From 30d3ea60c1ff398ef4bdb2d37e669d819a757ee9 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Fri, 2 Feb 2018 10:31:01 +0100
Subject: [PATCH 1/1] sshd_config: remove commented out options and options where we just use the default value (according to the stretch manpage)

---
 modules/ssh/templates/sshd_config.erb | 46 +-------------------------
 1 file changed, 1 insertion(+), 45 deletions(-)

diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index 9b49f2fc8..4b591fef0 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -3,10 +3,6 @@
 ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
 ##
-# Package generated configuration file
-# See the sshd(8) manpage for details
-
-# What ports, IPs and protocols we listen for
 Port 22
 <%=
 extraports = case @fqdn
 when "paradis.debian.org" then "
@@ -19,63 +15,23 @@ ListenAddress [2001:41c8:1000:21::21:31]:443
 extraports
 %>
 # Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
 Protocol 2
-# HostKeys for protocol version 2
+
 HostKey /etc/ssh/ssh_host_rsa_key
 <%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key -%>
 HostKey /etc/ssh/ssh_host_ed25519_key
 <% end %>
-#Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
 # Authentication:
-LoginGraceTime 120
 PermitRootLogin without-password
-StrictModes yes
-
-PubkeyAuthentication yes
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
 ChallengeResponseAuthentication no
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding no
-X11DisplayOffset 10
 PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
 #MaxStartups 10:30:60
-#Banner /etc/issue.net
-# Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 Subsystem sftp /usr/lib/openssh/sftp-server
-- 
2.20.1
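Review bot: With `StrictModes`, `PubkeyAuthentication`, `IgnoreRhosts`, `HostbasedAuthentication`, `PermitEmptyPasswords` and `X11Forwarding` gone from the Authentication section of the new side, the template no longer states its hardening baseline; those values now come from whatever sshd build is installed on the host, and the commit message only vouches for them against the stretch manpage. Upstream defaults do move between releases (`PermitRootLogin` changed in 7.0, `UsePrivilegeSeparation` was deprecated in 7.5), so I would keep the security-relevant ones explicit under a short comment such as `# Kept explicit even where these match the stretch defaults: a change in upstream defaults must not silently weaken them`, instead of relying on one release's manpage. The lines that survive also deserve a second look under the commit's own "remove what is just the default" rule: `Protocol 2` is a no-op on the stretch build (server-side protocol 1 support was removed in OpenSSH 7.4), and if the stretch default for `UsePrivilegeSeparation` is `sandbox` — please confirm against that manpage — then the retained `UsePrivilegeSeparation yes` is not a default but a downgrade of the pre-authentication sandbox and should be dropped or changed to `sandbox`.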