roles/sshd: Merge config from current openssh

This boils down to changing the comments and commenting things that are default anyway, to reduce the distance to the packaged config.

roles/sshd: Merge config from current openssh
8ed5c246 · Jan Alexander Steffens (heftig) · 6dc0c6bc · 8ed5c246
Verified Commit 8ed5c246 authored 8 years ago by Jan Alexander Steffens (heftig)
--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
-#	$OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -10,44 +10,32 @@
 # possible, but leave them commented.  Uncommented options override the
 # default value.

-Port 22
+#Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::

-# The default requires explicit activation of protocol 1
-Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key

-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
 # Ciphers and keying
 #RekeyLimit default none

 # Logging
-# obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 LogLevel VERBOSE

 # Authentication:

 #LoginGraceTime 2m
-PermitRootLogin prohibit-password
+#PermitRootLogin prohibit-password
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10

-RSAAuthentication yes
-PubkeyAuthentication yes
+#PubkeyAuthentication yes

 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
@@ -59,18 +47,16 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #AuthorizedKeysCommandUser nobody

 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes

 # To disable tunneled clear text passwords, change to no here!
 PasswordAuthentication no
-PermitEmptyPasswords no
+#PermitEmptyPasswords no

 # Change to no to disable s/key passwords
 ChallengeResponseAuthentication no
@@ -107,12 +93,12 @@ PrintMotd no # pam does that
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-UsePrivilegeSeparation sandbox		# Default for new installations.
+#UsePrivilegeSeparation sandbox
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
-#UseDNS yes
+#UseDNS no
 #PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no