Add charmhelpers.contrib.hardening and calls to install, config-changed, upgrade-charm and update-status hooks. Also add new config option to allow one or more hardening modules to be applied at runtime. Change-Id: If0d1e10b58ed506e0aca659f30120b8d5c96c04f
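###############################################################################
# WARNING: This configuration file is maintained by Juju. Local changes may
# be overwritten.
###############################################################################
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
#
# Because the first value wins, the settings below are defaults, not policy:
# a user can override any of them in a per-user file or on the command line.
# Controls that must be enforced belong in the server-side configuration.

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# When remote_hosts is non-empty, everything below is scoped to those hosts.
# When it is empty no Host line is rendered and the settings below become
# the defaults for every destination.
{% if remote_hosts -%}
Host {{ ' '.join(remote_hosts) }}
{% endif %}
# Agent and X11 forwarding are off by default so that a compromised remote
# host cannot use the local agent or reach the local display.
ForwardAgent no
ForwardX11 no
# Only takes effect if a user turns X11 forwarding on; in that case "yes"
# gives remote X11 clients full access to the local display.
# NOTE(review): consider "no" unless trusted forwarding is required.
ForwardX11Trusted yes
# RhostsRSAAuthentication and RSAAuthentication are protocol-1 options and
# have no effect while only protocol 2 is selected (see Protocol below).
RhostsRSAAuthentication no
RSAAuthentication yes
# password_auth_allowed is expected to render as "yes" or "no".
PasswordAuthentication {{ password_auth_allowed }}
HostbasedAuthentication no
GSSAPIAuthentication no
GSSAPIDelegateCredentials no
GSSAPIKeyExchange no
GSSAPITrustDNS no
BatchMode no
CheckHostIP yes
AddressFamily {{ addr_family }}
ConnectTimeout 0
# Unknown host keys are added only after the user confirms them; a changed
# host key is refused.
StrictHostKeyChecking ask
# Naming IdentityFile entries replaces the client's built-in default list,
# so other default key names are not tried unless they are listed here, in
# the user's own configuration, or offered by an agent.
# ~/.ssh/identity is the protocol-1 key file and is unused under protocol 2.
IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
# The port at the destination should be defined.
# ssh keeps the first Port value it reads, so if ports holds more than one
# entry only the first takes effect.
{% for port in ports -%}
Port {{ port }}
{% endfor %}
# Protocol 2 only. The protocol-1 "Cipher" selector is deliberately not set:
# it is never consulted under protocol 2, where the Ciphers list governs.
Protocol 2
# Ciphers, MACs and KexAlgorithms are written only when the charm supplies a
# value; otherwise the client's built-in defaults apply.
{% if ciphers -%}
Ciphers {{ ciphers }}
{%- endif %}
{% if macs -%}
MACs {{ macs }}
{%- endif %}
{% if kexs -%}
KexAlgorithms {{ kexs }}
{%- endif %}
EscapeChar ~
Tunnel no
TunnelDevice any:any
PermitLocalCommand no
VisualHostKey no
RekeyLimit 1G 1h
SendEnv LANG LC_*
# Store host names in known_hosts in hashed form so that the file does not
# list the hosts this machine connects to if it is disclosed.
HashKnownHosts yes
# Written only when the template context sets roaming. On clients that still
# implement the experimental roaming feature the protective value is "no";
# if roaming is empty nothing is written and the client's default applies.
# NOTE(review): confirm the context supplies "no" for such clients.
{% if roaming -%}
UseRoaming {{ roaming }}
{% endif %}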