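m4_divert(-1) ### -*-m4-*-
### SSH server configuration skeleton.
###
### This file is maintained on ibanez: edit it there and run `update-slaves'.
###
### Expanding this template is not a passive step: it runs shell commands
### through m4_esyscmd (to detect the operating system and to look for
### kermit-sshsub) and it includes /etc/ssh/sshd_config.local.m4 when that
### file exists.  Whoever runs m4 therefore has to trust this file and the
### local override file as much as the resulting sshd_config, and the
### commands are evaluated on the machine running m4, which has to be the
### target host for the results to mean anything.

### Diversion map.
###
### 10 general networking
### 20 host keys and certificates
### 30 local system configuration
### 40 authentication
### 50 permitted user environment
### 60 subsystems
### 90 match blocks (95 holds the trusted-network Match block)
### 99, 100 closing comments
###
### Anything emitted into a diversion numbered above 95 ends up inside the
### Match block in diversion 95, because a Match block extends to the next
### Match line or to the end of the file.

###--------------------------------------------------------------------------
### Do-not-edit banners.

m4_divert(0)m4_dnl
### -*-conf-*- GENERATED FROM sshd_config.m4: DO NOT EDIT!
###
### SSH server configuration.

m4_divert(100)m4_dnl
### GENERATED FROM sshd_config.m4: DO NOT EDIT!
m4_divert(-1)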
27
28###--------------------------------------------------------------------------
29### M4 machinery.
30
## Switch the quote characters to square brackets so that the apostrophes
## and backticks that appear in comments and shell fragments below are not
## taken for m4 quotes.
m4_changequote([, ])
## nl expands to a single literal newline.  It is used where a newline has
## to survive as data, e.g. to match the trailing newline in the output of a
## shell command captured with m4_esyscmd.
m4_define([nl], [
])
34
## FOREACH(what, list)
##
## The LIST is a comma-separated list of things, like an m4 argument list.
## For each item in the list, expand WHAT as if it's the body of a macro with
## the list item as its arguments.  In other words, the list item itself can
## be a list of comma-separated items, which are available as $1, $2, ...,
## within WHAT.
##
## _FOREACH is the recursive worker: it applies _foreach_func to its first
## argument and, while more than one argument remains, recurses on the rest.
## Note that an empty LIST is still one (empty) argument to _FOREACH, so WHAT
## is expanded once with empty arguments rather than zero times; callers
## that need zero expansions must avoid passing an empty list.
m4_define([_FOREACH], [m4_dnl
m4_ifelse([$#], [1], [_foreach_func($1)],
 [_foreach_func($1)[]_FOREACH(m4_shift($@))])])
## FOREACH binds WHAT to the temporary macro _foreach_func only for the
## duration of the walk: pushdef before, popdef after, so any previous
## definition of _foreach_func is restored.
m4_define([FOREACH], [m4_dnl
m4_pushdef([_foreach_func], [$1])m4_dnl
_FOREACH($2)[]m4_dnl
m4_popdef([_foreach_func])])
49
## KEYTYPE(type)
##
## Declare a key type TYPE.  This sets a server key and selects a
## certificate: the private key /etc/ssh/ssh_host_TYPE_key and the
## certificate /etc/ssh/ssh_host_TYPE_key-cert.pub, both of which must be
## present on the target for the type to be offered.  The certificate line
## is only useful if the fleet actually runs a host CA; without one sshd
## reports the missing certificate at start-up, which from recollection is
## logged rather than fatal, but confirm that on the deployed version before
## relying on it.
m4_define([KEYTYPE], [m4_dnl
HostKey /etc/ssh/ssh_host_$1_key
HostCertificate /etc/ssh/ssh_host_$1_key-cert.pub])
57
###--------------------------------------------------------------------------
### Meta-configuration.

## Ports to listen on.  A comma-separated m4 list; each entry becomes its own
## Port directive in diversion 10.  The local override file below may
## redefine it.
m4_define([PORTS], [22])

###--------------------------------------------------------------------------
### Include any local overrides.

## The override file is processed as m4, not as sshd configuration.  It can
## redefine PORTS or KEYTYPE before they are used, and it can push text into
## any output diversion: text it emits precedes this template's text in the
## same diversion, and sshd honours the first value it sees for a directive,
## so such text overrides the defaults that follow.  Because m4 is what
## interprets it, the file can also run commands via m4_esyscmd with the
## privileges of whoever runs m4, so it needs the same ownership and
## permission discipline as sshd_config itself.  sinclude does nothing when
## the file is absent; the trailing divert(-1) puts us back into discard
## mode in case the included file left a diversion selected.
m4_sinclude([/etc/ssh/sshd_config.local.m4])m4_divert(-1)
68
m4_divert(10)m4_dnl
###--------------------------------------------------------------------------
### General network matters.

## Listening port, one Port line per entry in PORTS.  Don't set an address
## here: sshd listens on INADDR_ANY by default, and this is good; it also
## lets a host-specific file override it for special effects (e.g., if
## covering for another server).
FOREACH([Port $1
], [PORTS])m4_dnl

## Protocol version.  Protocol 1 is cryptographically broken and stays off;
## OpenSSH 7.4 and later dropped it entirely and accept this keyword only
## for compatibility.
Protocol 2

## Don't use TCP keepalives: they break connections for no especially good
## reason.  Users can use protocol-level keepalives to keep NAT in line;
## attackers can use other protocols to chew up TCP connections.
TCPKeepAlive no

## On the other hand, suppose that a client opens a number of SSH sessions
## and then crashes.  If there's no output from the server side, the server
## will never notice that these connections are dead, so they'll consume
## process slots and (worse) ptys forever.  We could fix this by turning
## TCP-level keepalives on, but they fire too rapidly in the case where the
## client is suspended or off-net for a while.  Instead, get the server to
## send application-level keepalives after 36 hours.  The count max isn't
## relevant because the TCP session will break before a second keepalive
## is sent, if the client really is unresponsive.  These probes travel
## inside the encrypted channel, so unlike TCP keepalives an on-path
## attacker cannot forge the answers; the price is that a dead client's
## sessions (and ptys) can linger for up to 36 hours.
ClientAliveInterval 129600

## Be relatively generous about authenticating connections.  Allow 10
## concurrent unauthenticated connections, then drop new ones with a
## probability rising linearly from 1% to 100% as the count approaches 60.
## This is the only brake on authentication floods in this file (there is
## no per-source limit), so hosts reachable from untrusted networks should
## pair it with a firewall rate limit.
MaxStartups 10:1:60

## Allow heavy multiplexing.  It's the users' fault if they overload the
## connection.
MaxSessions 64
106
m4_divert(20)m4_dnl
###--------------------------------------------------------------------------
### Host keys and certificates.

## We strongly prefer RSA keys.  OpenSSH hasn't yet caught up with FIPS 186-3
## and larger DSA keys, but allow it anyway for the sake of compatibility.
## Later versions allow elliptic curves which is an improvement but not one
## we can rely on yet.
##
## Security note: an OpenSSH DSA host key is necessarily 1024-bit and signs
## with SHA-1.  OpenSSH clients from 7.0 onwards refuse ssh-dss host keys
## unless explicitly re-enabled, and DSA support is being removed from the
## code base altogether, so drop KEYTYPE(dsa) as soon as no client still
## depends on it (clients that have only the DSA key in known_hosts will
## then be asked to accept the RSA key as new, so publish the RSA key first).
## Once every target runs a release that supports it, add KEYTYPE(ed25519)
## here; older targets would merely log a failure to load the key, but
## check that on the oldest sshd in the fleet before doing so.
KEYTYPE(rsa)
KEYTYPE(dsa)
117
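m4_divert(30)m4_dnl
###--------------------------------------------------------------------------
### Other local system configuration.

## Privilege separation doesn't seem to have any obvious downsides.  (OpenSSH
## 7.5 and later have it permanently on and accept this keyword only for
## compatibility.)
UsePrivilegeSeparation yes

## Logging.  AUTH at INFO records every accepted and refused authentication
## with the source address and, on current releases, the key fingerprint
## used, which is the minimum an incident responder needs from this host.
## VERBOSE additionally logs the fingerprint of every key that was offered
## and refused, if that is wanted.
SyslogFacility AUTH
LogLevel INFO

## Check the ownership and modes of users' home directories and ~/.ssh files
## before trusting them.  With this off, a group- or world-writable home,
## ~/.ssh or authorized_keys lets anyone who can write there plant a key and
## log in as that user, and because PermitUserEnvironment is enabled below,
## the same files become a vector for LD_PRELOAD-style hijacking of that
## account.  Hosts that genuinely need the relaxed behaviour (odd NFS home
## permissions, say) can emit `StrictModes no' into diversion 30 from the
## local override file: sshd honours the first setting of a directive that
## it sees.
StrictModes yes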
131
m4_divert(40)m4_dnl
###--------------------------------------------------------------------------
### Authentication.

## Permitted kinds of authentication.  Cryptographic authentication has
## always been good; passwords are awful but unfortunately necessary.  Don't
## try to do the bizarre cryptographically-reinforced host-based
## authentication: it's just more painful than necessary.  Permit Kerberos
## authentication via GSS, including key exchange.  If hosts need to be
## revoked then that can be done centrally at the KDC: if anything, it's
## even easier than the signature-based scheme.
##
## RSAAuthentication and RhostsRSAAuthentication are protocol-1 keywords.
## OpenSSH 7.4 and later have no protocol 1 and only log that the keywords
## are deprecated, so both can go once no older sshd is left in the fleet.
## Note that the GSSAPI lines are commented out: despite the paragraph
## above, Kerberos is not actually enabled by this template.
RSAAuthentication yes
PubkeyAuthentication yes
##GSSAPIAuthentication yes
##GSSAPIKeyExchange yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

## Password configuration.  Turn off PAM challenge/response authentication
## (somewhat sadly) because it can override some of our other policy
## settings.  Don't actually allow passwords here: we'll allow them from
## trusted hosts later.
##
## ChallengeResponseAuthentication was renamed KbdInteractiveAuthentication
## in OpenSSH 8.7; the old name is still accepted as an alias.  UsePAM is
## emitted on everything except OpenBSD, decided by running uname on the
## machine where this template is expanded (the nl on the OpenBSD side
## matches the trailing newline uname prints), so expansion has to happen on
## the target host for the test to be meaningful.  With password and
## challenge-response authentication off, PAM is still consulted for account
## and session management, and any password authentication enabled in a
## Match block below is checked through the PAM password stack.
PasswordAuthentication no
LoginGraceTime 120
PermitEmptyPasswords no
ChallengeResponseAuthentication no
m4_ifelse(m4_esyscmd([uname]), [OpenBSD]nl, [m4_dnl], [UsePAM yes])

## Don't allow root in here.  We can override this setting in a per-host
## match later.
PermitRootLogin no

## Authentication attempts.  Users get little control over this if they have
## a lot of private keys lying around, so be generous.  Every public key the
## client offers counts as an attempt, which is the case this is sized for.
## Where the Match block below turns passwords on it also means 16 password
## guesses per connection, so those source ranges had better be trusted.
MaxAuthTries 16
168
m4_divert(50)m4_dnl
###--------------------------------------------------------------------------
### Permitted user environment.

## Allow users to set environment variables in their local configuration
## files.  They're already on this side of the airtight hatchway.
##
## Caveat: that argument only holds for accounts that get a shell anyway.
## This enables ~/.ssh/environment and the environment= option in
## authorized_keys, and an account that is meant to get only a forced
## command (ForceCommand, command= on its key, an sftp-only login) can use
## them to set LD_PRELOAD and run arbitrary code as itself on its next login
## if it can write anywhere under its home.  Don't create such accounts on
## these hosts, or give them a home they cannot write to.  OpenSSH 7.8 and
## later accept an allow-list here (PermitUserEnvironment LANG,LC_*), which
## is the proper fix once every target supports it.
PermitUserEnvironment yes

## X and agent forwarding are allowed (but users should be careful not to
## forward me things I shouldn't be allowed to mess with).  Both are
## requested by the client; these lines only let the request succeed.  A
## forwarded agent can be used by root on this host for as long as the
## session lasts, which is what the warning above is about.
AllowAgentForwarding yes
X11Forwarding yes
X11DisplayOffset 10

## Port forwarding is OK.  clientspecified lets a client bind a remote
## forward on all interfaces (ssh -R *:port:...), which exposes whatever it
## forwards to anything that can reach this host.  That is fine behind a
## firewall that decides what is reachable; set it to no on hosts that must
## not become ad hoc relays.
AllowTcpForwarding yes
GatewayPorts clientspecified

## Don't print a message-of-the-day (PAM has probably already done it).
PrintMotd no

## Do print last-login information.
PrintLastLog yes

## Environment variables.  Accept locale-related things and time-zone
## selection.  Keep this list to harmless variables: whatever is accepted
## here arrives from the client before the session command runs, so never
## add PATH, LD_* or anything else that changes what gets executed.
AcceptEnv LANG LC_* TZ
196
m4_divert(60)m4_dnl
###--------------------------------------------------------------------------
### SSH subsystem configuration.

## SFTP.  This is the Debian/Ubuntu path; the BSDs, OpenBSD included, put the
## binary under /usr/libexec, so confirm it per target (sshd only notices a
## wrong path when a client asks for sftp).  The in-process alternative,
## `Subsystem sftp internal-sftp', needs no binary at all and is what a
## ChrootDirectory setup requires.
Subsystem sftp /usr/lib/openssh/sftp-server
## Kermit.  Probe for kermit-sshsub when this template is expanded (on the
## machine running m4, which therefore has to be the target) and declare the
## subsystem only if it is found.  The probe checks two fixed directories
## rather than PATH, and printf without a newline keeps the captured result
## comparable in the ifelse that follows; the value is fixed at define time
## because the esyscmd argument is expanded before the definition is made.
m4_define([_KERMIT_SSHSUB], m4_esyscmd([
sub=none
for i in /usr/local/bin /usr/bin; do
 if test -x $i/kermit-sshsub; then sub=$i/kermit-sshsub; break; fi
done
printf "%s" $sub]))m4_dnl
m4_ifelse(_KERMIT_SSHSUB, [none], [], [m4_dnl
Subsystem kermit _KERMIT_SSHSUB
])m4_dnl
212
m4_divert(90)m4_dnl
###--------------------------------------------------------------------------
### Specific match blocks.

m4_divert(95)m4_dnl
## Allow root logins from within the trusted network.  This is needed to let
## ibanez do its administration thang.
##
## without-password is the pre-7.0 spelling of prohibit-password: root still
## needs a key (or certificate), never a password.  PasswordAuthentication is
## switched on for every account, not just root, on connections from these
## ranges, and together with MaxAuthTries that is 16 guesses per connection
## throttled only by MaxStartups, so the list must contain only networks
## whose hosts are themselves trusted.  Match Address is decided on the
## peer's source address alone, so it is also only as strong as the
## anti-spoofing and routing between those networks and this host.  Keep
## the ranges current: a stale range that is reassigned reopens password
## logins to strangers.
##
## This Match block runs to the end of the generated file, so anything a
## local override emits into a diversion above 95 lands inside it and
## applies only to these addresses.  The dnl at the line ends joins the
## address list into the single line sshd requires.
Match Address 62.49.204.144/28,212.13.198.64/28,172.29.199.0/24,m4_dnl
2001:470:1f09:1b98::/64,2001:470:9740::/49,m4_dnl
2001:ba8:0:1d9::/64,2001:ba8:1d9::/49
 PermitRootLogin without-password
 PasswordAuthentication yes

m4_divert(99)m4_dnl
###------ That's all, folks --------------------------------------------------