mirror of https://github.com/dev-sec/ansible-collection-hardening, synced 2024-11-10 01:04:13 +00:00
fix spelling errors
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
parent edcada16e4
commit 7259d6b5fd
17 changed files with 33 additions and 32 deletions
1
.github/workflows/codespell.yml
vendored
|
@ -19,3 +19,4 @@ jobs:
|
|||
uses: codespell-project/actions-codespell@v1
|
||||
with:
|
||||
check_filenames: true
|
||||
ignore_words_list: "chage"
|
||||
|
|
|
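Review bot: the `ignore_words_list: "chage"` entry under `with:` has no comment explaining the exemption, so a later reader may take it for a typo and drop it. Add a one-line YAML comment above it saying that `chage` is (presumably) the password-ageing command name and must not be "corrected". In the same step, `uses: codespell-project/actions-codespell@v1` follows a movable tag; pinning the action to a full commit SHA keeps the workflow from picking up changed action code without review.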
@ -26,7 +26,7 @@
|
|||
|
||||
- fix fedora build [\#296](https://github.com/dev-sec/ansible-os-hardening/pull/296) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- do not blacklist used filesystems [\#289](https://github.com/dev-sec/ansible-os-hardening/pull/289) [[patch](https://github.com/dev-sec/ansible-os-hardening/labels/patch)] ([schurzi](https://github.com/schurzi))
|
||||
- move hidepid vars into defaults so theyre overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) [[patch](https://github.com/dev-sec/ansible-os-hardening/labels/patch)] ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- move hidepid vars into defaults so they're overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) [[patch](https://github.com/dev-sec/ansible-os-hardening/labels/patch)] ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [6.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.1.0) (2020-07-21)
|
||||
|
||||
|
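Review bot: the corrected entry for #285 now differs from the text it replaced, which reads like the pull request title; if this file is ever regenerated from PR titles, the `theyre` spelling will come back. Correct the title on the pull request as well, or state in the file that it is maintained by hand.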
@ -90,7 +90,7 @@
|
|||
- Add kernel parameter information to README [\#259](https://github.com/dev-sec/ansible-os-hardening/pull/259) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([jaredledvina](https://github.com/jaredledvina))
|
||||
- Remove trailing whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-os-hardening/pull/254) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([kravietz](https://github.com/kravietz))
|
||||
- Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([dustinmiller1337](https://github.com/dustinmiller1337))
|
||||
- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([dustinmiller1337](https://github.com/dustinmiller1337))
|
||||
- Add initial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([dustinmiller1337](https://github.com/dustinmiller1337))
|
||||
- Make max_log_file_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([jandd](https://github.com/jandd))
|
||||
- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([ghost](https://github.com/ghost))
|
||||
- Fedora - Use new auto ansible_python_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([jaredledvina](https://github.com/jaredledvina))
|
||||
|
@ -165,7 +165,7 @@
|
|||
|
||||
**Fixed bugs:**
|
||||
|
||||
- auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191) [[bug](https://github.com/dev-sec/ansible-os-hardening/labels/bug)]
|
||||
- auditd causing v5.0 to fail on unprivileged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191) [[bug](https://github.com/dev-sec/ansible-os-hardening/labels/bug)]
|
||||
- Setting os_security_users_allow has no effect [\#175](https://github.com/dev-sec/ansible-os-hardening/issues/175) [[bug](https://github.com/dev-sec/ansible-os-hardening/labels/bug)]
|
||||
- add /usr/bin/su to suid_guid whitelist [\#199](https://github.com/dev-sec/ansible-os-hardening/pull/199) [[bug](https://github.com/dev-sec/ansible-os-hardening/labels/bug)] ([ccolic](https://github.com/ccolic))
|
||||
- ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user [\#197](https://github.com/dev-sec/ansible-os-hardening/pull/197) [[bug](https://github.com/dev-sec/ansible-os-hardening/labels/bug)] ([szEvEz](https://github.com/szEvEz))
|
||||
|
@ -346,7 +346,7 @@
|
|||
- Docker [\#90](https://github.com/dev-sec/ansible-os-hardening/pull/90) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- debian 8 support [\#88](https://github.com/dev-sec/ansible-os-hardening/pull/88) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Ufw manage defaults [\#85](https://github.com/dev-sec/ansible-os-hardening/pull/85) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([fitz123](https://github.com/fitz123))
|
||||
- replace ignore_errors to failed_when to supress ugly error warnings [\#81](https://github.com/dev-sec/ansible-os-hardening/pull/81) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([fitz123](https://github.com/fitz123))
|
||||
- replace ignore_errors to failed_when to suppress ugly error warnings [\#81](https://github.com/dev-sec/ansible-os-hardening/pull/81) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([fitz123](https://github.com/fitz123))
|
||||
- fix bare variables usage for loops [\#79](https://github.com/dev-sec/ansible-os-hardening/pull/79) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([fitz123](https://github.com/fitz123))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
@ -459,7 +459,7 @@
|
|||
- Repair debian install script [\#8](https://github.com/dev-sec/ansible-os-hardening/pull/8) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Separate tasks into multiple smaller files [\#7](https://github.com/dev-sec/ansible-os-hardening/pull/7) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Enable gpg-check on all yum-repositories [\#5](https://github.com/dev-sec/ansible-os-hardening/pull/5) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Change playbook-path to accomodate test-repo [\#4](https://github.com/dev-sec/ansible-os-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Change playbook-path to accommodate test-repo [\#4](https://github.com/dev-sec/ansible-os-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- treat securetty config as an array [\#3](https://github.com/dev-sec/ansible-os-hardening/pull/3) ([arlimus](https://github.com/arlimus))
|
||||
- Add Securetty-support [\#2](https://github.com/dev-sec/ansible-os-hardening/pull/2) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add profile.conf configuration [\#1](https://github.com/dev-sec/ansible-os-hardening/pull/1) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
name: testuser
|
||||
password: "{{ test_pw | password_hash('sha512') }}"
|
||||
|
||||
- name: check successfull login with correct password
|
||||
- name: check successful login with correct password
|
||||
shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }}"
|
||||
environment:
|
||||
|
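Review bot: the renamed task `check successful login with correct password` still starts in lower case, which ansible-lint reports under its name casing rule. Capitalise the first word while the line is being edited, and do the same for the other `check ...` task names in this file. The `cmd:` line also puts `{{ test_pw }}` on the command line, where it can appear in task output and the process list; `no_log: true` on these tasks would keep it out of the logs should the value ever be more than a throwaway test password.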
@ -29,7 +29,7 @@
|
|||
LC_ALL: "{{ locale | default('C.UTF-8') }}"
|
||||
LANG: "{{ locale | default('C.UTF-8') }}"
|
||||
|
||||
- name: check unsuccessfull login with incorrect password
|
||||
- name: check unsuccessful login with incorrect password
|
||||
shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
|
||||
environment:
|
||||
|
@ -38,7 +38,7 @@
|
|||
LANG: "{{ locale | default('C.UTF-8') }}"
|
||||
with_sequence: count=6
|
||||
|
||||
- name: check unsuccessfull login, with correct password (lockout)
|
||||
- name: check unsuccessful login, with correct password (lockout)
|
||||
shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
|
||||
environment:
|
||||
|
@ -50,7 +50,7 @@
|
|||
pause:
|
||||
seconds: 20
|
||||
|
||||
- name: check successfull login
|
||||
- name: check successful login
|
||||
shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }}"
|
||||
environment:
|
||||
|
|
|
@ -8,7 +8,7 @@ driver:
|
|||
provider:
|
||||
name: libvirt
|
||||
platforms:
|
||||
# we need to name every instance differntly to start multiple VMs on the same host (parallelization)
|
||||
# we need to name every instance differently to start multiple VMs on the same host (parallelization)
|
||||
# since we also need to use different OS users to run the tests because of how molecule operates,
|
||||
# the VM names must be predictable by OS user (to clean up canceled runs)
|
||||
- name: "${USER}"
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
name: testuser
|
||||
password: "{{ test_pw | password_hash('sha512') }}"
|
||||
|
||||
- name: check successfull login with correct password
|
||||
- name: check successful login with correct password
|
||||
shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }}"
|
||||
environment:
|
||||
|
@ -29,7 +29,7 @@
|
|||
LC_ALL: "{{ locale | default('C.UTF-8') }}"
|
||||
LANG: "{{ locale | default('C.UTF-8') }}"
|
||||
|
||||
- name: check unsuccessfull login with incorrect password
|
||||
- name: check unsuccessful login with incorrect password
|
||||
shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
|
||||
environment:
|
||||
|
@ -38,7 +38,7 @@
|
|||
LANG: "{{ locale | default('C.UTF-8') }}"
|
||||
with_sequence: count=6
|
||||
|
||||
- name: check unsuccessfull login, with correct password (lockout)
|
||||
- name: check unsuccessful login, with correct password (lockout)
|
||||
shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
|
||||
environment:
|
||||
|
@ -50,7 +50,7 @@
|
|||
pause:
|
||||
seconds: 20
|
||||
|
||||
- name: check successfull login
|
||||
- name: check successful login
|
||||
shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }}"
|
||||
environment:
|
||||
|
|
|
@ -4,7 +4,7 @@ driver:
|
|||
provider:
|
||||
name: libvirt
|
||||
platforms:
|
||||
# we need to name every instance differntly to start multiple VMs on the same host (parallelization)
|
||||
# we need to name every instance differently to start multiple VMs on the same host (parallelization)
|
||||
# since we also need to use different OS users to run the tests because of how molecule operates,
|
||||
# the VM names must be predictable by OS user (to clean up canceled runs)
|
||||
- name: "${USER}"
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
|
||||
# we only override variables with our default if they have not been specified already.
|
||||
# by default the lookup functions finds all varnames containing the string, therefore
|
||||
# we add ^ and $ to denote start and end of string, so this returns only exact maches.
|
||||
# we add ^ and $ to denote start and end of string, so this returns only exact matches.
|
||||
- name: Set OS dependent variables, if not already defined by user # noqa var-naming
|
||||
ansible.builtin.set_fact:
|
||||
"{{ item.key }}": "{{ item.value }}"
|
||||
|
|
|
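Review bot: the comment block still reads `the lookup functions finds all varnames` one line above the corrected `matches`. Change it to `the lookup function finds` in the same commit so the whole comment is clean.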
@ -54,7 +54,7 @@
|
|||
|
||||
- fix fedora build [\#296](https://github.com/dev-sec/ansible-os-hardening/pull/296) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- do not blacklist used filesystems [\#289](https://github.com/dev-sec/ansible-os-hardening/pull/289) ([schurzi](https://github.com/schurzi))
|
||||
- move hidepid vars into defaults so theyre overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- move hidepid vars into defaults so they're overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [6.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.1.0) (2020-07-21)
|
||||
|
||||
|
@ -118,7 +118,7 @@
|
|||
- Add kernel parameter information to README [\#259](https://github.com/dev-sec/ansible-os-hardening/pull/259) ([jaredledvina](https://github.com/jaredledvina))
|
||||
- Remove trailing whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-os-hardening/pull/254) ([kravietz](https://github.com/kravietz))
|
||||
- Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337))
|
||||
- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337))
|
||||
- Add initial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337))
|
||||
- Make max_log_file_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd))
|
||||
- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([ghost](https://github.com/ghost))
|
||||
- Fedora - Use new auto ansible_python_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina))
|
||||
|
@ -193,7 +193,7 @@
|
|||
|
||||
**Fixed bugs:**
|
||||
|
||||
- auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191)
|
||||
- auditd causing v5.0 to fail on unprivileged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191)
|
||||
- Setting os_security_users_allow has no effect [\#175](https://github.com/dev-sec/ansible-os-hardening/issues/175)
|
||||
- add /usr/bin/su to suid_guid whitelist [\#199](https://github.com/dev-sec/ansible-os-hardening/pull/199) ([ccolic](https://github.com/ccolic))
|
||||
- ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user [\#197](https://github.com/dev-sec/ansible-os-hardening/pull/197) ([szEvEz](https://github.com/szEvEz))
|
||||
|
@ -374,7 +374,7 @@
|
|||
- Docker [\#90](https://github.com/dev-sec/ansible-os-hardening/pull/90) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- debian 8 support [\#88](https://github.com/dev-sec/ansible-os-hardening/pull/88) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Ufw manage defaults [\#85](https://github.com/dev-sec/ansible-os-hardening/pull/85) ([fitz123](https://github.com/fitz123))
|
||||
- replace ignore_errors to failed_when to supress ugly error warnings [\#81](https://github.com/dev-sec/ansible-os-hardening/pull/81) ([fitz123](https://github.com/fitz123))
|
||||
- replace ignore_errors to failed_when to suppress ugly error warnings [\#81](https://github.com/dev-sec/ansible-os-hardening/pull/81) ([fitz123](https://github.com/fitz123))
|
||||
- fix bare variables usage for loops [\#79](https://github.com/dev-sec/ansible-os-hardening/pull/79) ([fitz123](https://github.com/fitz123))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
@ -487,7 +487,7 @@
|
|||
- Repair debian install script [\#8](https://github.com/dev-sec/ansible-os-hardening/pull/8) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Separate tasks into multiple smaller files [\#7](https://github.com/dev-sec/ansible-os-hardening/pull/7) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Enable gpg-check on all yum-repositories [\#5](https://github.com/dev-sec/ansible-os-hardening/pull/5) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Change playbook-path to accomodate test-repo [\#4](https://github.com/dev-sec/ansible-os-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Change playbook-path to accommodate test-repo [\#4](https://github.com/dev-sec/ansible-os-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- treat securetty config as an array [\#3](https://github.com/dev-sec/ansible-os-hardening/pull/3) ([arlimus](https://github.com/arlimus))
|
||||
- Add Securetty-support [\#2](https://github.com/dev-sec/ansible-os-hardening/pull/2) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add profile.conf configuration [\#1](https://github.com/dev-sec/ansible-os-hardening/pull/1) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
|
|
@ -157,8 +157,8 @@ sysctl_config:
|
|||
# https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace
|
||||
#
|
||||
# For applications launching crash handlers that need PTRACE, exceptions can
|
||||
# be registered by the debugee by declaring in the segfault handler
|
||||
# specifically which process will be using PTRACE on the debugee:
|
||||
# be registered by the debuggee by declaring in the segfault handler
|
||||
# specifically which process will be using PTRACE on the debuggee:
|
||||
# prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);
|
||||
#
|
||||
# In general, PTRACE is not needed for the average running Ubuntu system.
|
||||
|
|
|
@ -136,7 +136,7 @@ SUB_GID_MIN {{ os_auth_sub_gid_min }}
|
|||
SUB_GID_MAX {{ os_auth_sub_gid_max }}
|
||||
SUB_GID_COUNT {{ os_auth_sub_gid_count }}
|
||||
|
||||
# Max number of login retries if password is bad. This will most likely be overriden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES.
|
||||
# Max number of login retries if password is bad. This will most likely be overridden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES.
|
||||
LOGIN_RETRIES {{ os_auth_retries }}
|
||||
|
||||
# Max time in seconds for login
|
||||
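Review bot: the corrected `LOGIN_RETRIES` comment still says `has it's own built in of 3 retries`; the possessive is `its`, and the noun after `built in` is missing. Suggest `has its own built-in limit of 3 retries`.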
|
@ -155,7 +155,7 @@ DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
|
|||
# the user to be removed (passed as the first argument).
|
||||
#USERDEL_CMD /usr/sbin/userdel_local
|
||||
|
||||
# Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (`argv[0]`) will be the shell's. The program may do whatever it wants (logging, additional authentification, banner, ...) before running the actual shell.
|
||||
# Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (`argv[0]`) will be the shell's. The program may do whatever it wants (logging, additional authentication, banner, ...) before running the actual shell.
|
||||
#FAKE_SHELL /bin/fakeshell
|
||||
|
||||
# If defined, either full pathname of a file containing device names or a ":" delimited list of device names. Root logins will be allowed only upon these devices.
|
||||
|
|
|
@ -81,6 +81,6 @@ os_useradd_create_home: true
|
|||
modprobe_package: module-init-tools
|
||||
auditd_package: audit
|
||||
|
||||
# system accounts that do not get their login disabled and pasword changed
|
||||
# system accounts that do not get their login disabled and password changed
|
||||
os_always_ignore_users: [root, sync, shutdown, halt, ec2-user]
|
||||
hidepid_option: "2" # allowed values: 0, 1, 2
|
||||
|
|
|
@ -108,5 +108,5 @@ os_security_suid_sgid_system_whitelist:
|
|||
- /usr/lib/libvte9/gnome-pty-helper # gnome
|
||||
- /usr/lib/libvte-2.90-9/gnome-pty-helper # gnome
|
||||
|
||||
# system accounts that do not get their login disabled and pasword changed
|
||||
# system accounts that do not get their login disabled and password changed
|
||||
os_always_ignore_users: [root, sync, shutdown, halt]
|
||||
|
|
|
@ -195,7 +195,7 @@
|
|||
- SFTP: set default umask to 0027 [\#252](https://github.com/dev-sec/ansible-ssh-hardening/pull/252) ([Slamdunk](https://github.com/Slamdunk))
|
||||
- Separate PermitUserEnviroment from AcceptEnv [\#251](https://github.com/dev-sec/ansible-ssh-hardening/pull/251) ([szEvEz](https://github.com/szEvEz))
|
||||
- Feature: Debian 10 \(Buster\) support [\#249](https://github.com/dev-sec/ansible-ssh-hardening/pull/249) ([jaredledvina](https://github.com/jaredledvina))
|
||||
- fix broken packages, extend README with furhter development instructions [\#246](https://github.com/dev-sec/ansible-ssh-hardening/pull/246) ([szEvEz](https://github.com/szEvEz))
|
||||
- fix broken packages, extend README with further development instructions [\#246](https://github.com/dev-sec/ansible-ssh-hardening/pull/246) ([szEvEz](https://github.com/szEvEz))
|
||||
- refactor authenticationmethod settings, allow user to set authenticat… [\#245](https://github.com/dev-sec/ansible-ssh-hardening/pull/245) ([szEvEz](https://github.com/szEvEz))
|
||||
- RHEL/OL/CentOS 8 support [\#242](https://github.com/dev-sec/ansible-ssh-hardening/pull/242) ([Furragen](https://github.com/Furragen))
|
||||
- Added ssh_syslog_facility, ssh_log_level and ssh_strict_modes parameters [\#240](https://github.com/dev-sec/ansible-ssh-hardening/pull/240) ([bschonec](https://github.com/bschonec))
|
||||
|
|
|
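Review bot: the #251 entry in this hunk, `Separate PermitUserEnviroment from AcceptEnv`, still misspells the option name (`PermitUserEnvironment`) while the #246 entry next to it is corrected. Fix it in this commit as well, or add the word to the codespell ignore list if the entry has to mirror the original PR title.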
@ -34,7 +34,7 @@ As this role requires root-privileges, we added `become: true` to all tasks. So
|
|||
- Description: Specifies the port number to connect on the remote host.
|
||||
- `ssh_listen_to`
|
||||
- Default: `['0.0.0.0']`
|
||||
- Description: one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 adresses, but should be configured to specific addresses for security reasons!
|
||||
- Description: one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 addresses, but should be configured to specific addresses for security reasons!
|
||||
- `ssh_host_key_files`
|
||||
- Default: `[]`
|
||||
- Description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version.
|
||||
|
|
|
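Review bot: the corrected `ssh_listen_to` description still has a doubled preposition in `to which ssh-server should listen to` and a lower-case `ip`. Suggest `One or more IP addresses the SSH server should listen on.` and keep the rest of the description, including the advice to replace the `0.0.0.0` default with specific addresses.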
@ -152,7 +152,7 @@ GSSAPICleanupCredentials yes
|
|||
{% endif %}
|
||||
{% if ssh_deny_users %}
|
||||
# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here.
|
||||
# For key-based authentication this is not necessary, since all keys must be explicitely enabled.
|
||||
# For key-based authentication this is not necessary, since all keys must be explicitly enabled.
|
||||
DenyUsers {{ ssh_deny_users }}
|
||||
|
||||
{% endif %}
|
||||
|
|