projects
/
mirror
/
dsa-puppet.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (from parent 1:
776f8d5
)
sshd_config: remove commented out options and options where we just use the default...
author
Peter Palfrader
<peter@palfrader.org>
Fri, 2 Feb 2018 09:31:01 +0000
(10:31 +0100)
committer
Peter Palfrader
<peter@palfrader.org>
Fri, 2 Feb 2018 09:31:01 +0000
(10:31 +0100)
modules/ssh/templates/sshd_config.erb
patch
|
blob
|
history
diff --git
a/modules/ssh/templates/sshd_config.erb
b/modules/ssh/templates/sshd_config.erb
index
9b49f2f
..
4b591fe
100644
(file)
--- a/
modules/ssh/templates/sshd_config.erb
+++ b/
modules/ssh/templates/sshd_config.erb
@@
-3,10
+3,6
@@
## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##
## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##
-# Package generated configuration file
-# See the sshd(8) manpage for details
-
-# What ports, IPs and protocols we listen for
Port 22
<%= extraports = case @fqdn
when "paradis.debian.org" then "
Port 22
<%= extraports = case @fqdn
when "paradis.debian.org" then "
@@
-19,63
+15,23
@@
ListenAddress [2001:41c8:1000:21::21:31]:443
extraports
%>
# Use these options to restrict which interfaces/protocols sshd will bind to
extraports
%>
# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
Protocol 2
Protocol 2
-# HostKeys for protocol version 2
+
HostKey /etc/ssh/ssh_host_rsa_key
<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key -%>
HostKey /etc/ssh/ssh_host_ed25519_key
<% end %>
HostKey /etc/ssh/ssh_host_rsa_key
<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key -%>
HostKey /etc/ssh/ssh_host_ed25519_key
<% end %>
-#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
UsePrivilegeSeparation yes
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
# Authentication:
# Authentication:
-LoginGraceTime 120
PermitRootLogin without-password
PermitRootLogin without-password
-StrictModes yes
-
-PubkeyAuthentication yes
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
ChallengeResponseAuthentication no
ChallengeResponseAuthentication no
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding no
-X11DisplayOffset 10
PrintMotd no
PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
#MaxStartups 10:30:60
#MaxStartups 10:30:60
-#Banner /etc/issue.net
-# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server