From 10b34a964df924bc2656ae8c6d4f3616a1ee5107 Mon Sep 17 00:00:00 2001
From: Andrew Schoen
Date: Wed, 1 Apr 2015 15:43:48 -0500
Subject: [PATCH] Customized the fedora 20 sshd_config

This adds MaxSessions and {{ ansible_managed }}, but also removes all the commented out / disabled options. We're only doing this for readability.

Signed-off-by: Andrew Schoen
---
 .../templates/ssh/sshd_config_fedora_20 | 130 +-----------------
 1 file changed, 2 insertions(+), 128 deletions(-)

diff --git a/roles/testnode/templates/ssh/sshd_config_fedora_20 b/roles/testnode/templates/ssh/sshd_config_fedora_20
index 3430821..c310deb 100755
--- a/roles/testnode/templates/ssh/sshd_config_fedora_20
+++ b/roles/testnode/templates/ssh/sshd_config_fedora_20
@@ -1,141 +1,23 @@
+# {{ ansible_managed }}
 # $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
-# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-# If you want to change the port on a SELinux system, you have to tell
-# SELinux about this change.
-# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
-#
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-# The default requires explicit activation of protocol 1
-#Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
 SyslogFacility AUTHPRIV
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-#RSAAuthentication yes
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# 
RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
 PasswordAuthentication no
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
 ChallengeResponseAuthentication no
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-#KerberosUseKuserok yes
-
 # GSSAPI options
-#GSSAPIAuthentication no
 GSSAPIAuthentication yes
-#GSSAPICleanupCredentials yes
 GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
-# problems.
-#UsePAM no
 UsePAM yes
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
 X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
 UsePrivilegeSeparation sandbox # Default for new installations.
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#ShowPatchLevel no
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
 # Accept locale-related environment variables
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
@@ -146,12 +28,4 @@ AcceptEnv XMODIFIERS
 # override default of no subsystems
 Subsystem sftp /usr/libexec/openssh/sftp-server
-# Uncomment this if you want to use .local domain
-#Host *.local
-# CheckHostIP no
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# ForceCommand cvs server
\ No newline at end of file
+MaxSessions 1000
-- 
2.39.5
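Review bot: With the default-documenting comments stripped from the first hunk, the rendered file no longer shows that `PermitRootLogin` is left at its compiled-in default, which the removed `#PermitRootLogin yes` line (and the removed note that commented options show their default value) indicate is `yes` on this build; the same applies to `MaxAuthTries` and `LoginGraceTime`. Since the point of the commit is readability, the options that the role actually relies on should be stated explicitly rather than inherited silently, e.g. a `PermitRootLogin` line set to whatever the test nodes genuinely need, next to `PasswordAuthentication no`. If root access over SSH is required for these hosts, a one-line comment saying so would keep the next reader from treating the omission as an oversight.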
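Review bot: `MaxSessions 1000` in the second hunk is added with no comment, and a 100x increase over the default (`#MaxSessions 10` in the removed text) is the kind of value the next maintainer will want a reason for. Note that MaxSessions only bounds multiplexed sessions per authenticated connection; the number of concurrent unauthenticated connections is still governed by `MaxStartups`, whose documented default `10:30:100` was also removed from the template, so this line does not raise that limit. A short comment above it would do, e.g. `# Raised from the default of 10: [why — placeholder, e.g. the harness multiplexes many sessions over one connection]`, and placing it with the other authentication settings near `PasswordAuthentication no` rather than after `Subsystem sftp` would keep related options together. The name of the role suggests these are test hosts, but that is inferred rather than stated in the diff.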