[distorted-ansible] / roles / common / files / ssh-config / sshd_config.m4

m4_divert(-1) ### -*-m4-*-
### SSH server configuration skeleton.
###
### This file is maintained on ibanez: edit it there and run `update-slaves'.

### Diversion map.
###
###    10	general networking
###    20	host keys and certificates
###    30	local system configuration
###    40	authentication
###    50	permitted user environment
###    60	subsystems
###    90	match blocks

###--------------------------------------------------------------------------
### Do-not-edit banners.

m4_divert(0)m4_dnl
### -*-conf-*-  GENERATED FROM sshd_config.m4: DO NOT EDIT!
###
### SSH server configuration.

m4_divert(100)m4_dnl
### GENERATED FROM sshd_config.m4: NO NOT EDIT!
m4_divert(-1)

###--------------------------------------------------------------------------
### M4 machinery.

m4_changequote([, ])
m4_define([nl], [
])

## FOREACH(what, list)
##
## The LIST is a comma-separated list of things, like an m4 argument list.
## For each item in the list, expand WHAT as if it's the body of a macro with
## the list item as its arguments.  In other words, the list item itself can
## be a list of comma-separated items, which are available as $1, $2, ...,
## within WHAT.
m4_define([_FOREACH], [m4_dnl
m4_ifelse([$#], [1], [_foreach_func($1)],
	[_foreach_func($1)[]_FOREACH(m4_shift($@))])])
m4_define([FOREACH], [m4_dnl
m4_pushdef([_foreach_func], [$1])m4_dnl
_FOREACH($2)[]m4_dnl
m4_popdef([_foreach_func])])

## KEYTYPE(type)
##
## Declare a key type TYPE.  This sets a server key and selects a
## certificate.
m4_define([KEYTYPE], [m4_dnl
HostKey /etc/ssh/ssh_host_$1_key
HostCertificate /etc/ssh/ssh_host_$1_key-cert.pub])

###--------------------------------------------------------------------------
### Meta-configuration.

## Ports to listen on.
m4_define([PORTS], [22])

###--------------------------------------------------------------------------
### Include any local overides.

m4_sinclude([/etc/ssh/sshd_config.local.m4])m4_divert(-1)

m4_divert(10)m4_dnl
###--------------------------------------------------------------------------
### General network matters.

## Listening port.  Don't set an address here: sshd listens on INADDR_ANY by
## default, and this is good; it also lets a host-specific file override it
## for special effects (e.g., if covering for another server).
FOREACH([Port $1
], [PORTS])m4_dnl

## Protocol version.
Protocol 2

## Don't use TCP keepalives: they break connections for no especially good
## reason.  Users can use protocol-level keepalives to keep NAT in line;
## attackers can use other protocols to chew up TCP connections.
TCPKeepAlive no

## On the other hand, suppose that a client opens a number of SSH sessions
## and then crashes.  If there's no output from the server side, the server
## will never notice that these connections are dead, so they'll consume
## process slots and (worse) ptys forever.  We could fix this by turning
## TCP-level keepalives on, but they fire too rapidly in the case where the
## client is suspended or off-net for a while.  Instead, get the server to
## send application-level keepalives after 36 hours.  The count max isn't
## relevant because the TCP session will break before a second keepalive
## is sent, if the client really is unresponsive.
ClientAliveInterval 129600

## Be relatively generous about authenticating connections.  Allow 10
## concurrent connections, and start randomly rejecting connections until we
## top out at 60.
MaxStartups 10:1:60

## Allow heavy multiplexing.  It's the users' fault if they overload the
## connection.
MaxSessions 64

m4_divert(20)m4_dnl
###--------------------------------------------------------------------------
### Host keys and certificates.

## We strongly prefer RSA keys.  OpenSSH hasn't yet caught up with FIPS186--3
## and larger DSA keys, but allow it anyway for the sake of compatibility.
## Later versions allow elliptic curves which is an improvement but not one
## we can rely on yet.
KEYTYPE(rsa)
KEYTYPE(dsa)

m4_divert(30)m4_dnl
###--------------------------------------------------------------------------
### Other local system configuration.

