Deconsolidate network setup for proxmox and debian roles
They are just different enough to be annoying.
This commit is contained in:
parent
c3d1a6c4b1
commit
211d4bdb9a
10 changed files with 104 additions and 19 deletions
16
files/sshd@mgmt.service
Normal file
16
files/sshd@mgmt.service
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
[Unit]
|
||||
Description=OpenBSD Secure Shell server (management VRF)
|
||||
After=network.target auditd.service
|
||||
|
||||
[Service]
|
||||
ExecStartPre=/usr/sbin/sshd -t
|
||||
ExecStart=ip vrf exec mgmt /usr/sbin/sshd -f /etc/ssh/sshd_config.mgmt
|
||||
ExecReload=/usr/sbin/sshd -t
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
KillMode=process
|
||||
Restart=on-failure
|
||||
RestartPreventExitStatus=255
|
||||
Type=notify
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
14
files/sshd_config.mgmt
Normal file
14
files/sshd_config.mgmt
Normal file
|
|
@ -0,0 +1,14 @@
|
|||
# This is for sshd in management VRF, for ansible and other not-really-OOB stuff.
|
||||
PidFile none
|
||||
UsePAM no
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
|
||||
# Only allow pubkey auth.
|
||||
KbdInteractiveAuthentication no
|
||||
PasswordAuthentication no
|
||||
PermitRootLogin prohibit-password
|
||||
|
||||
# Disable what we can.
|
||||
AllowTcpForwarding no
|
||||
GatewayPorts no
|
||||
X11Forwarding no
|
||||
Loading…
Add table
Add a link
Reference in a new issue