iac/modules/sshd/files/sshd_config.tftpl

Protocol 2

%{if !use_socket_activation}
AddressFamily ${address_family}
%{for listen_address in listen_addresses}
ListenAddress ${listen_address}
%{endfor}
Port ${listen_port}
%{if listen_unix}
ListenAddress unix:/var/run/sshd/sock
%{endif}
%{endif}

StrictModes yes
UseDNS no
Subsystem sftp internal-sftp

%{if allow_users != ""}
AllowUsers ${allow_users}
%{endif}
%{if allow_groups != ""}
AllowGroups ${allow_groups}
%{endif}

AllowAgentForwarding %{if sftp_only}no%{else}yes%{endif}  # According to documentation: Note that disabling agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
AllowTcpForwarding %{if allow_tcp_forwarding}yes%{else}no%{endif}
GatewayPorts no
PermitTunnel no
X11Forwarding no

AuthenticationMethods publickey
PubkeyAuthentication yes
KbdInteractiveAuthentication no
# KerberosAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PermitUserEnvironment no
PermitUserRC no

CASignatureAlgorithms ecdsa-sha2-nistp384
Ciphers ${ciphers_algos}
Macs ${macs_algos}
KexAlgorithms ${key_exchange_algos}
HostKeyAlgorithms ${host_key_algorithms}
PubkeyAcceptedAlgorithms ${pub_key_accepted_algorithms}
RekeyLimit ${rekey_limit.size} ${rekey_limit.time}
%{for host_key in host_keys~}
HostKey ${host_key}
%{endfor}
AuthorizedKeysCommand = /usr/libexec/ssh-key-dir %u
AuthorizedKeysCommandUser root

ClientAliveCountMax ${client_alive_count_max}
ClientAliveInterval ${client_alive_interval}
MaxAuthTries ${max_auth_tries}
MaxSessions ${max_sessions}
MaxStartups ${max_startups}

%{for chrooted_user in chrooted_users}
Match User ${chrooted_user.username}
%{if sftp_only}
ForceCommand internal-sftp
%{endif}
ChrootDirectory ${chrooted_user.chroot}
%{endfor}

%{if listen_unix}
Match LocalAddress /var/run/sshd/sock
PermitRootLogin yes
%{endif}

Match all
initial 2024-06-04 09:25:59 +00:00			`Protocol 2`

			`%{if !use_socket_activation}`
			`AddressFamily ${address_family}`
			`%{for listen_address in listen_addresses}`
			`ListenAddress ${listen_address}`
			`%{endfor}`
			`Port ${listen_port}`
			`%{if listen_unix}`
			`ListenAddress unix:/var/run/sshd/sock`
			`%{endif}`
			`%{endif}`

			`StrictModes yes`
			`UseDNS no`
			`Subsystem sftp internal-sftp`

			`%{if allow_users != ""}`
			`AllowUsers ${allow_users}`
			`%{endif}`
			`%{if allow_groups != ""}`
			`AllowGroups ${allow_groups}`
			`%{endif}`

			`AllowAgentForwarding %{if sftp_only}no%{else}yes%{endif} # According to documentation: Note that disabling agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.`
			`AllowTcpForwarding %{if allow_tcp_forwarding}yes%{else}no%{endif}`
			`GatewayPorts no`
			`PermitTunnel no`
			`X11Forwarding no`

			`AuthenticationMethods publickey`
			`PubkeyAuthentication yes`
			`KbdInteractiveAuthentication no`
			`# KerberosAuthentication no`
			`PasswordAuthentication no`
			`PermitEmptyPasswords no`
			`PermitRootLogin no`
			`PermitUserEnvironment no`
			`PermitUserRC no`

			`CASignatureAlgorithms ecdsa-sha2-nistp384`
			`Ciphers ${ciphers_algos}`
			`Macs ${macs_algos}`
			`KexAlgorithms ${key_exchange_algos}`
			`HostKeyAlgorithms ${host_key_algorithms}`
			`PubkeyAcceptedAlgorithms ${pub_key_accepted_algorithms}`
			`RekeyLimit ${rekey_limit.size} ${rekey_limit.time}`
			`%{for host_key in host_keys~}`
			`HostKey ${host_key}`
			`%{endfor}`
			`AuthorizedKeysCommand = /usr/libexec/ssh-key-dir %u`
			`AuthorizedKeysCommandUser root`

			`ClientAliveCountMax ${client_alive_count_max}`
			`ClientAliveInterval ${client_alive_interval}`
			`MaxAuthTries ${max_auth_tries}`
			`MaxSessions ${max_sessions}`
			`MaxStartups ${max_startups}`

			`%{for chrooted_user in chrooted_users}`
			`Match User ${chrooted_user.username}`
			`%{if sftp_only}`
			`ForceCommand internal-sftp`
			`%{endif}`
			`ChrootDirectory ${chrooted_user.chroot}`
			`%{endfor}`

			`%{if listen_unix}`
			`Match LocalAddress /var/run/sshd/sock`
			`PermitRootLogin yes`
			`%{endif}`

			`Match all`