## Privilege separation doesn't seem to have any obvious downsides.
UsePrivilegeSeparation yes

## Logging.
SyslogFacility AUTH
LogLevel INFO

## Don't be picky about file modes.
StrictModes no

m4_divert(40)m4_dnl
###--------------------------------------------------------------------------
### Authentication.

## Permitted kinds of authentication.  Cryptographic authentication has
## always been good; passwords are awful but unfortunately necessary.  Don't
## try to do the bizarre cryptographically-reinforced host-based
## authentication: it's just more painful than necessary.  Permit Kerberos
## authentication via GSS, including key exchange.  If hosts need to be
## revoked then that can be done centrally at the KDC: if anything, it's
## even easier than the signature-based scheme.
RSAAuthentication yes
PubkeyAuthentication yes
##GSSAPIAuthentication yes
##GSSAPIKeyExchange yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

## Password configuration.  Turn off PAM challenge/response authentication
## (somewhat sadly) because it can override some of our other policy
## settings.  Don't actually allow passwords here: we'll allow them from
## trusted hosts later.
PasswordAuthentication no
LoginGraceTime 120
PermitEmptyPasswords no
ChallengeResponseAuthentication no
m4_ifelse(m4_esyscmd([uname]), [OpenBSD]nl, [m4_dnl], [UsePAM yes])

## Don't allow root in here.  We can override this setting in a per-host
## match later.
PermitRootLogin no

## Authentication attempts.  Users get little control over this if they have
## a lot of private keys lying around, so be generous.
MaxAuthTries 16

m4_divert(50)m4_dnl
###--------------------------------------------------------------------------
### Permitted user environment.

## Allow users to set environment variables in their local configuration
## files.  They're already on this side of the airtight hatchway.
PermitUserEnvironment yes

## X and agent forwarding are allowed (but users should be careful not to
## forward me things I shouldn't be allowed to mess with).
AllowAgentForwarding yes
X11Forwarding yes
X11DisplayOffset 10

## Port forwarding is OK.
AllowTcpForwarding yes
GatewayPorts clientspecified

## Don't print a message-of-the-day (PAM has probably already done it).
PrintMotd no

## Do print last-login information.
PrintLastLog yes

## Environment variables.  Accept locale-related things and time-zone
## selection.
AcceptEnv LANG LC_* TZ

m4_divert(60)m4_dnl
###--------------------------------------------------------------------------
### SSH subsystem configuration.

## SFTP.
Subsystem sftp /usr/lib/openssh/sftp-server
m4_define([_KERMIT_SSHSUB], m4_esyscmd([
sub=none
for i in /usr/local/bin /usr/bin; do
  if test -x $i/kermit-sshsub; then sub=$i/kermit-sshsub; break; fi
done
printf "%s" $sub]))m4_dnl
m4_ifelse(_KERMIT_SSHSUB, [none], [], [m4_dnl
Subsystem kermit _KERMIT_SSHSUB
])m4_dnl

m4_divert(90)m4_dnl
###--------------------------------------------------------------------------
### Specific match blocks.

m4_divert(95)m4_dnl
## Allow root logins from within the trusted network.  This is needed to let
## ibanez do its administration thang.
Match Address 62.49.204.144/28,212.13.198.64/28,172.29.199.0/24,m4_dnl
2001:470:1f09:1b98::/64,2001:470:9740::/49,m4_dnl
2001:ba8:0:1d9::/64,2001:ba8:1d9::/49
	PermitRootLogin without-password
	PasswordAuthentication yes

