2018-08-26 17:25:12 +02:00
|
|
|
---
|
2020-03-17 15:25:04 +01:00
|
|
|
sshd:
|
|
|
|
# set the ssh server port
|
|
|
|
port: 22
|
|
|
|
# ssh password authorisatuin (not recomended)
|
|
|
|
password_authentication: false
|
|
|
|
# should we disable not selected ssh key types?
|
|
|
|
manage_key_types: true
|
|
|
|
# choose ssh server allowed key types
|
|
|
|
key_types:
|
|
|
|
- ed25519
|
|
|
|
# - rsa
|
|
|
|
# - ecdsa
|
|
|
|
# - dsa # (do not use!)
|
|
|
|
|
2020-03-17 18:47:15 +01:00
|
|
|
key_algorithmus:
|
|
|
|
- 'ssh-ed25519-cert-v01@openssh.com'
|
|
|
|
- 'ssh-ed25519'
|
|
|
|
# - 'ecdsa-sha2-nistp521-cert-v01@openssh.com'
|
|
|
|
# - 'ecdsa-sha2-nistp384-cert-v01@openssh.com'
|
|
|
|
# - 'ecdsa-sha2-nistp256-cert-v01@openssh.com'
|
|
|
|
# - 'rsa-sha2-512-cert-v01@openssh.com'
|
|
|
|
# - 'rsa-sha2-256-cert-v01@openssh.com'
|
|
|
|
# - 'ssh-rsa-cert-v01@openssh.com'
|
|
|
|
# - 'ecdsa-sha2-nistp521'
|
|
|
|
# - 'ecdsa-sha2-nistp384'
|
|
|
|
# - 'ecdsa-sha2-nistp256'
|
|
|
|
# - 'rsa-sha2-512'
|
|
|
|
# - 'rsa-sha2-256'
|
|
|
|
# - 'ssh-rsa'
|
|
|
|
|
2020-03-17 17:25:08 +01:00
|
|
|
kex_algorithmus:
|
|
|
|
- 'curve25519-sha256@libssh.org'
|
|
|
|
- 'diffie-hellman-group-exchange-sha256'
|
|
|
|
# - 'diffie-hellman-group-exchange-sha1'
|
|
|
|
# - 'diffie-hellman-group14-sha1'
|
|
|
|
# - 'diffie-hellman-group1-sha1'
|
2020-03-17 15:25:04 +01:00
|
|
|
|
2020-03-17 17:25:08 +01:00
|
|
|
ciphers:
|
|
|
|
- 'chacha20-poly1305@openssh.com'
|
|
|
|
- 'aes256-gcm@openssh.com'
|
|
|
|
# - 'aes256-ctr'
|
|
|
|
# - 'aes256-cbc'
|
|
|
|
# - 'aes128-ctr'
|
|
|
|
# - 'aes128-cbc'
|
|
|
|
macs:
|
|
|
|
- 'hmac-sha2-512-etm@openssh.com'
|
|
|
|
- 'hmac-sha2-256-etm@openssh.com'
|
|
|
|
# - 'hmac-sha2-512'
|
|
|
|
# - 'hmac-sha2-256'
|
|
|
|
# - 'hmac-ripemd160-etm@openssh.com'
|
|
|
|
# - 'umac-128-etm@openssh.com'
|
|
|
|
# - 'hmac-sha1'
|
2020-03-17 15:25:04 +01:00
|
|
|
|
2020-03-17 17:25:08 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# default users for SSH access
|
2020-03-17 15:25:04 +01:00
|
|
|
#sshd_default_allowed_users:
|
|
|
|
# - "root"
|
|
|
|
# - "ansible"
|
|
|
|
#
|
|
|
|
## don't forget to add the ssh_access group!
|
|
|
|
#sshd_default_allowed_groups:
|
|
|
|
# - "root"
|
|
|
|
# - "admins"
|
|
|
|
##
|
|
|
|
## Enable AllowUsers and AllowGroups options
|
|
|
|
#restrict_allow_users: True
|
|
|
|
#
|
|
|
|
### Forcing only ed25519 SSH keys
|
|
|
|
#only_allow_ed25519: true
|
|
|
|
#
|
|
|
|
## Allow login with password?
|
|
|
|
#
|
|
|
|
### Allow optional cryptho methods (NOT RECOMENDED)
|
|
|
|
#generate_ecdsa_too: false
|
|
|
|
#use_diffie_hellman_group_exchange_sha256: false
|
|
|
|
#u#se_aes256_ctr: false
|
|
|
|
#u#se_hmac_sha2_512: false
|
|
|
|
###
|
|
|
|
#do_not_delete_legacy_ssh_keys: true
|
|
|
|
|
|
|
|
# perform simple version check for this role? (true is recomended)
|
|
|
|
submodules_versioncheck: false
|