
Location: majic-ansible-roles/roles/backup_server/files/backup-sshd_config-stretch

branko
MAR-152: Fix idempotence issues with web_server role:

- Reload configuration of PHP-FPM to ensure changes are picked up.
- Install base packages for PHP applications prior to creating the
directory containing unix socket files (so the package installation
would not change them back).
# backup-sshd_config-stretch: sshd_config for a dedicated backup-only OpenSSH
# instance on Debian stretch. It runs alongside the regular sshd, with its own
# port, host keys and PID file, and only ever serves chrooted SFTP sessions.
# Directives not set here keep the OpenSSH defaults of the stretch release.

# Listen on a separate port so this instance does not collide with the
# system-wide sshd on port 22.
Port 2222

# Use the SSH protocol version 2 (which is safer).
# NOTE(review): the OpenSSH shipped with stretch (7.4) no longer has SSH-1
# server support, so this directive is effectively a no-op there; harmless.
Protocol 2

# Define dedicated host keys for the backup SSH server, kept apart from
# /etc/ssh so the backup instance's host identity is independent of the main
# sshd and can be rotated on its own.
HostKey /etc/ssh-backup/ssh_host_rsa_key
HostKey /etc/ssh-backup/ssh_host_ecdsa_key
HostKey /etc/ssh-backup/ssh_host_ed25519_key

# Use privilege separation for increased security (the pre-auth network code
# runs in an unprivileged sandboxed process). Already the default; later
# OpenSSH releases deprecate the directive because it is always on.
UsePrivilegeSeparation yes

# Configure logging. INFO is enough to see each accepted and failed
# authentication in the auth log, which is what detection rules key on.
SyslogFacility AUTH
LogLevel INFO

# Users logging-in have 10 seconds to authenticate once the connection is
# established; a short window limits how long unauthenticated connections can
# tie up server resources.
LoginGraceTime 10

# Don't allow root account logins, regardless of authentication method.
PermitRootLogin no

# Refuse a login when the user's home directory, ~/.ssh or key files are
# group/world-writable. This covers the user's own files only; the chroot
# target itself has a separate, stricter ownership requirement enforced by
# ChrootDirectory (see below).
StrictModes yes

# Allow public key authentication. This is the only authentication method
# left enabled in this file: password, challenge-response and host-based
# authentication are all switched off below.
PubkeyAuthentication yes

# Don't read the user's ~/.rhosts and ~/.shosts files for eventual
# RhostsRSAAuthentication or HostbasedAuthentication.
IgnoreRhosts yes

# Disable host-based authentication (trust based on the client host's key).
HostbasedAuthentication no

# Do not allow logins with empty passwords. Defence in depth only, since
# password-based authentication is disabled entirely below.
PermitEmptyPasswords no

# Don't allow challenge-response authentication. This also closes the
# keyboard-interactive path that PAM would otherwise use for password prompts.
ChallengeResponseAuthentication no

# Disable password-based authentication; keys only.
PasswordAuthentication no

# Disable X11 forwarding; nothing on this instance needs a display.
X11Forwarding no

# Do not print motd, since any extra output on the session could confuse
# non-interactive SFTP clients.
PrintMotd no

# Do not print the date and time of the last user login.
PrintLastLog no

# Use TCP keepalives for detecting dead connections. These only notice a
# vanished peer at the TCP layer; ClientAliveInterval/ClientAliveCountMax are
# not set here, so the SSH-layer liveness check stays at its default (off).
TCPKeepAlive yes

# Use the internal SFTP server so we can also easily utilise chroot: it runs
# inside the sshd process and needs no sftp-server binary (or libraries)
# present inside the chroot.
Subsystem sftp internal-sftp

# Use PAM. But thanks to PasswordAuthentication being set to "no", PAM will be
# used just for session stuff (account and session management), never for
# authenticating the user.
UsePAM yes

# Specify a dedicated PID file for the backup SSH instance so it does not
# clash with the PID file of the regular sshd.
PidFile /var/run/sshd-backup.pid

# Users logging-in are forced to use the SFTP server: every session runs the
# internal SFTP server regardless of the command the client asked for, so no
# shell or arbitrary command is reachable even if the account has a login
# shell.
ForceCommand internal-sftp

# Chroot logged-in users to their home directories (%h expands to the user's
# home directory). sshd requires the chroot directory and every path
# component above it to be owned by root and not writable by group or others;
# a login into a directory that fails this check is refused.
ChrootDirectory %h

# Do not allow any TCP forwarding, so an authenticated backup account cannot
# use this port as a pivot into the network. Agent forwarding and tunnel
# devices are not set here and keep their defaults.
AllowTCPForwarding no

# Only allow the members of this group to log-in into this instance of OpenSSH
# server. Accounts outside the group are rejected even with a valid key.
AllowGroups backup