m4_divert(99)m4_dnl
###------ That's all, folks --------------------------------------------------
Commit	Line	Data
3f6c5992 MW	1	m4_divert(-1) ### --m4--
	2	### SSH server configuration skeleton.
	3	###
	4	### This file is maintained on ibanez: edit it there and run `update-slaves'.
	5
	6	### Diversion map.
	7	###
	8	### 10 general networking
	9	### 20 host keys and certificates
	10	### 30 local system configuration
	11	### 40 authentication
	12	### 50 permitted user environment
	13	### 60 subsystems
	14	### 90 match blocks
	15
	16	###--------------------------------------------------------------------------
	17	### Do-not-edit banners.
	18
	19	m4_divert(0)m4_dnl
	20	### --conf-- GENERATED FROM sshd_config.m4: DO NOT EDIT!
	21	###
	22	### SSH server configuration.
	23
	24	m4_divert(100)m4_dnl
	25	### GENERATED FROM sshd_config.m4: NO NOT EDIT!
	26	m4_divert(-1)
	27
	28	###--------------------------------------------------------------------------
	29	### M4 machinery.
	30
	31	m4_changequote([, ])
	32	m4_define([nl], [
	33	])
	34
	35	## FOREACH(what, list)
	36	##
	37	## The LIST is a comma-separated list of things, like an m4 argument list.
	38	## For each item in the list, expand WHAT as if it's the body of a macro with
	39	## the list item as its arguments. In other words, the list item itself can
	40	## be a list of comma-separated items, which are available as $1, $2, ...,
	41	## within WHAT.
	42	m4_define([_FOREACH], [m4_dnl
	43	m4_ifelse([$#], [1], [_foreach_func($1)],
	44	[_foreach_func($1)[]_FOREACH(m4_shift($@))])])
	45	m4_define([FOREACH], [m4_dnl
	46	m4_pushdef([_foreach_func], [$1])m4_dnl
	47	_FOREACH($2)[]m4_dnl
	48	m4_popdef([_foreach_func])])
	49
	50	## KEYTYPE(type)
	51	##
	52	## Declare a key type TYPE. This sets a server key and selects a
	53	## certificate.
	54	m4_define([KEYTYPE], [m4_dnl
	55	HostKey /etc/ssh/ssh_host_$1_key
	56	HostCertificate /etc/ssh/ssh_host_$1_key-cert.pub])
	57
	58	###--------------------------------------------------------------------------
	59	### Meta-configuration.
	60
	61	## Ports to listen on.
	62	m4_define([PORTS], [22])
	63
	64	###--------------------------------------------------------------------------
65	### Include any local overides.
66
67	m4_sinclude([/etc/ssh/sshd_config.local.m4])m4_divert(-1)
68
69	m4_divert(10)m4_dnl
70	###--------------------------------------------------------------------------
71	### General network matters.
72
73	## Listening port. Don't set an address here: sshd listens on INADDR_ANY by
74	## default, and this is good; it also lets a host-specific file override it
75	## for special effects (e.g., if covering for another server).
76	FOREACH([Port $1
77	], [PORTS])m4_dnl
78
79	## Protocol version.
80	Protocol 2
81
82	## Don't use TCP keepalives: they break connections for no especially good
83	## reason. Users can use protocol-level keepalives to keep NAT in line;
84	## attackers can use other protocols to chew up TCP connections.
85	TCPKeepAlive no
86
87	## On the other hand, suppose that a client opens a number of SSH sessions
88	## and then crashes. If there's no output from the server side, the server
89	## will never notice that these connections are dead, so they'll consume
90	## process slots and (worse) ptys forever. We could fix this by turning
91	## TCP-level keepalives on, but they fire too rapidly in the case where the
92	## client is suspended or off-net for a while. Instead, get the server to
93	## send application-level keepalives after 36 hours. The count max isn't
94	## relevant because the TCP session will break before a second keepalive
95	## is sent, if the client really is unresponsive.
96	ClientAliveInterval 129600
97
98	## Be relatively generous about authenticating connections. Allow 10
99	## concurrent connections, and start randomly rejecting connections until we
100	## top out at 60.
101	MaxStartups 10:1:60
102
103	## Allow heavy multiplexing. It's the users' fault if they overload the
104	## connection.
105	MaxSessions 64
106
107	m4_divert(20)m4_dnl
108	###--------------------------------------------------------------------------
109	### Host keys and certificates.
110
111	## We strongly prefer RSA keys. OpenSSH hasn't yet caught up with FIPS186--3
