2018-08-26 17:25:12 +02:00
|
|
|
---
|
2020-09-21 14:51:37 +02:00
|
|
|
# enable option if know that your ssh-server version is over 8.0
|
|
|
|
# sshd__version_is_above_eight: true
|
|
|
|
|
2020-08-04 15:07:02 +02:00
|
|
|
# set the ssh server port
|
|
|
|
sshd__port: 22
|
2020-03-17 15:25:04 +01:00
|
|
|
# ssh password authorisatuin (not recomended)
|
2020-08-04 15:07:02 +02:00
|
|
|
sshd__password_authentication: false
|
2020-03-17 15:25:04 +01:00
|
|
|
# should we disable not selected ssh key types?
|
2020-08-04 15:07:02 +02:00
|
|
|
sshd__manage_key_types: true
|
2020-03-17 15:25:04 +01:00
|
|
|
# choose ssh server allowed key types
|
2020-08-04 15:07:02 +02:00
|
|
|
sshd__key_types:
|
|
|
|
- 'ed25519'
|
|
|
|
# - 'rsa'
|
|
|
|
# - 'ecdsa'
|
|
|
|
# - 'dsa' # (do not use!)
|
2020-03-17 15:25:04 +01:00
|
|
|
|
2020-08-04 15:07:02 +02:00
|
|
|
sshd__key_algorithmus:
|
|
|
|
- 'ssh-ed25519-cert-v01@openssh.com'
|
|
|
|
- 'ssh-ed25519'
|
2020-12-15 21:32:54 +01:00
|
|
|
- 'ecdsa-sha2-nistp521-cert-v01@openssh.com'
|
|
|
|
- 'ecdsa-sha2-nistp384-cert-v01@openssh.com'
|
|
|
|
- 'ecdsa-sha2-nistp256-cert-v01@openssh.com'
|
2020-08-04 15:07:02 +02:00
|
|
|
# - 'rsa-sha2-512-cert-v01@openssh.com'
|
|
|
|
# - 'rsa-sha2-256-cert-v01@openssh.com'
|
|
|
|
# - 'ssh-rsa-cert-v01@openssh.com'
|
|
|
|
# - 'ecdsa-sha2-nistp521'
|
|
|
|
# - 'ecdsa-sha2-nistp384'
|
|
|
|
# - 'ecdsa-sha2-nistp256'
|
|
|
|
# - 'rsa-sha2-512'
|
|
|
|
# - 'rsa-sha2-256'
|
|
|
|
# - 'ssh-rsa'
|
2020-03-17 18:47:15 +01:00
|
|
|
|
2020-08-04 15:07:02 +02:00
|
|
|
sshd__kex_algorithmus:
|
|
|
|
- 'curve25519-sha256@libssh.org'
|
|
|
|
- 'diffie-hellman-group-exchange-sha256'
|
2020-12-15 21:32:54 +01:00
|
|
|
- 'diffie-hellman-group-exchange-sha1'
|
2020-08-04 15:07:02 +02:00
|
|
|
# - 'diffie-hellman-group14-sha1'
|
|
|
|
# - 'diffie-hellman-group1-sha1'
|
2020-03-17 15:25:04 +01:00
|
|
|
|
2020-08-04 15:07:02 +02:00
|
|
|
sshd__ciphers:
|
|
|
|
- 'chacha20-poly1305@openssh.com'
|
|
|
|
- 'aes256-gcm@openssh.com'
|
2020-12-15 21:32:54 +01:00
|
|
|
- 'aes256-ctr'
|
2020-08-04 15:07:02 +02:00
|
|
|
# - 'aes256-cbc'
|
|
|
|
# - 'aes128-ctr'
|
|
|
|
# - 'aes128-cbc'
|
2020-03-17 15:25:04 +01:00
|
|
|
|
2020-08-04 15:07:02 +02:00
|
|
|
sshd__macs:
|
|
|
|
- 'hmac-sha2-512-etm@openssh.com'
|
|
|
|
- 'hmac-sha2-256-etm@openssh.com'
|
2020-12-15 21:32:54 +01:00
|
|
|
- 'hmac-sha2-512'
|
2020-08-04 15:07:02 +02:00
|
|
|
# - 'hmac-sha2-256'
|
|
|
|
# - 'hmac-ripemd160-etm@openssh.com'
|
|
|
|
# - 'umac-128-etm@openssh.com'
|
|
|
|
# - 'hmac-sha1'
|
|
|
|
|
|
|
|
# Enable AllowUsers and AllowGroups options
|
|
|
|
sshd__restrict_users: True
|
|
|
|
sshd__allowed_users:
|
|
|
|
- "root"
|
|
|
|
- "ansible"
|
|
|
|
sshd__restrict_groups: True
|
|
|
|
sshd__allowed_groups:
|
|
|
|
- "root"
|
|
|
|
- "admins"
|
|
|
|
sshd__xforwarding: True
|
2020-03-17 15:25:04 +01:00
|
|
|
|
2020-08-05 15:22:13 +02:00
|
|
|
sshd__state: present # use latest for upgrading
|
|
|
|
|
2020-03-17 15:25:04 +01:00
|
|
|
# perform simple version check for this role? (true is recomended)
|
|
|
|
submodules_versioncheck: false
|