ansible-hardening/templates/sshd_config_block.j2

{% if security_sshd_disallow_empty_password | bool %}
# V-71939 / RHEL-07-010440
PermitEmptyPasswords no
{% endif %}
{% if security_sshd_disallow_environment_override | bool %}
# V-71957
PermitUserEnvironment no
{% endif %}
{% if security_sshd_disallow_host_based_auth | bool %}
# V-71959
HostbasedAuthentication no
{% endif %}
# V-72221
Ciphers {{ security_sshd_cipher_list }}
# V-72237
ClientAliveInterval {{ security_sshd_client_alive_interval }}
# V-72241
ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
{% if security_sshd_print_last_log | bool %}
# V-72245
PrintLastLog yes
{% endif %}
{% if security_sshd_permit_root_login | string in ['False', 'True', 'without-password', 'prohibit-password', 'forced-commands-only', 'no', 'yes' ] %}
{%   if security_sshd_permit_root_login | string in ['False', 'True'] %}
{%     set _security_sshd_permit_root_login = ((security_sshd_permit_root_login | bool) | ternary('yes','no')) %}
{%   else %}
{%     set _security_sshd_permit_root_login = security_sshd_permit_root_login %}
{%   endif %}
# V-72247
PermitRootLogin {{ _security_sshd_permit_root_login }}
{% endif %}
{% if security_sshd_disallow_known_hosts_auth | bool %}
# V-72249 / V-72239
IgnoreUserKnownHosts yes
{% endif %}
{% if security_sshd_disallow_rhosts_auth | bool %}
# V-72243
IgnoreRhosts yes
{% endif %}
{% if security_sshd_enable_x11_forwarding | bool %}
# V-72303
X11Forwarding yes
{% endif %}
# V-72251
Protocol {{ security_sshd_protocol }}
# V-72253
MACs {{security_sshd_allowed_macs }}
{% if security_sshd_enable_privilege_separation | bool %}
# V-72265
UsePrivilegeSeparation sandbox
{% endif %}
# V-72267
Compression {{ security_sshd_compression }}
{% if security_sshd_disable_kerberos_auth | bool %}
# V-72261
KerberosAuthentication no
{% endif %}
{% if security_sshd_enable_strict_modes| bool %}
# V-72263
StrictModes yes
{% endif %}