112	## and larger DSA keys, but allow it anyway for the sake of compatibility.
113	## Later versions allow elliptic curves which is an improvement but not one
114	## we can rely on yet.
115	KEYTYPE(rsa)
116	KEYTYPE(dsa)
117
118	m4_divert(30)m4_dnl
119	###--------------------------------------------------------------------------
120	### Other local system configuration.
121
122	## Privilege separation doesn't seem to have any obvious downsides.
123	UsePrivilegeSeparation yes
124
125	## Logging.
126	SyslogFacility AUTH
127	LogLevel INFO
128
129	## Don't be picky about file modes.
130	StrictModes no
131
132	m4_divert(40)m4_dnl
133	###--------------------------------------------------------------------------
134	### Authentication.
135
136	## Permitted kinds of authentication. Cryptographic authentication has
137	## always been good; passwords are awful but unfortunately necessary. Don't
138	## try to do the bizarre cryptographically-reinforced host-based
139	## authentication: it's just more painful than necessary. Permit Kerberos
140	## authentication via GSS, including key exchange. If hosts need to be
141	## revoked then that can be done centrally at the KDC: if anything, it's
142	## even easier than the signature-based scheme.
143	RSAAuthentication yes
144	PubkeyAuthentication yes
145	##GSSAPIAuthentication yes
146	##GSSAPIKeyExchange yes
147	IgnoreRhosts yes
148	RhostsRSAAuthentication no
149	HostbasedAuthentication no
150
151	## Password configuration. Turn off PAM challenge/response authentication
152	## (somewhat sadly) because it can override some of our other policy
153	## settings. Don't actually allow passwords here: we'll allow them from
154	## trusted hosts later.
155	PasswordAuthentication no
156	LoginGraceTime 120
157	PermitEmptyPasswords no
158	ChallengeResponseAuthentication no
159	m4_ifelse(m4_esyscmd([uname]), [OpenBSD]nl, [m4_dnl], [UsePAM yes])
160
161	## Don't allow root in here. We can override this setting in a per-host
162	## match later.
163	PermitRootLogin no
164
165	## Authentication attempts. Users get little control over this if they have
166	## a lot of private keys lying around, so be generous.
167	MaxAuthTries 16
168
169	m4_divert(50)m4_dnl
170	###--------------------------------------------------------------------------
171	### Permitted user environment.
172
173	## Allow users to set environment variables in their local configuration
174	## files. They're already on this side of the airtight hatchway.
175	PermitUserEnvironment yes
176
177	## X and agent forwarding are allowed (but users should be careful not to
178	## forward me things I shouldn't be allowed to mess with).
179	AllowAgentForwarding yes
180	X11Forwarding yes
181	X11DisplayOffset 10
182
183	## Port forwarding is OK.
184	AllowTcpForwarding yes
185	GatewayPorts clientspecified
186
187	## Don't print a message-of-the-day (PAM has probably already done it).
188	PrintMotd no
189
190	## Do print last-login information.
191	PrintLastLog yes
192
193	## Environment variables. Accept locale-related things and time-zone
194	## selection.
195	AcceptEnv LANG LC_* TZ
196
197	m4_divert(60)m4_dnl
198	###--------------------------------------------------------------------------
199	### SSH subsystem configuration.
200
201	## SFTP.
202	Subsystem sftp /usr/lib/openssh/sftp-server
203	m4_define([_KERMIT_SSHSUB], m4_esyscmd([
204	sub=none
205	for i in /usr/local/bin /usr/bin; do
206	if test -x $i/kermit-sshsub; then sub=$i/kermit-sshsub; break; fi
207	done
208	printf "%s" $sub]))m4_dnl
209	m4_ifelse(_KERMIT_SSHSUB, [none], [], [m4_dnl
210	Subsystem kermit _KERMIT_SSHSUB
211	])m4_dnl
212
213	m4_divert(90)m4_dnl
214	###--------------------------------------------------------------------------
215	### Specific match blocks.
216
217	m4_divert(95)m4_dnl
218	## Allow root logins from within the trusted network. This is needed to let
219	## ibanez do its administration thang.
220	Match Address 62.49.204.144/28,212.13.198.64/28,172.29.199.0/24,m4_dnl
221	2001:470:1f09:1b98::/64,2001:470:9740::/49,m4_dnl
222	2001:ba8:0:1d9::/64,2001:ba8:1d9::/49
223	PermitRootLogin without-password
224	PasswordAuthentication yes
225
226	m4_divert(99)m4_dnl
227	###------ That's all, folks --------------------------------------------------