125 lines
4.4 KiB
Django/Jinja
125 lines
4.4 KiB
Django/Jinja
# {{ansible_managed|comment}}
|
|
|
|
# This is the ssh client system-wide configuration file.
|
|
# See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
|
|
|
|
{% if ssh_custom_options -%}
|
|
# Custom configuration that overwrites default configuration
|
|
# ==========================================================
|
|
{% for line in ssh_custom_options %}
|
|
{{ line }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
# Basic configuration
|
|
# ===================
|
|
|
|
# Address family should always be limited to the active network configuration.
|
|
AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }}
|
|
|
|
{% for host in ssh_remote_hosts -%}
|
|
{% if loop.first %}
|
|
# Host-specific configuration
|
|
{% endif %}
|
|
Host {{ host.names | join(' ') }}
|
|
{{ host.options | join("\n") | indent(2) }}
|
|
|
|
{% endfor -%}
|
|
|
|
# Global defaults for all Hosts
|
|
Host *
|
|
|
|
# The port at the destination should be defined
|
|
Port {{ ssh_client_port }}
|
|
|
|
# Identity file configuration. You may restrict available identity files. Otherwise ssh will search for a pattern and use any that matches.
|
|
#IdentityFile ~/.ssh/identity
|
|
#IdentityFile ~/.ssh/id_rsa
|
|
#IdentityFile ~/.ssh/id_dsa
|
|
|
|
|
|
# Security configuration
|
|
# ======================
|
|
|
|
# Set the protocol version to 2 for security reasons. Disables legacy support.
|
|
Protocol 2
|
|
|
|
# Make sure passphrase querying is enabled
|
|
BatchMode no
|
|
|
|
# Prevent IP spoofing by checking to host IP against the `known_hosts` file.
|
|
CheckHostIP yes
|
|
|
|
# Always ask before adding keys to the `known_hosts` file. Do not set to `yes`.
|
|
StrictHostKeyChecking ask
|
|
|
|
|
|
# **Ciphers** -- If your clients don't support CTR (eg older versions), cbc will be added
|
|
# CBC: is true if you want to connect with OpenSSL-base libraries
|
|
# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
|
|
# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
|
|
#
|
|
|
|
{# This outputs "Ciphers <list-of-ciphers>" if ssh_ciphers is defined or "#Ciphers" if ssh_ciphers is undefined #}
|
|
{{ "Ciphers "+ssh_ciphers| join(',') if ssh_ciphers else "Ciphers"|comment }}
|
|
|
|
# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
|
|
# Weak HMAC is sometimes required if older package versions are used
|
|
# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
|
|
#
|
|
|
|
{# This outputs "MACs <list-of-macs>" if ssh_macs is defined or "#MACs" if ssh_macs is undefined #}
|
|
{{ "MACs "+ssh_macs| join(',') if ssh_macs else "MACs"|comment }}
|
|
|
|
# Alternative setting, if OpenSSH version is below v5.9
|
|
#MACs hmac-ripemd160
|
|
|
|
# **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary
|
|
# Weak kex is sometimes required if older package versions are used
|
|
# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
|
|
# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
|
|
|
|
{# This outputs "KexAlgorithms <list-of-algos>" if ssh_kex is defined or "#KexAlgorithms" if ssh_kex is undefined #}
|
|
{{ "KexAlgorithms "+ssh_kex| join(',') if ssh_kex else "KexAlgorithms"|comment }}
|
|
|
|
# Disable agent forwarding, since local agent could be accessed through forwarded connection.
|
|
ForwardAgent no
|
|
|
|
# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.
|
|
ForwardX11 no
|
|
|
|
# Never use host-based authentication. It can be exploited.
|
|
HostbasedAuthentication no
|
|
{% if sshd_version is version('7.6', '<') %}
|
|
RhostsRSAAuthentication no
|
|
# Enable RSA authentication via identity files.
|
|
RSAAuthentication yes
|
|
{% endif %}
|
|
|
|
# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
|
|
PasswordAuthentication {{ 'yes' if ssh_client_password_login else 'no' }}
|
|
|
|
# Only use GSSAPIAuthentication if implemented on the network.
|
|
GSSAPIAuthentication no
|
|
GSSAPIDelegateCredentials no
|
|
|
|
# Disable tunneling
|
|
Tunnel no
|
|
|
|
# Disable local command execution.
|
|
PermitLocalCommand no
|
|
|
|
|
|
# Misc. configuration
|
|
# ===================
|
|
|
|
# Enable compression. More pressure on the CPU, less on the network.
|
|
Compression yes
|
|
|
|
#EscapeChar ~
|
|
#VisualHostKey yes
|
|
|
|
{% if sshd_version is version('7.1', '<=') %}
|
|
# Disable experimental client roaming. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled.
|
|
UseRoaming {{ 'yes' if ssh_client_roaming else 'no' }}
|
|
{% endif %}
|