It is an Ansible role to:
- Install OpenSSH Server
- Configure OpenSSH Server
Often times you want to disable root logins and password based logins. This
role sets those options by default but it also exposes most config values found
in the sshd_config
file.
- Ubuntu 16.04 LTS (Xenial)
- Debian 8 (Jessie)
- Debian 9 (Stretch)
# To view what these variables do, check out:
# http://www.openssh.com/cgi-bin/man.cgi?query=sshd_config
sshd_port: "22"
sshd_listen_address: ["::", "0.0.0.0"]
sshd_allow_groups: []
sshd_protocol: "2"
sshd_host_keys: ["ed25519", "rsa", "ecdsa"]
sshd_kex_algorithms:
- "[email protected]"
- "ecdh-sha2-nistp521"
- "ecdh-sha2-nistp384"
- "ecdh-sha2-nistp256"
- "diffie-hellman-group-exchange-sha256"
sshd_ciphers:
- "[email protected]"
- "[email protected]"
- "[email protected]"
- "aes256-ctr"
- "aes192-ctr"
- "aes128-ctr"
sshd_macs:
- "[email protected]"
- "[email protected]"
- "[email protected]"
- "hmac-sha2-512"
- "hmac-sha2-256"
- "[email protected]"
sshd_use_privilege_separation: "yes"
sshd_key_regeneration_interval: "3600"
sshd_server_key_bits: "1024"
sshd_syslog_facility: "AUTH"
sshd_log_level: "INFO"
sshd_login_grace_time: "120"
sshd_permit_root_login: "no"
sshd_strict_modes: "yes"
sshd_rsa_authentication: "yes"
sshd_pubkey_authentication: "yes"
sshd_authorized_keys_file: "%h/.ssh/authorized_keys"
sshd_ignore_rhosts: "yes"
sshd_rhosts_rsa_authentication: "no"
sshd_host_based_authentication: "no"
sshd_ignore_user_known_hosts: "no"
sshd_permit_empty_passwords: "no"
sshd_challenge_response_authentication: "no"
sshd_password_authentication: "no"
sshd_gss_api_authentication: "no"
sshd_gss_api_cleanup_credentials: "yes"
sshd_x11_forwarding: "yes"
sshd_x11_display_offset: "10"
sshd_print_motd: "no"
sshd_print_last_log: "yes"
sshd_tcp_keep_alive: "yes"
sshd_max_startups: "10:30:100"
sshd_banner: "none"
sshd_accept_env: "LANG LC_*"
sshd_subsystem: "sftp /usr/lib/openssh/sftp-server"
sshd_use_pam: "yes"
For the sake of this example let's assume you have a group called app and
you have a typical site.yml
file.
To use this role edit your site.yml
file to look something like this:
---
- name: "Configure app server(s)"
hosts: "app"
become: True
roles:
- { role: "nickjj.sshd", tags: "sshd" }
Let's say you want to white list only users belonging to the deploy
group, you
can do this by opening or creating group_vars/app.yml
which is located
relative to your inventory
directory and then make it look something like this:
---
sshd_allow_groups = ["deploy"]
Now you would run ansible-playbook -i inventory/hosts site.yml -t sshd
.
$ ansible-galaxy install nickjj.sshd
You can find it on the official Ansible Galaxy if you want to rate it.
MIT