Skip to content
This repository was archived by the owner on Nov 19, 2025. It is now read-only.

arillso/ansible.sshd

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

79 Commits
defaults
defaults
 
 
handlers
handlers
 
 
meta
meta
 
 
molecule/default
molecule/default
 
 
tasks
tasks
 
 
templates
templates
 
 
vars
vars
 
 
.travis.yml
.travis.yml
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Ansible Role: sshd

Build Status license Ansible Galaxy Ansible Role

Description

This role provides secure ssh-client and ssh-server configurations. It is intended to be compliant with the DevSec SSH Baseline.

Installation

ansible-galaxy install arillso.sshd

Requirements

None

Role Variables

ssh_ipv6_enable

true if IPv6 is needed

ssh_ipv6_enable: '{{ network_ipv6_enable | default(false) }}' # sshd + ssh

ssh_server_enabled

true if sshd should be started and enabled

ssh_server_enabled: true # sshd

ssh_use_dns

true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8

ssh_use_dns: false # sshd

ssh_compression

true or value if compression is needed

ssh_compression: false # sshd

ssh_hardening

For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.

ssh_client_hardening: true # ssh
ssh_server_hardening: true # sshd

ssh_client_password_login

If true, password login is allowed

ssh_client_password_login: false # ssh
ssh_server_password_login: false # sshd

ssh_server_ports

ports on which ssh-server should listen

ssh_server_ports: ['22'] # sshd

ssh_client_port

port to which ssh-client should connect

ssh_client_port: '22' # ssh

ssh_listen_to

one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!

ssh_listen_to: ['0.0.0.0'] # sshd

ssh_host_key_files

Host keys to look for when starting sshd.

ssh_host_key_files: [] # sshd

ssh_max_auth_retries

Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.

ssh_max_auth_retries: 2

ssh_client_alive_interval

ssh_client_alive_interval: 300 # sshd

ssh_client_alive_count

ssh_client_alive_count: 3 # sshd

ssh_permit_tunnel

Allow SSH Tunnels

ssh_permit_tunnel: false

ssh_remote_hosts

Hosts with custom options. # ssh

ssh_remote_hosts: []

# Example

ssh_remote_hosts:
  - names: ['example.com', 'example2.com']
    options: ['Port 2222', 'ForwardAgent yes']
  - names: ['example3.com']
    options: ['StrictHostKeyChecking no']

ssh_allow_root_with_key

Set this to "without-password" or "yes" to allow root to login

ssh_allow_root_with_key: 'no' # sshd

ssh_allow_tcp_forwarding

false to disable TCP Forwarding. Set to true to allow TCP Forwarding.

ssh_allow_tcp_forwarding: false # sshd

ssh_gateway_ports

false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.

Set to 'clientspecified' to allow the client to specify which address to bind to.

ssh_gateway_ports: false # sshd

ssh_allow_agent_forwarding

false to disable Agent Forwarding. Set to true to allow Agent Forwarding.

ssh_allow_agent_forwarding: false # sshd

ssh_pam_support

true if SSH has PAM support

ssh_pam_support: true

ssh_use_pam

false to disable pam authentication.

ssh_use_pam: false # sshd

ssh_google_auth

false to disable google 2fa authentication

ssh_google_auth: false # sshd

ssh_pam_device

false to disable pam device 2FA input

ssh_pam_device: false # sshd

ssh_gssapi_support

true if SSH support GSSAPI

ssh_gssapi_support: false

ssh_kerberos_support

true if SSH support Kerberos

ssh_kerberos_support: true

ssh_deny_users

if specified, login is disallowed for user names that match one of the patterns.

ssh_deny_users: '' # sshd

ssh_allow_users

if specified, login is allowed only for user names that match one of the patterns.

ssh_allow_users: '' # sshd

ssh_deny_groups

if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.

ssh_deny_groups: '' # sshd

ssh_allow_groups

if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.

ssh_allow_groups: '' # sshd

ssh_authorized_keys_file

change default file that contains the public keys that can be used for user authentication.

ssh_authorized_keys_file: '' # sshd

ssh_trusted_user_ca_keys_file

specifies the file containing trusted certificate authorities public keys used to sign user certificates.

ssh_trusted_user_ca_keys_file: '' # sshd

ssh_trusted_user_ca_keys

set the trusted certificate authorities public keys used to sign user certificates.

ssh_trusted_user_ca_keys: [] # sshd

Example

ssh_trusted_user_ca_keys:
  - 'ssh-rsa ... comment1'
  - 'ssh-rsa ... comment2'

ssh_authorized_principals_file

specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set.

