_remote_hosts -%}
|
|
{% if loop.first %}
|
|
# Host-specific configuration
|
|
{% endif %}
|
|
Host {{ host.names | join(' ') }}
|
|
{{ host.options | join("\n") | indent(2) }}
|
|
|
|
{% endfor -%}
|
|
|
|
# Global defaults for all Hosts
|
|
Host *
|
|
|
|
# The port at the destination should be defined
|
|
Port {{ ssh_client_port }}
|
|
|
|
# Identity file configuration. You may restrict available identity files. Otherwise ssh will search for a pattern and use any that matches.
|
|
#IdentityFile ~/.ssh/identity
|
|
#IdentityFile ~/.ssh/id_rsa
|
|
#IdentityFile ~/.ssh/id_dsa
|
|
|
|
|
|
# Security configuration
|
|
# ======================
|
|
|
|
# Set the protocol version to 2 for security reasons. Disables legacy support.
|
|
Protocol 2
|
|
|
|
# Make sure passphrase querying is enabled
|
|
BatchMode no
|
|
|
|
# Prevent IP spoofing by checking to host IP against the `known_hosts` file.
|
|
CheckHostIP yes
|
|
|
|
# Always ask before adding keys to the `known_hosts` file. Do not set to `yes`.
|
|
StrictHostKeyChecking ask
|
|
|
|
# **Ciphers** -- If your clients don't support CTR (eg older versions), cbc will be added
|
|
# CBC: is true if you want to connect with OpenSSL-base libraries
|
|
# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
|
|
# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
|
|
#
|
|
{% if ssh_client_cbc_required -%}
|
|
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version >= '7') or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11') -%}
|
|
Ciphers {{ ssh_ciphers_66_weak | join(',') }}
|
|
{% else -%}
|
|
Ciphers {{ ssh_ciphers_53_weak | join(',') }}
|
|
{% endif %}
|
|
{% else -%}
|
|
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version >= '7') or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11') -%}
|
|
Ciphers {{ ssh_ciphers_66_default | join(',') }}
|
|
{% else -%}
|
|
Ciphers {{ ssh_ciphers_53_default | join(',') }}
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
|
|
# Weak HMAC is sometimes required if older package versions are used
|
|
# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
|
|
#
|
|
{% if ssh_client_weak_hmac -%}
|
|
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version >= '7') or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11') -%}
|
|
MACs {{ ssh_macs_66_weak | join(',') }}
|
|
{% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
|
|
MACs {{ ssh_macs_53_default | join(',') }}
|
|
{% endif %}
|
|
{% else -%}
|
|
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version >= '7') or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11') -%}
|
|
MACs {{ ssh_macs_66_default | join(',') }}
|
|
{% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
|
|
MACs {{ ssh_macs_53_default | join(',') }}
|
|
{% else -%}
|
|
MACs {{ ssh_macs_59_default | join(',') }}
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
# Alternative setting, if OpenSSH version is below v5.9
|
|
#MACs hmac-ripemd160
|
|
|
|
# **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary
|
|
# Weak kex is sometimes required if older package versions are used
|
|
# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
|
|
#
|
|
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version >= '7') or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11') -%}
|
|
{% if ssh_client_weak_kex -%}
|
|
KexAlgorithms {{ ssh_kex_66_weak | join(',') }}
|
|
{% else -%}
|
|
KexAlgorithms {{ ssh_kex_66_default | join(',') }}
|
|
{% endif %}
|
|
{% else -%}
|
|
{% if ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
|
|
#KexAlgorithms
|
|
{% elif ssh_client_weak_kex -%}
|
|
KexAlgorithms {{ ssh_kex_59_weak | join(',') }}
|
|
{% else -%}
|
|
KexAlgorithms {{ ssh_kex_59_default | join(',') }}
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
|
|
# Disable agent forwarding, since local agent could be accessed through forwarded connection.
|
|
ForwardAgent no
|
|
|
|
# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.
|
|
ForwardX11 no
|
|
|
|
# Never use host-based authentication. It can be exploited.
|
|
HostbasedAuthentication no
|
|
RhostsRSAAuthentication no
|
|
|
|
# Enable RSA authentication via identity files.
|
|
RSAAuthentication yes
|
|
|
|
# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
|
|
PasswordAuthentication {{ 'yes' if ssh_client_password_login else 'no' }}
|
|
|
|
# Only use GSSAPIAuthentication if implemented on the network.
|
|
GSSAPIAuthentication no
|
|
GSSAPIDelegateCredentials no
|
|
|
|
# Disable tunneling
|
|
Tunnel no
|
|
|
|
# Disable local command execution.
|
|
PermitLocalCommand no
|
|
|
|
|
|
# Misc. configuration
|
|
# ===================
|
|
|
|
# Enable compression. More pressure on the CPU, less on the network.
|
|
Compression yes
|
|
|
|
#EscapeChar ~
|
|
#VisualHostKey yes
|
|
|
|
# Disable experimental client roaming. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled.
|
|
UseRoaming {{ 'yes' if ssh_client_roaming else 'no' }}
|