ansible_role_sshd/defaults/main.yml

---
sshd:
  # set the ssh server port
  port: 22
  # ssh password authorisatuin (not recomended)
  password_authentication: false
  # should we disable not selected ssh key types?
  manage_key_types: true
  # choose ssh server allowed key types
  key_types:
    - ed25519
    # - rsa
    # - ecdsa
    # - dsa # (do not use!)

  kex_algorithmus:
    - 'curve25519-sha256@libssh.org'
    - 'diffie-hellman-group-exchange-sha256'
    # - 'diffie-hellman-group-exchange-sha1'
    # - 'diffie-hellman-group14-sha1'
    # - 'diffie-hellman-group1-sha1'

  ciphers:
    - 'chacha20-poly1305@openssh.com'
    - 'aes256-gcm@openssh.com'
    # - 'aes256-ctr'
    # - 'aes256-cbc'
    # - 'aes128-ctr'
    # - 'aes128-cbc'
  macs:
    - 'hmac-sha2-512-etm@openssh.com'
    - 'hmac-sha2-256-etm@openssh.com'
    # - 'hmac-sha2-512'
    # - 'hmac-sha2-256'
    # - 'hmac-ripemd160-etm@openssh.com'
    # - 'umac-128-etm@openssh.com'
    # - 'hmac-sha1'


#
# default users for SSH access
#sshd_default_allowed_users:
#  - "root"
#  - "ansible"
#
## don't forget to add the ssh_access group!
#sshd_default_allowed_groups:
#  - "root"
#  - "admins"
##
## Enable AllowUsers and AllowGroups options
#restrict_allow_users: True
#
### Forcing only ed25519 SSH keys
#only_allow_ed25519: true
#
## Allow login with password?
#
### Allow optional cryptho methods (NOT RECOMENDED)
#generate_ecdsa_too: false
#use_diffie_hellman_group_exchange_sha256: false
#u#se_aes256_ctr: false
#u#se_hmac_sha2_512: false
###
#do_not_delete_legacy_ssh_keys: true

# perform simple version check for this role? (true is recomended)
submodules_versioncheck: false
Optionally disable Allow[Users,Groups] options 2018-08-26 17:25:12 +02:00			`---`
start rewrite default variables 2020-03-17 15:25:04 +01:00			`sshd:`
			`# set the ssh server port`
			`port: 22`
			`# ssh password authorisatuin (not recomended)`
			`password_authentication: false`
			`# should we disable not selected ssh key types?`
			`manage_key_types: true`
			`# choose ssh server allowed key types`
			`key_types:`
			`- ed25519`
			`# - rsa`
			`# - ecdsa`
			`# - dsa # (do not use!)`

update cipher and mac 2020-03-17 17:25:08 +01:00			`kex_algorithmus:`
			`- 'curve25519-sha256@libssh.org'`
			`- 'diffie-hellman-group-exchange-sha256'`
			`# - 'diffie-hellman-group-exchange-sha1'`
			`# - 'diffie-hellman-group14-sha1'`
			`# - 'diffie-hellman-group1-sha1'`
start rewrite default variables 2020-03-17 15:25:04 +01:00
update cipher and mac 2020-03-17 17:25:08 +01:00			`ciphers:`
			`- 'chacha20-poly1305@openssh.com'`
			`- 'aes256-gcm@openssh.com'`
			`# - 'aes256-ctr'`
			`# - 'aes256-cbc'`
			`# - 'aes128-ctr'`
			`# - 'aes128-cbc'`
			`macs:`
			`- 'hmac-sha2-512-etm@openssh.com'`
			`- 'hmac-sha2-256-etm@openssh.com'`
			`# - 'hmac-sha2-512'`
			`# - 'hmac-sha2-256'`
			`# - 'hmac-ripemd160-etm@openssh.com'`
			`# - 'umac-128-etm@openssh.com'`
			`# - 'hmac-sha1'`
start rewrite default variables 2020-03-17 15:25:04 +01:00
update cipher and mac 2020-03-17 17:25:08 +01:00


			`#`
			`# default users for SSH access`
start rewrite default variables 2020-03-17 15:25:04 +01:00			`#sshd_default_allowed_users:`
			`# - "root"`
			`# - "ansible"`
			`#`
			`## don't forget to add the ssh_access group!`
			`#sshd_default_allowed_groups:`
			`# - "root"`
			`# - "admins"`
			`##`
			`## Enable AllowUsers and AllowGroups options`
			`#restrict_allow_users: True`
			`#`
			`### Forcing only ed25519 SSH keys`
			`#only_allow_ed25519: true`
			`#`
			`## Allow login with password?`
			`#`
			`### Allow optional cryptho methods (NOT RECOMENDED)`
			`#generate_ecdsa_too: false`
			`#use_diffie_hellman_group_exchange_sha256: false`
			`#u#se_aes256_ctr: false`
			`#u#se_hmac_sha2_512: false`
			`###`
			`#do_not_delete_legacy_ssh_keys: true`

			`# perform simple version check for this role? (true is recomended)`
			`submodules_versioncheck: false`