ssh_authorized_principals_file: '' # sshd

Example

ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'

%h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, the path is taken to be an absolute path or one relative to the user's home directory.

ssh_authorized_principals

list of hashes containing file paths and authorized principals. Only used if ssh_authorized_principals_file is set.

ssh_authorized_principals: [] # sshd

Example

ssh_authorized_principals:
  - {
      path: '/etc/ssh/auth_principals/root',
      principals: ['root'],
      owner: '{{ ssh_owner }}',
      group: '{{ ssh_group }}',
      directoryowner: '{{ ssh_owner }}',
      directorygroup: '{{ ssh_group}}',
    }
  - {
      path: '/etc/ssh/auth_principals/myuser',
      principals: ['masteradmin', 'webserver'],
    }

ssh_print_motd

false to disable printing of the MOTD

ssh_print_motd: false # sshd

ssh_print_last_log

false to disable display of last login information

ssh_print_last_log: false # sshd

ssh_banner

false to disable serving /etc/ssh/banner.txt before authentication is allowed

ssh_banner: false # sshd

ssh_print_debian_banner

false to disable distribution version leakage during initial protocol handshake

ssh_print_debian_banner: false # sshd (Debian OS family only)

ssh_sftp_enabled

true to enable sftp configuration

ssh_sftp_enabled: '{{ sftp_enabled | default(false) }}'

ssh_sftp_chroot

false to disable sftp chroot

ssh_sftp_chroot: '{{ sftp_chroot | default(true) }}'

ssh_sftp_chroot_dir

change default sftp chroot location

ssh_sftp_chroot_dir: "{{ sftp_chroot_dir | default('/home/%u') }}"

ssh_client_roaming

enable experimental client roaming

ssh_client_roaming: false

ssh_server_match_user

list of hashes (containing user and rules) to generate Match User blocks for.

ssh_server_match_user: false # sshd

ssh_server_match_group

list of hashes (containing group and rules) to generate Match Group blocks for.

ssh_server_match_group: false # sshd

ssh_server_match_address

list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.

ssh_server_match_address: false # sshd

ssh_server_permit_environment_vars

ssh_server_permit_environment_vars: false

ssh_max_startups

maximum number of concurrent unauthenticated connections to the SSH daemon

ssh_max_startups: '10:30:100' # sshd

ssh_ps53

ssh_ps53: 'yes'

ssh_ps59

ssh_ps59: 'sandbox'

ssh_macs

ssh_macs: []

ssh_ciphers

ssh_ciphers: []

ssh_kex

ssh_kex: []

ssh_macs_53_default

ssh_macs_53_default:
  - hmac-ripemd160
  - hmac-sha1

ssh_macs_59_default

ssh_macs_59_default:
  - hmac-sha2-512
  - hmac-sha2-256
  - hmac-ripemd160

ssh_macs_66_default

ssh_macs_66_default:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - umac-128-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256

ssh_macs_76_default

ssh_macs_76_default:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - umac-128-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256

ssh_ciphers_53_default

ssh_ciphers_53_default:
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

ssh_ciphers_66_default

ssh_ciphers_66_default:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

ssh_kex_59_default

ssh_kex_59_default:
  - diffie-hellman-group-exchange-sha256

ssh_kex_66_default

ssh_kex_66_default:
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256

ssh_custom_selinux_dir

directory where to store ssh_password policy

ssh_custom_selinux_dir: '/etc/selinux/local-policies'

sshd_moduli_file: '/etc/ssh/moduli'
sshd_moduli_minimum: 2048

ssh_challengeresponseauthentication

disable ChallengeResponseAuthentication

ssh_challengeresponseauthentication: false

ssh_server_revoked_keys

a list of public keys that are never accepted by the ssh server

ssh_server_revoked_keys: []

ssh_hardening_enabled

Set to false to turn the role into a no-op. Useful when using the Ansible role dependency mechanism.

ssh_hardening_enabled: true

ssh_custom_options

Custom options for SSH client configuration file

ssh_custom_options: []

sshd_custom_options

Custom options for SSH daemon configuration file

sshd_custom_options: []

Dependencies

None

Example Playbook

- hosts: all
  roles:
    - arillso.sshd

Author

License

This project is under the MIT License. See the LICENSE file for the full license text.

Copyright

(c) 2019, Arilso

About

Ansible role to configure ssh.

Topics

ssh ansible ansible-role

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

11 stars

Watchers

1 watching

Forks

13 forks
Report repository

Releases 6

Version 2.2.3 Latest
Oct 5, 2020
+ 5 releases

Contributors 4

  •  
  •  
  •  
  •  

Languages