From 1b5200c805510583a3af6812986c8ef4fbb5c3f6 Mon Sep 17 00:00:00 2001 From: Matt Willsher Date: Sun, 21 Dec 2014 22:23:02 +0000 Subject: [PATCH] Improve option rendering, allow per OS defaults --- defaults/main.yml | 4 +- meta/macros.j2 | 37 ++----- meta/main.yml | 2 +- meta/make_option_list | 16 +-- meta/ssh_boolean_options | 37 ------- meta/ssh_kv_options | 45 --------- meta/ssh_multi_options | 3 - meta/ssh_options | 85 ++++++++++++++++ tasks/main.yml | 4 + templates/sshd_config.j2 | 206 ++++++++++++++++++--------------------- vars/Debian.yml | 8 +- vars/FreeBSD.yml | 2 +- 12 files changed, 202 insertions(+), 247 deletions(-) delete mode 100644 meta/ssh_boolean_options delete mode 100644 meta/ssh_kv_options delete mode 100644 meta/ssh_multi_options create mode 100644 meta/ssh_options
diff --git a/defaults/main.yml b/defaults/main.yml
index d6e600a..020312d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,5 +4,5 @@ sshd_group: root
 sshd_binary: /usr/sbin/sshd
 sshd_config_file: /etc/ssh/sshd_config
 sshd_service: sshd
-sshd_force_sftp: true
-sshd: {}
+sshd_sftp_server: /usr/lib/openssh/sftp-server
+sshd: "{{ sshd_defaults }}"
diff --git a/meta/macros.j2 b/meta/macros.j2
index 0bd18ef..2338e58 100644
--- a/meta/macros.j2
+++ b/meta/macros.j2
@@ -1,12 +1,16 @@
 # {{ ansible_managed }}
-{% macro sshd_multiline(key,override) %}
+{% macro render_option(key,override) %}
 {% if override is defined %}
 {% set value = override %}
 {% elif sshd[key] is defined %}
 {% set value = sshd[key] %}
 {% endif %}
 {% if value is defined %}
-{% if value is string %}
+{% if value is sameas true %}
+{{ key }} yes
+{% elif value is sameas false %}
+{{ key }} no
+{% elif value is string or value is number %}
 {{ key }} {{ value }}
 {% else %}
 {% for i in value %}
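Review bot: The added `sshd: "{{ sshd_defaults }}"` refers to a variable that, as far as this hunk shows, defaults/main.yml never defines, so on a platform whose vars file does not set it (this diff adds it only for Debian and FreeBSD) the template task fails on an undefined variable instead of rendering a config; add `sshd_defaults: {}` on the line above it so the fallback is an explicit empty option map, which yields sshd's compiled-in defaults. Because this is a plain reference rather than a merge, a caller who sets `sshd` directly discards the per-OS defaults entirely; if that is intended, say so in a comment such as `# Full option map; overriding sshd replaces sshd_defaults rather than merging with it`. The new `sshd_sftp_server` default is the Debian path, which vars/FreeBSD.yml overrides further down in this diff.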
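Review bot: In the new `render_option` body, a value that is neither a boolean, a string nor a number falls through to `{% for i in value %}`, so a key that is present but empty (`Banner:` or `Banner: null` in YAML) is presumably iterated and fails at render time rather than being skipped; tightening the guard to `{% if value is defined and value is not none %}` keeps such a key a no-op. The same macro body is duplicated verbatim in the templates/sshd_config.j2 hunk of this diff, which meta/make_option_list generates from this file, so the fix belongs here and that template should be regenerated rather than edited. The macro's closing tags lie in the next hunk, outside this one.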
@@ -15,32 +19,3 @@
 {% endif %}
 {% endif %}
 {% endmacro %}
-{% macro sshd_boolean(key,override) %}
-{% if override is defined %}
-{% set value = override %}
-{% elif sshd[key] is defined %}
-{% set value = sshd[key] %}
-{% endif %}
-{% if value is defined %}
-{% if value == true %}
-{{ key }} yes
-{% elif value == false %}
-{{ key }} no
-{% else %}
-{{ key }} {{ value }}
-{% endif %}
-{% endif %}
-{% endmacro %}
-{% macro sshd_value(key,override) %}
-{% if override is defined %}
-{% set value = override %}
-{% elif sshd[key] is defined %}
-{% set value = sshd[key] %}
-{% endif %}
-{% if value is defined %}
-{{ key }} {{ value }}
-{% endif %}
-{% endmacro %}
-{% if sshd_force_sftp == true %}
-Subsystem sftp {{ sshd_sftp_server }}
-{% endif %}
diff --git a/meta/main.yml b/meta/main.yml
index 7289aec..5c41c85 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -3,7 +3,7 @@ galaxy_info:
 author: Matt Willsher
 description: OpenSSH Deamon configuration
 company: Willsher Systems
- license: MIT
+ license: MIT
 min_ansible_version: 1.8
 platforms:
 - name: Ubuntu
diff --git a/meta/make_option_list b/meta/make_option_list
index fb9fbc0..2ff821f 100755
--- a/meta/make_option_list
+++ b/meta/make_option_list
@@ -1,20 +1,8 @@
 #!/bin/sh
 cat macros.j2
-cat ssh_multi_options |
+cat ssh_options |
 sort |
 awk '{
-print "{{ sshd_multiline(\""$1"\",sshd_"$1") -}}"
-}'
-
-cat ssh_kv_options |
- sort |
- awk '{
-print "{{ sshd_value(\""$1"\",sshd_"$1") -}}"
-}'
-
-cat ssh_boolean_options |
- sort |
- awk '{
-print "{{ sshd_boolean(\""$1"\",sshd_"$1") -}}"
+print "{{ render_option(\""$1"\",sshd_"$1") -}}"
 }'
diff --git a/meta/ssh_boolean_options b/meta/ssh_boolean_options
deleted file mode 100644
index bcc9a32..0000000
--- a/meta/ssh_boolean_options
+++ /dev/null
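Review bot: The new pipeline sorts `ssh_options` in whatever locale the caller has, so regenerating the template on a machine with a different `LC_COLLATE` reorders the emitted options (case-insensitive collation puts `GatewayPorts` before the `GSSAPI*` keys, unlike the committed meta/ssh_options order); pin it with `LC_ALL=C sort ssh_options |`, which also removes the needless `cat`. The script also runs without `set -eu`, so a missing or unreadable `ssh_options` still exits successfully and produces an output with no option lines at all; `set -eu` on the line after the shebang turns that into a failure. Since every line of ssh_options becomes a `render_option` call, that list cannot carry comments; if you want to annotate it, filter with `grep -v '^#' ssh_options` ahead of the sort.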
@@ -1,37 +0,0 @@
-AllowAgentForwarding
-AllowTcpForwarding
-ChallengeResponseAuthentication
-Compression
-GatewayPorts
-GSSAPICleanupCredentials
-GSSAPIStrictAcceptorCheck
-GSSAPIStoreCredentialsOnRekey
-HostbasedAuthentication
-HostbasedUsesNameFromPacketOnly
-IgnoreRhosts
-IgnoreUserKnownHosts
-KerberosAuthentication
-KerberosGetAFSToken
-KerberosOrLocalPasswd
-KerberosTicketCleanup
-PasswordAuthentication
-PermitEmptyPasswords
-PermitRootLogin
-PermitTunnel
-PermitUserEnvironment
-PrintLastLog
-PrintMotd
-PubkeyAuthentication
-RhostsRSAAuthentication
-RSAAuthentication
-StrictModes
-TCPKeepAlive
-UseDNS
-UseLogin
-UsePAM
-UsePrivilegeSeparation
-X11Forwarding
-X11UseLocalhost
-HPNDisabled
-TcpRcvBufPoll
-NoneEnabled
diff --git a/meta/ssh_kv_options b/meta/ssh_kv_options
deleted file mode 100644
index 69c396f..0000000
--- a/meta/ssh_kv_options
+++ /dev/null
@@ -1,45 +0,0 @@
-AcceptEnv
-AddressFamily
-AllowGroups
-AllowUsers
-AuthenticationMethods
-AuthorizedKeysCommand
-AuthorizedKeysCommandUser
-AuthorizedKeysFile
-AuthorizedPrincipalsFile
-Banner
-ChrootDirectory
-Ciphers
-ClientAliveCountMax
-ClientAliveInterval
-DenyGroups
-DenyUsers
-ForceCommand
-GSSAPIAuthentication
-GSSAPIKeyExchange
-HostCertificate
-HostKeyAgent
-IPQoS
-KbdInteractiveAuthentication
-KexAlgorithms
-KeyRegenerationInterval
-LoginGraceTime
-LogLevel
-MACs
-MaxAuthTries
-MaxSessions
-MaxStartups
-PermitOpen
-PermitTTY
-PidFile
-Port
-Protocol
-RekeyLimit
-RevokedKeys
-ServerKeyBits
-SyslogFacility
-TrustedUserCAKeys
-VersionAddendum
-X11DisplayOffset
-XAuthLocation
-HPNBufferSize
diff --git a/meta/ssh_multi_options b/meta/ssh_multi_options
deleted file mode 100644
index 17fc4a6..0000000
--- a/meta/ssh_multi_options
+++ /dev/null
@@ -1,3 +0,0 @@
-HostKey
-ListenAddress
-Subsystem
diff --git a/meta/ssh_options b/meta/ssh_options
new file mode 100644
index 0000000..30b46c8
--- /dev/null
+++ b/meta/ssh_options
@@ -0,0 +1,85 @@
+AcceptEnv
+AddressFamily
+AllowAgentForwarding
+AllowGroups
+AllowTcpForwarding
+AllowUsers
+AuthenticationMethods
+AuthorizedKeysCommand
+AuthorizedKeysCommandUser
+AuthorizedKeysFile
+AuthorizedPrincipalsFile
+Banner
+ChallengeResponseAuthentication
+ChrootDirectory
+Ciphers
+ClientAliveCountMax
+ClientAliveInterval
+Compression
+DenyGroups
+DenyUsers
+ForceCommand
+GSSAPIAuthentication
+GSSAPICleanupCredentials
+GSSAPIKeyExchange
+GSSAPIStoreCredentialsOnRekey
+GSSAPIStrictAcceptorCheck
+GatewayPorts
+HPNBufferSize
+HPNDisabled
+HostCertificate
+HostKey
+HostKeyAgent
+HostbasedAuthentication
+HostbasedUsesNameFromPacketOnly
+IPQoS
+IgnoreRhosts
+IgnoreUserKnownHosts
+KbdInteractiveAuthentication
+KerberosAuthentication
+KerberosGetAFSToken
+KerberosOrLocalPasswd
+KerberosTicketCleanup
+KexAlgorithms
+KeyRegenerationInterval
+ListenAddress
+LogLevel
+LoginGraceTime
+MACs
+MaxAuthTries
+MaxSessions
+MaxStartups
+NoneEnabled
+PasswordAuthentication
+PermitEmptyPasswords
+PermitOpen
+PermitRootLogin
+PermitTTY
+PermitTunnel
+PermitUserEnvironment
+PidFile
+Port
+PrintLastLog
+PrintMotd
+Protocol
+PubkeyAuthentication
+RSAAuthentication
+RekeyLimit
+RevokedKeys
+RhostsRSAAuthentication
+ServerKeyBits
+StrictModes
+Subsystem
+SyslogFacility
+TCPKeepAlive
+TcpRcvBufPoll
+TrustedUserCAKeys
+UseDNS
+UseLogin
+UsePAM
+UsePrivilegeSeparation
+VersionAddendum
+X11DisplayOffset
+X11Forwarding
+X11UseLocalhost
+XAuthLocation
diff --git a/tasks/main.yml b/tasks/main.yml
index fb50cfd..c841d27 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -13,6 +13,10 @@
 state=installed
 with_items: sshd_packages
+- name: Debug config
+ debug: var=sshd
+ when: sshd_debug is defined
+
 - name: Configured
 template:
 src: sshd_config.j2
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index cef6159..113d7e9 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
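Review bot: `when: sshd_debug is defined` on the new debug task fires whenever the variable exists at all, so a host that sets `sshd_debug: false` still has its full effective sshd option map printed into the play output; `when: sshd_debug | default(false) | bool` makes the switch behave as the boolean its name suggests. Consider gating the dump on run verbosity instead of a variable, since it prints every `sshd` key (including any `AuthorizedKeysCommand` or `ForceCommand` values) into output that is commonly retained by CI or logging. The `Configured` task that follows continues past the end of the hunk.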
@@ -1,124 +1,106 @@
 # {{ ansible_managed }}
-{% macro sshd_multiline(key,override) %}
+{% macro render_option(key,override) %}
 {% if override is defined %}
 {% set value = override %}
 {% elif sshd[key] is defined %}
 {% set value = sshd[key] %}
 {% endif %}
 {% if value is defined %}
-{% for i in value %}
-{{ key }} {{ i }}
-{% endfor %}
-{% endif %}
-{% endmacro %}
-{% macro sshd_boolean(key,override) %}
-{% if override is defined %}
-{% set value = override %}
-{% elif sshd[key] is defined %}
-{% set value = sshd[key] %}
-{% endif %}
-{% if value is defined %}
-{% if value == true %}
+{% if value is sameas true %}
 {{ key }} yes
-{% elif value == false %}
+{% elif value is sameas false %}
 {{ key }} no
-{% else %}
+{% elif value is string or value is number %}
 {{ key }} {{ value }}
+{% else %}
+{% for i in value %}
+{{ key }} {{ i }}
+{% endfor %}
 {% endif %}
 {% endif %}
-{% endmacro -%}
-{% macro sshd_value(key,override) -%}
-{% if override is defined -%}
-{% set value = override -%}
-{% elif sshd[key] is defined -%}
-{% set value = sshd[key] -%}
-{% endif -%}
-{% if value is defined -%}
-{{ key }} {{ value }}
-{% endif -%}
-{% endmacro -%}
-{{ sshd_multiline("HostKey",sshd_HostKey) }}
-{{ sshd_multiline("ListenAddress",sshd_ListenAddress) }}
-{{ sshd_multiline("Subsystem",sshd_Subsystem) }}
-{{ sshd_value("AcceptEnv",sshd_AcceptEnv) }}
-{{ sshd_value("AddressFamily",sshd_AddressFamily) }}
-{{ sshd_value("AllowGroups",sshd_AllowGroups) }}
-{{ sshd_value("AllowUsers",sshd_AllowUsers) }}
-{{ sshd_value("AuthenticationMethods",sshd_AuthenticationMethods) }}
-{{ sshd_value("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) }}
-{{ sshd_value("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) }}
-{{ sshd_value("AuthorizedKeysFile",sshd_AuthorizedKeysFile) }}
-{{ sshd_value("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) }}
-{{ sshd_value("Banner",sshd_Banner) }}
-{{ sshd_value("ChrootDirectory",sshd_ChrootDirectory) }}
-{{ sshd_value("Ciphers",sshd_Ciphers) }}
-{{ sshd_value("ClientAliveCountMax",sshd_ClientAliveCountMax) }}
-{{ sshd_value("ClientAliveInterval",sshd_ClientAliveInterval) }}
-{{ sshd_value("DenyGroups",sshd_DenyGroups) }}
-{{ sshd_value("DenyUsers",sshd_DenyUsers) }}
-{{ sshd_value("ForceCommand",sshd_ForceCommand) }}
-{{ sshd_value("GSSAPIAuthentication",sshd_GSSAPIAuthentication) }}
-{{ sshd_value("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) }}
-{{ sshd_value("HPNBufferSize",sshd_HPNBufferSize) }}
-{{ sshd_value("HostCertificate",sshd_HostCertificate) }}
-{{ sshd_value("HostKeyAgent",sshd_HostKeyAgent) }}
-{{ sshd_value("IPQoS",sshd_IPQoS) }}
-{{ sshd_value("KbdInteractiveAuthentication",sshd_KbdInteractiveAuthentication) }}
-{{ sshd_value("KexAlgorithms",sshd_KexAlgorithms) }}
-{{ sshd_value("KeyRegenerationInterval",sshd_KeyRegenerationInterval) }}
-{{ sshd_value("LogLevel",sshd_LogLevel) }}
-{{ sshd_value("LoginGraceTime",sshd_LoginGraceTime) }}
-{{ sshd_value("MACs",sshd_MACs) }}
-{{ sshd_value("MaxAuthTries",sshd_MaxAuthTries) }}
-{{ sshd_value("MaxSessions",sshd_MaxSessions) }}
-{{ sshd_value("MaxStartups",sshd_MaxStartups) }}
-{{ sshd_value("PermitOpen",sshd_PermitOpen) }}
-{{ sshd_value("PermitTTY",sshd_PermitTTY) }}
-{{ sshd_value("PidFile",sshd_PidFile) }}
-{{ sshd_value("Port",sshd_Port) }}
-{{ sshd_value("Protocol",sshd_Protocol) }}
-{{ sshd_value("RekeyLimit",sshd_RekeyLimit) }}
-{{ sshd_value("RevokedKeys",sshd_RevokedKeys) }}
-{{ sshd_value("ServerKeyBits",sshd_ServerKeyBits) }}
-{{ sshd_value("SyslogFacility",sshd_SyslogFacility) }}
-{{ sshd_value("TrustedUserCAKeys",sshd_TrustedUserCAKeys) }}
-{{ sshd_value("VersionAddendum",sshd_VersionAddendum) }}
-{{ sshd_value("X11DisplayOffset",sshd_X11DisplayOffset) }}
-{{ sshd_value("XAuthLocation",sshd_XAuthLocation) }}
-{{ sshd_boolean("AllowAgentForwarding",sshd_AllowAgentForwarding) }}
-{{ sshd_boolean("AllowTcpForwarding",sshd_AllowTcpForwarding) }}
-{{ sshd_boolean("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) }}
-{{ sshd_boolean("Compression",sshd_Compression) }}
-{{ sshd_boolean("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) }}
-{{ sshd_boolean("GSSAPIStoreCredentialsOnRekey",sshd_GSSAPIStoreCredentialsOnRekey) }}
-{{ sshd_boolean("GSSAPIStrictAcceptorCheck",sshd_GSSAPIStrictAcceptorCheck) }}
-{{ sshd_boolean("GatewayPorts",sshd_GatewayPorts) }}
-{{ sshd_boolean("HPNDisabled",sshd_HPNDisabled) }}
-{{ sshd_boolean("HostbasedAuthentication",sshd_HostbasedAuthentication) }}
-{{ sshd_boolean("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) }}
-{{ sshd_boolean("IgnoreRhosts",sshd_IgnoreRhosts) }}
-{{ sshd_boolean("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) }}
-{{ sshd_boolean("KerberosAuthentication",sshd_KerberosAuthentication) }}
-{{ sshd_boolean("KerberosGetAFSToken",sshd_KerberosGetAFSToken) }}
-{{ sshd_boolean("KerberosOrLocalPasswd",sshd_KerberosOrLocalPasswd) }}
-{{ sshd_boolean("KerberosTicketCleanup",sshd_KerberosTicketCleanup) }}
-{{ sshd_boolean("NoneEnabled",sshd_NoneEnabled) }}
-{{ sshd_boolean("PasswordAuthentication",sshd_PasswordAuthentication) }}
-{{ sshd_boolean("PermitEmptyPasswords",sshd_PermitEmptyPasswords) }}
-{{ sshd_boolean("PermitRootLogin",sshd_PermitRootLogin) }}
-{{ sshd_boolean("PermitTunnel",sshd_PermitTunnel) }}
-{{ sshd_boolean("PermitUserEnvironment",sshd_PermitUserEnvironment) }}
-{{ sshd_boolean("PrintLastLog",sshd_PrintLastLog) }}
-{{ sshd_boolean("PrintMotd",sshd_PrintMotd) }}
-{{ sshd_boolean("PubkeyAuthentication",sshd_PubkeyAuthentication) }}
-{{ sshd_boolean("RSAAuthentication",sshd_RSAAuthentication) }}
-{{ sshd_boolean("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) }}
-{{ sshd_boolean("StrictModes",sshd_StrictModes) }}
-{{ sshd_boolean("TCPKeepAlive",sshd_TCPKeepAlive) }}
-{{ sshd_boolean("TcpRcvBufPoll",sshd_TcpRcvBufPoll) }}
-{{ sshd_boolean("UseDNS",sshd_UseDNS) }}
-{{ sshd_boolean("UseLogin",sshd_UseLogin) }}
-{{ sshd_boolean("UsePAM",sshd_UsePAM) }}
-{{ sshd_boolean("UsePrivilegeSeparation",sshd_UsePrivilegeSeparation) }}
-{{ sshd_boolean("X11Forwarding",sshd_X11Forwarding) }}
-{{ sshd_boolean("X11UseLocalhost",sshd_X11UseLocalhost) }}
+{% endmacro %}
+{{ render_option("AcceptEnv",sshd_AcceptEnv) -}}
+{{ render_option("AddressFamily",sshd_AddressFamily) -}}
+{{ render_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}}
+{{ render_option("AllowGroups",sshd_AllowGroups) -}}
+{{ render_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}}
+{{ render_option("AllowUsers",sshd_AllowUsers) -}}
+{{ render_option("AuthenticationMethods",sshd_AuthenticationMethods) -}}
+{{ render_option("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) -}}
+{{ render_option("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) -}}
+{{ render_option("AuthorizedKeysFile",sshd_AuthorizedKeysFile) -}}
+{{ render_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}}
+{{ render_option("Banner",sshd_Banner) -}}
+{{ render_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}}
+{{ render_option("ChrootDirectory",sshd_ChrootDirectory) -}}
+{{ render_option("Ciphers",sshd_Ciphers) -}}
+{{ render_option("ClientAliveCountMax",sshd_ClientAliveCountMax) -}}
+{{ render_option("ClientAliveInterval",sshd_ClientAliveInterval) -}}
+{{ render_option("Compression",sshd_Compression) -}}
+{{ render_option("DenyGroups",sshd_DenyGroups) -}}
+{{ render_option("DenyUsers",sshd_DenyUsers) -}}
+{{ render_option("ForceCommand",sshd_ForceCommand) -}}
+{{ render_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}}
+{{ render_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}}
+{{ render_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}}
+{{ render_option("GSSAPIStoreCredentialsOnRekey",sshd_GSSAPIStoreCredentialsOnRekey) -}}
+{{ render_option("GSSAPIStrictAcceptorCheck",sshd_GSSAPIStrictAcceptorCheck) -}}
+{{ render_option("GatewayPorts",sshd_GatewayPorts) -}}
+{{ render_option("HPNBufferSize",sshd_HPNBufferSize) -}}
+{{ render_option("HPNDisabled",sshd_HPNDisabled) -}}
+{{ render_option("HostCertificate",sshd_HostCertificate) -}}
+{{ render_option("HostKey",sshd_HostKey) -}}
+{{ render_option("HostKeyAgent",sshd_HostKeyAgent) -}}
+{{ render_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
+{{ render_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
+{{ render_option("IPQoS",sshd_IPQoS) -}}
+{{ render_option("IgnoreRhosts",sshd_IgnoreRhosts) -}}
+{{ render_option("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) -}}
+{{ render_option("KbdInteractiveAuthentication",sshd_KbdInteractiveAuthentication) -}}
+{{ render_option("KerberosAuthentication",sshd_KerberosAuthentication) -}}
+{{ render_option("KerberosGetAFSToken",sshd_KerberosGetAFSToken) -}}
+{{ render_option("KerberosOrLocalPasswd",sshd_KerberosOrLocalPasswd) -}}
+{{ render_option("KerberosTicketCleanup",sshd_KerberosTicketCleanup) -}}
+{{ render_option("KexAlgorithms",sshd_KexAlgorithms) -}}
+{{ render_option("KeyRegenerationInterval",sshd_KeyRegenerationInterval) -}}
+{{ render_option("ListenAddress",sshd_ListenAddress) -}}
+{{ render_option("LogLevel",sshd_LogLevel) -}}
+{{ render_option("LoginGraceTime",sshd_LoginGraceTime) -}}
+{{ render_option("MACs",sshd_MACs) -}}
+{{ render_option("MaxAuthTries",sshd_MaxAuthTries) -}}
+{{ render_option("MaxSessions",sshd_MaxSessions) -}}
+{{ render_option("MaxStartups",sshd_MaxStartups) -}}
+{{ render_option("NoneEnabled",sshd_NoneEnabled) -}}
+{{ render_option("PasswordAuthentication",sshd_PasswordAuthentication) -}}
+{{ render_option("PermitEmptyPasswords",sshd_PermitEmptyPasswords) -}}
+{{ render_option("PermitOpen",sshd_PermitOpen) -}}
+{{ render_option("PermitRootLogin",sshd_PermitRootLogin) -}}
+{{ render_option("PermitTTY",sshd_PermitTTY) -}}
+{{ render_option("PermitTunnel",sshd_PermitTunnel) -}}
+{{ render_option("PermitUserEnvironment",sshd_PermitUserEnvironment) -}}
+{{ render_option("PidFile",sshd_PidFile) -}}
+{{ render_option("Port",sshd_Port) -}}
+{{ render_option("PrintLastLog",sshd_PrintLastLog) -}}
+{{ render_option("PrintMotd",sshd_PrintMotd) -}}
+{{ render_option("Protocol",sshd_Protocol) -}}
+{{ render_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
+{{ render_option("RSAAuthentication",sshd_RSAAuthentication) -}}
+{{ render_option("RekeyLimit",sshd_RekeyLimit) -}}
+{{ render_option("RevokedKeys",sshd_RevokedKeys) -}}
+{{ render_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
+{{ render_option("ServerKeyBits",sshd_ServerKeyBits) -}}
+{{ render_option("StrictModes",sshd_StrictModes) -}}
+{{ render_option("Subsystem",sshd_Subsystem) -}}
+{{ render_option("SyslogFacility",sshd_SyslogFacility) -}}
+{{ render_option("TCPKeepAlive",sshd_TCPKeepAlive) -}}
+{{ render_option("TcpRcvBufPoll",sshd_TcpRcvBufPoll) -}}
+{{ render_option("TrustedUserCAKeys",sshd_TrustedUserCAKeys) -}}
+{{ render_option("UseDNS",sshd_UseDNS) -}}
+{{ render_option("UseLogin",sshd_UseLogin) -}}
+{{ render_option("UsePAM",sshd_UsePAM) -}}
+{{ render_option("UsePrivilegeSeparation",sshd_UsePrivilegeSeparation) -}}
+{{ render_option("VersionAddendum",sshd_VersionAddendum) -}}
+{{ render_option("X11DisplayOffset",sshd_X11DisplayOffset) -}}
+{{ render_option("X11Forwarding",sshd_X11Forwarding) -}}
+{{ render_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
+{{ render_option("XAuthLocation",sshd_XAuthLocation) -}}
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 0cbb151..dfa6a10 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
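Review bot: Nothing in this template tells a maintainer that it is the output of meta/make_option_list (`cat macros.j2` followed by one generated `render_option` call per line of meta/ssh_options), so the macro at the top of the hunk is a copy of meta/macros.j2, and the two had already drifted before this commit (the removed `sshd_multiline` here lacked the `is string` branch that macros.j2's version had). A marker in meta/macros.j2 directly after `# {{ ansible_managed }}`, such as `# Generated by meta/make_option_list from meta/macros.j2 and meta/ssh_options; do not edit by hand`, would be carried into both this template and the rendered sshd_config, where `#` lines are comments. The `null`-value fall-through into `{% for i in value %}` raised on the meta/macros.j2 hunk applies equally to this copy of the macro.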
@@ -5,4 +5,10 @@ sshd_packages:
 - openssh-blacklist
 - openssh-blacklist-extra
 - openssh-sftp-server
-sshd_sftp_server: /usr/lib/openssh/sftp-server
+sshd_defaults:
+ ChallengeResponseAuthentication: no
+ X11Forwarding: yes
+ PrintMotd: no
+ AcceptEnv: LANG LC_*
+ Subsystem: sftp {{ sshd_sftp_server }}
+ UsePAM: yes
diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml
index f82eb04..720d6b6 100644
--- a/vars/FreeBSD.yml
+++ b/vars/FreeBSD.yml
@@ -1,5 +1,5 @@
 ---
-sshd_service: sshd
 sshd_packages: []
 sshd_group: wheel
 sshd_sftp_server: /usr/libexec/sftp-server
+sshd_defaults: {}
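Review bot: The new `sshd_defaults` entries spell booleans as `no`/`yes`, which a YAML 1.1 loader (Ansible's included) turns into real booleans; the rendered config comes out right only because `render_option` maps `true`/`false` back to `yes`/`no`, and a YAML 1.2 parser or linter reading this file would see strings instead. Write them as `true`/`false` (or quote them, `"no"`) so the intended type is explicit rather than a loader artefact. Note also that these defaults set no authentication-policy keys (`PermitRootLogin` and `PasswordAuthentication` are absent), so sshd's compiled-in defaults apply unless the caller supplies them; since the role now owns the whole sshd_config, that is worth stating in the README.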
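Review bot: `sshd_defaults: {}` on the last line, together with the removal of the `sshd_force_sftp`/`Subsystem sftp` block from meta/macros.j2 earlier in this diff, means a FreeBSD host no longer gets a `Subsystem sftp` line unless the caller sets `sshd_Subsystem` or `sshd` itself, and the `sshd_sftp_server: /usr/libexec/sftp-server` context line above is now unreferenced on this platform. If sftp should stay enabled by default as it was before, mirror vars/Debian.yml with `sshd_defaults:` followed by `  Subsystem: sftp {{ sshd_sftp_server }}`. The dropped `sshd_service: sshd` is covered by the identical value in defaults/main.yml.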