ansible_role_sshd/defaults/main.yml

---
sshd:
  # set the ssh server port
  port: 22
  # ssh password authorisatuin (not recomended)
  password_authentication: false
  # should we disable not selected ssh key types?
  manage_key_types: true
  # choose ssh server allowed key types
  key_types:
    - ed25519
    # - rsa
    # - ecdsa
    # - dsa # (do not use!)

  key_algorithmus:
    - 'ssh-ed25519-cert-v01@openssh.com'
    - 'ssh-ed25519'
    # - 'ecdsa-sha2-nistp521-cert-v01@openssh.com'
    # - 'ecdsa-sha2-nistp384-cert-v01@openssh.com'
    # - 'ecdsa-sha2-nistp256-cert-v01@openssh.com'
    # - 'rsa-sha2-512-cert-v01@openssh.com'
    # - 'rsa-sha2-256-cert-v01@openssh.com'
    # - 'ssh-rsa-cert-v01@openssh.com'
    # - 'ecdsa-sha2-nistp521'
    # - 'ecdsa-sha2-nistp384'
    # - 'ecdsa-sha2-nistp256'
    # - 'rsa-sha2-512'
    # - 'rsa-sha2-256'
    # - 'ssh-rsa'

  kex_algorithmus:
    - 'curve25519-sha256@libssh.org'
    - 'diffie-hellman-group-exchange-sha256'
    # - 'diffie-hellman-group-exchange-sha1'
    # - 'diffie-hellman-group14-sha1'
    # - 'diffie-hellman-group1-sha1'

  ciphers:
    - 'chacha20-poly1305@openssh.com'
    - 'aes256-gcm@openssh.com'
    # - 'aes256-ctr'
    # - 'aes256-cbc'
    # - 'aes128-ctr'
    # - 'aes128-cbc'
  macs:
    - 'hmac-sha2-512-etm@openssh.com'
    - 'hmac-sha2-256-etm@openssh.com'
    # - 'hmac-sha2-512'
    # - 'hmac-sha2-256'
    # - 'hmac-ripemd160-etm@openssh.com'
    # - 'umac-128-etm@openssh.com'
    # - 'hmac-sha1'
  # Enable AllowUsers and AllowGroups options
  restrict_users: True
  allowed_users:
    - "root"
    - "ansible"
  restrict_groups: True
  allowed_groups:
    - "root"
    - "admins"
  xforwarding: True

#
### Forcing only ed25519 SSH keys
#only_allow_ed25519: true
#
## Allow login with password?
#
### Allow optional cryptho methods (NOT RECOMENDED)
#generate_ecdsa_too: false
#use_diffie_hellman_group_exchange_sha256: false
#u#se_aes256_ctr: false
#u#se_hmac_sha2_512: false
###
#do_not_delete_legacy_ssh_keys: true

# perform simple version check for this role? (true is recomended)
submodules_versioncheck: false
Optionally disable Allow[Users,Groups] options 2018-08-26 17:25:12 +02:00			`---`
start rewrite default variables 2020-03-17 15:25:04 +01:00			`sshd:`
			`# set the ssh server port`
			`port: 22`
			`# ssh password authorisatuin (not recomended)`
			`password_authentication: false`
			`# should we disable not selected ssh key types?`
			`manage_key_types: true`
			`# choose ssh server allowed key types`
			`key_types:`
			`- ed25519`
			`# - rsa`
			`# - ecdsa`
			`# - dsa # (do not use!)`

update cypher and hostkeys 2020-03-17 18:47:15 +01:00			`key_algorithmus:`
			`- 'ssh-ed25519-cert-v01@openssh.com'`
			`- 'ssh-ed25519'`
			`# - 'ecdsa-sha2-nistp521-cert-v01@openssh.com'`
			`# - 'ecdsa-sha2-nistp384-cert-v01@openssh.com'`
			`# - 'ecdsa-sha2-nistp256-cert-v01@openssh.com'`
			`# - 'rsa-sha2-512-cert-v01@openssh.com'`
			`# - 'rsa-sha2-256-cert-v01@openssh.com'`
			`# - 'ssh-rsa-cert-v01@openssh.com'`
			`# - 'ecdsa-sha2-nistp521'`
			`# - 'ecdsa-sha2-nistp384'`
			`# - 'ecdsa-sha2-nistp256'`
			`# - 'rsa-sha2-512'`
			`# - 'rsa-sha2-256'`
			`# - 'ssh-rsa'`

update cipher and mac 2020-03-17 17:25:08 +01:00			`kex_algorithmus:`
			`- 'curve25519-sha256@libssh.org'`
			`- 'diffie-hellman-group-exchange-sha256'`
			`# - 'diffie-hellman-group-exchange-sha1'`
			`# - 'diffie-hellman-group14-sha1'`
			`# - 'diffie-hellman-group1-sha1'`
start rewrite default variables 2020-03-17 15:25:04 +01:00
update cipher and mac 2020-03-17 17:25:08 +01:00			`ciphers:`
			`- 'chacha20-poly1305@openssh.com'`
			`- 'aes256-gcm@openssh.com'`
			`# - 'aes256-ctr'`
			`# - 'aes256-cbc'`
			`# - 'aes128-ctr'`
			`# - 'aes128-cbc'`
			`macs:`
			`- 'hmac-sha2-512-etm@openssh.com'`
			`- 'hmac-sha2-256-etm@openssh.com'`
			`# - 'hmac-sha2-512'`
			`# - 'hmac-sha2-256'`
			`# - 'hmac-ripemd160-etm@openssh.com'`
			`# - 'umac-128-etm@openssh.com'`
			`# - 'hmac-sha1'`
creating users + groups auth 2020-03-18 11:30:48 +01:00			`# Enable AllowUsers and AllowGroups options`
			`restrict_users: True`
			`allowed_users:`
			`- "root"`
			`- "ansible"`
			`restrict_groups: True`
			`allowed_groups:`
			`- "root"`
			`- "admins"`
improve support for ssh host key types 2020-03-18 11:50:38 +01:00			`xforwarding: True`
start rewrite default variables 2020-03-17 15:25:04 +01:00
			`#`
			`### Forcing only ed25519 SSH keys`
			`#only_allow_ed25519: true`
			`#`
			`## Allow login with password?`
			`#`
			`### Allow optional cryptho methods (NOT RECOMENDED)`
			`#generate_ecdsa_too: false`
			`#use_diffie_hellman_group_exchange_sha256: false`
			`#u#se_aes256_ctr: false`
			`#u#se_hmac_sha2_512: false`
			`###`
			`#do_not_delete_legacy_ssh_keys: true`

			`# perform simple version check for this role? (true is recomended)`
			`submodules_versioncheck: false`