Very early initial commit.

[distorted-ansible] / roles / common / files / ssh-config / sshd_config.m4

m4_divert(-1) ### -*-m4-*-
### SSH server configuration skeleton.
###
### This file is maintained on ibanez: edit it there and run `update-slaves'.

### Diversion map.
###
###    10       general networking
###    20       host keys and certificates
###    30       local system configuration
###    40       authentication
###    50       permitted user environment
###    60       subsystems
###    90       match blocks

###--------------------------------------------------------------------------
### Do-not-edit banners.

m4_divert(0)m4_dnl
### -*-conf-*-  GENERATED FROM sshd_config.m4: DO NOT EDIT!
###
### SSH server configuration.

m4_divert(100)m4_dnl
### GENERATED FROM sshd_config.m4: NO NOT EDIT!
m4_divert(-1)

###--------------------------------------------------------------------------
### M4 machinery.

m4_changequote([, ])
m4_define([nl], [
])

## FOREACH(what, list)
##
## The LIST is a comma-separated list of things, like an m4 argument list.
## For each item in the list, expand WHAT as if it's the body of a macro with
## the list item as its arguments.  In other words, the list item itself can
## be a list of comma-separated items, which are available as $1, $2, ...,
## within WHAT.
m4_define([_FOREACH], [m4_dnl
m4_ifelse([$#], [1], [_foreach_func($1)],
        [_foreach_func($1)[]_FOREACH(m4_shift($@))])])
m4_define([FOREACH], [m4_dnl
m4_pushdef([_foreach_func], [$1])m4_dnl
_FOREACH($2)[]m4_dnl
m4_popdef([_foreach_func])])

## KEYTYPE(type)
##
## Declare a key type TYPE.  This sets a server key and selects a
## certificate.
m4_define([KEYTYPE], [m4_dnl
HostKey /etc/ssh/ssh_host_$1_key
HostCertificate /etc/ssh/ssh_host_$1_key-cert.pub])

###--------------------------------------------------------------------------
### Meta-configuration.

## Ports to listen on.
m4_define([PORTS], [22])

###--------------------------------------------------------------------------
### Include any local overides.

m4_sinclude([/etc/ssh/sshd_config.local.m4])m4_divert(-1)

m4_divert(10)m4_dnl
###--------------------------------------------------------------------------
### General network matters.

## Listening port.  Don't set an address here: sshd listens on INADDR_ANY by
## default, and this is good; it also lets a host-specific file override it
## for special effects (e.g., if covering for another server).
FOREACH([Port $1
], [PORTS])m4_dnl

## Protocol version.
Protocol 2

## Don't use TCP keepalives: they break connections for no especially good
## reason.  Users can use protocol-level keepalives to keep NAT in line;
## attackers can use other protocols to chew up TCP connections.
TCPKeepAlive no

## On the other hand, suppose that a client opens a number of SSH sessions
## and then crashes.  If there's no output from the server side, the server
## will never notice that these connections are dead, so they'll consume
## process slots and (worse) ptys forever.  We could fix this by turning
## TCP-level keepalives on, but they fire too rapidly in the case where the
## client is suspended or off-net for a while.  Instead, get the server to
## send application-level keepalives after 36 hours.  The count max isn't
## relevant because the TCP session will break before a second keepalive
## is sent, if the client really is unresponsive.
ClientAliveInterval 129600

## Be relatively generous about authenticating connections.  Allow 10
## concurrent connections, and start randomly rejecting connections until we
## top out at 60.
MaxStartups 10:1:60

## Allow heavy multiplexing.  It's the users' fault if they overload the
## connection.
MaxSessions 64

m4_divert(20)m4_dnl
###--------------------------------------------------------------------------
### Host keys and certificates.

## We strongly prefer RSA keys.  OpenSSH hasn't yet caught up with FIPS186--3
## and larger DSA keys, but allow it anyway for the sake of compatibility.
## Later versions allow elliptic curves which is an improvement but not one
## we can rely on yet.
KEYTYPE(rsa)
KEYTYPE(dsa)

m4_divert(30)m4_dnl
###--------------------------------------------------------------------------
### Other local system configuration.

## Privilege separation doesn't seem to have any obvious downsides.
UsePrivilegeSeparation yes

## Logging.
SyslogFacility AUTH
LogLevel INFO

## Don't be picky about file modes.
StrictModes no

m4_divert(40)m4_dnl
###--------------------------------------------------------------------------
### Authentication.

## Permitted kinds of authentication.  Cryptographic authentication has
## always been good; passwords are awful but unfortunately necessary.  Don't
## try to do the bizarre cryptographically-reinforced host-based
## authentication: it's just more painful than necessary.  Permit Kerberos
## authentication via GSS, including key exchange.  If hosts need to be
## revoked then that can be done centrally at the KDC: if anything, it's
## even easier than the signature-based scheme.
RSAAuthentication yes
PubkeyAuthentication yes
##GSSAPIAuthentication yes
##GSSAPIKeyExchange yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

## Password configuration.  Turn off PAM challenge/response authentication
## (somewhat sadly) because it can override some of our other policy
## settings.  Don't actually allow passwords here: we'll allow them from
## trusted hosts later.
PasswordAuthentication no
LoginGraceTime 120
PermitEmptyPasswords no
ChallengeResponseAuthentication no
m4_ifelse(m4_esyscmd([uname]), [OpenBSD]nl, [m4_dnl], [UsePAM yes])

## Don't allow root in here.  We can override this setting in a per-host
## match later.
PermitRootLogin no

## Authentication attempts.  Users get little control over this if they have
## a lot of private keys lying around, so be generous.
MaxAuthTries 16

m4_divert(50)m4_dnl
###--------------------------------------------------------------------------
### Permitted user environment.

## Allow users to set environment variables in their local configuration
## files.  They're already on this side of the airtight hatchway.
PermitUserEnvironment yes

## X and agent forwarding are allowed (but users should be careful not to
## forward me things I shouldn't be allowed to mess with).
AllowAgentForwarding yes
X11Forwarding yes
X11DisplayOffset 10

## Port forwarding is OK.
AllowTcpForwarding yes
GatewayPorts clientspecified

## Don't print a message-of-the-day (PAM has probably already done it).
PrintMotd no

## Do print last-login information.
PrintLastLog yes

## Environment variables.  Accept locale-related things and time-zone
## selection.
AcceptEnv LANG LC_* TZ

m4_divert(60)m4_dnl
###--------------------------------------------------------------------------
### SSH subsystem configuration.

## SFTP.
Subsystem sftp /usr/lib/openssh/sftp-server
m4_define([_KERMIT_SSHSUB], m4_esyscmd([
sub=none
for i in /usr/local/bin /usr/bin; do
  if test -x $i/kermit-sshsub; then sub=$i/kermit-sshsub; break; fi
done
printf "%s" $sub]))m4_dnl
m4_ifelse(_KERMIT_SSHSUB, [none], [], [m4_dnl
Subsystem kermit _KERMIT_SSHSUB
])m4_dnl

m4_divert(90)m4_dnl
###--------------------------------------------------------------------------
### Specific match blocks.

m4_divert(95)m4_dnl
## Allow root logins from within the trusted network.  This is needed to let
## ibanez do its administration thang.
Match Address 62.49.204.144/28,212.13.198.64/28,172.29.199.0/24,m4_dnl
2001:470:1f09:1b98::/64,2001:470:9740::/49,m4_dnl
2001:ba8:0:1d9::/64,2001:ba8:1d9::/49
        PermitRootLogin without-password
        PasswordAuthentication yes

m4_divert(99)m4_dnl
###------ That's all, folks --------------------------------------------------