# {{ ansible_managed }} {% if sshd_Port_list is defined %} {% for port in sshd_Port_list %} Port {{ port }} {% endfor %} {% endif %} {% if sshd_ListenAddress_list is defined %} {% for address in sshd_ListenAddress_list %} ListenAddress {{ address }} {% endfor %} {% endif %} {% for keyfile in sshd_HostKey_file_list %} HostKey {{ keyfile }} {% endfor %} ChallengeResponseAuthentication no UsePAM yes PrintMotd no AcceptEnv LANG LC_* {% if sshd_sssd_ldap and ((ansible_distribution == "Ubuntu" and ansible_distribution_version is version('20.04', '>=')) or (ansible_distribution == "Debian" and ansible_distribution_version is version('11', '>='))) %} AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommandUser nobody {% endif %} {% if sshd_AllowGroups_list is defined %} AllowGroups {{ sshd_AllowGroups_list | join(' ') }} {% elif ansible_virtualization_role == "host" or ansible_virtualization_role == "NA" %} AllowGroups {{ sshd_default_AllowGroups_list_physical | join(' ') }} {% elif ansible_virtualization_type == "lxc" %} AllowGroups {{ sshd_default_AllowGroups_list_container | join(' ') }} {% else %} AllowGroups {{ sshd_default_AllowGroups_list_virtual_machine | join(' ') }} {% endif %} # BEGIN extended security settings Ciphers {{ sshd_Ciphers | join(',') }} MACs {{ sshd_MACs | join(',') }} KexAlgorithms {{ sshd_KexAlgorithms | join(',') }} TCPKeepAlive no ClientAliveCountMax 4 ClientAliveInterval 30 {% if sshd_RevokedKeys_list is defined %} RevokedKeys /etc/ssh/revoked_keys {% endif %} # END extended security settings {% if sshd_sftp_enabled %} # enable sftp configuration using internal-sftp subsystem for group policies Subsystem sftp internal-sftp {% for item in sshd_sftp_group_access %} # sftp configuration for group {{ item.name }} Match Group {{ item.name }} ForceCommand internal-sftp ChrootDirectory {{ item.ChrootDirectory }} AllowTcpForwarding no AllowAgentForwarding no PermitRootLogin no X11Forwarding no {% endfor %} {% else %} Subsystem sftp /usr/lib/openssh/sftp-server {% endif %}