
Ansible Role - havlasme.security.sshd

Apache-2.0 license

An Ansible role to install and configure the SSHd service on Debian and Ubuntu running systemd.

  • Install or update OpenSSH via APT
  • Create, update, and delete OpenSSH configuration files (sshd_config and sshd_config.d drop-ins)
  • (Optional) Delete small Diffie-Hellman moduli from /etc/ssh/moduli
  • Start and enable the OpenSSH service

Role Variables

Available variables are listed below, along with default values (see defaults/main.yml):

# sshd package state ('present', 'latest') - 'absent' is not supported
# * 'present' ensures that the package is installed
# * 'latest' ensures that the latest version of the package is installed
# NOTE(review): 'latest' upgrades the package on every run (and may restart sshd
# through the package hooks); keep 'present' unless upgrades are meant to be unattended
sshd__state: 'present'
# should the sshd service start at boot? (using systemd)
sshd__enabled: true
# can ansible reload the sshd service? (using systemd)
sshd__ansible_reload: true
# can ansible restart the sshd service? (using systemd)
# NOTE(review): a restart with a broken configuration leaves no listening daemon; keep
# `validate` enabled on every sshd__conf entry (see below) whenever this is true
sshd__ansible_restart: true

# sshd listen port - keep the values quoted so YAML does not turn them into integers
sshd__port: [ '22' ]
# sshd listen ip - '0.0.0.0' covers IPv4 only; add '::' if the host must also accept IPv6
#sshd__listen_to: [ '0.0.0.0' ]
# ssh host key type - only the listed types are configured; drop 'rsa' / 'ecdsa' if the
# chosen cryptography policy (see sshd__cryptography_policy) does not allow them
#sshd__host_key_type: [ 'ed25519', 'rsa', 'ecdsa' ]

# sshd conf list
#! template lookup is done by the `havlasme.ansible.template` plugin
sshd__conf:
## - dest: string
##   template: string | d(sshd__conf_template)
##   content: string            # inline file body, used by the drop-in entries below instead of `template`
##   user: string | d('root')
##   group: string | d('root')
##   mode: string | d('0755')
##   NOTE(review): '0755' sets the executable bit on a plain configuration file; '0644'
##   is the usual mode for sshd_config - confirm the intended default in defaults/main.yml
##   backup: bool | d(false)
##   validate: bool | d(true)   # presumably a configuration syntax check before the file is installed - keep it on
##   state: enum('present', 'absent', 'directory') | d('present')
- dest: '/etc/ssh'
  state: 'directory'
- dest: '/etc/ssh/sshd_config.d'
  state: 'directory'
- dest: '/etc/ssh/sshd_config'
  template: 'etc/ssh/sshd_config.j2'
# daemon defaults; sshd__accept_env lists the client environment variables sshd may accept
- dest: '/etc/ssh/sshd_config.d/20-defaults-daemon.conf'
  content: |-
    PrintMotd no
    PrintLastLog yes
    AcceptEnv {{ sshd__accept_env | d('LANG LC_*') }}
# NOTE(review): this drop-in leaves PasswordAuthentication enabled, so the role's
# out-of-the-box posture is password + public key, not key-only. OpenSSH uses the
# first value it reads for a keyword, so an override has to come from a drop-in that
# sorts before this one (e.g. '30-hardening.conf' with 'PasswordAuthentication no')
# or from a replacement entry in sshd__conf; a later file is silently ignored. This
# assumes the sshd_config template Includes sshd_config.d/*.conf ahead of its own
# settings - the template is not shown here.
# sshd__permit_root_login must be quoted when set to 'no', otherwise YAML turns it
# into the boolean false; 'prohibit-password' still allows root login with a key.
- dest: '/etc/ssh/sshd_config.d/40-defaults-authentication.conf'
  content: |-
    PubkeyAuthentication yes
    PasswordAuthentication yes
    KbdInteractiveAuthentication no
    UsePAM yes
    PermitRootLogin {{ sshd__permit_root_login | d('prohibit-password') }}
# sshd conf default template (renders the `content` of an entry as the file body)
sshd__conf_template: '_content_.j2'

# sshd moduli file
sshd__moduli_file: '/etc/ssh/moduli'
# sshd moduli minimal size - when set, Diffie-Hellman groups in the moduli file below
# this size are presumably removed ("Delete small moduli" above); 3071 keeps only
# groups of 3072 bits and larger
#sshd__moduli_minsize: 3071

etc/ssh/sshd_config.d/defaults-cryptography-policy.conf

# sshd cryptography policy ('infosec.mozilla.org', 'ssh-audit.com')
sshd__cryptography_policy: enum('infosec.mozilla.org', 'ssh-audit.com') | d('infosec.mozilla.org')
# NOTE(review): Ansible replaces list variables rather than merging them, so defining
# sshd__conf like this drops the role's default entries (/etc/ssh, sshd_config and the
# 20-/40- drop-ins); restate the ones you still need alongside this entry.
sshd__conf:
- dest: '/etc/ssh/sshd_config.d/20-defaults-cryptography-policy.conf'
  template: 'etc/ssh/sshd_config.d/defaults-cryptography-policy.conf.j2'
  # per-file override of sshd__cryptography_policy (appears to be passed to the template - confirm)
  cryptography_policy: 'ssh-audit.com'

Example Playbook

# full run: install or upgrade the package, write the configuration, start and enable sshd
- hosts: 'all'

  tasks:
  - ansible.builtin.include_role:
      name: 'havlasme.security.sshd'
# configuration only: runs the role's configure tasks (presumably tasks/configure.yml) and
# skips package and service enablement - confirm against the role's tasks/ directory
- hosts: 'all'

  tasks:
  - ansible.builtin.include_role:
      name: 'havlasme.security.sshd'
      tasks_from: 'configure'

License

Apache-2.0

Author Information

Created in 2024 by Tomáš Havlas.