2019-05-15 12:37:25 +02:00
|
|
|
OpenSSH Server
|
2018-03-07 03:28:23 +01:00
|
|
|
==============
|
|
|
|
|
|
|
|
Ansible role to configure the OpenSSH `ssh` server.
|
2018-11-12 21:37:43 +01:00
|
|
|
Use Eliptic cureve cryptografie for your ssh keys e.g.:
|
|
|
|
```bash
|
|
|
|
ssh-keygen -t ed25519
|
|
|
|
```
|
2018-03-07 03:28:23 +01:00
|
|
|
|
|
|
|
|
2019-05-15 12:37:25 +02:00
|
|
|
Some Variables explained
|
|
|
|
------------------------------
|
|
|
|
**Remember:** Have a look into ``defaults/main.yml`` for all possible variables.
|
2018-03-07 03:28:23 +01:00
|
|
|
|
2019-05-15 12:37:25 +02:00
|
|
|
```bash
|
|
|
|
restrict_allow_users: True
|
|
|
|
```
|
|
|
|
With tis option you can enable or disable if a user needs to be in a special defined group. Like wheels, sudo or something else.
|
|
|
|
The default ddh groups are ``admins`` and ``root``
|
2018-08-26 17:25:12 +02:00
|
|
|
|
2019-05-15 12:37:25 +02:00
|
|
|
```bash
|
|
|
|
only_allow_ed25519: true
|
|
|
|
```
|
|
|
|
Force ssh to deny all ssh keys except for eliptic curve ed25519 keys.
|
2018-11-12 21:37:43 +01:00
|
|
|
|
2019-05-15 12:37:25 +02:00
|
|
|
```bash
|
|
|
|
sshd_password_authentication: 'no'
|
|
|
|
```
|
|
|
|
Change the string from 'no' to 'yes' if you want to log in with a password (not recomended).
|
|
|
|
|
|
|
|
There are some other cryptographic algorythmen you could enable...
|
|
|
|
|
|
|
|
### Important part:
|
|
|
|
Define the users (and optional their ssh keys) for the ssh config template:
|
2018-11-12 21:37:43 +01:00
|
|
|
```bash
|
|
|
|
users:
|
|
|
|
l3d:
|
|
|
|
- l3d
|
|
|
|
ottojo:
|
|
|
|
- ottojo@uni
|
|
|
|
- ottojo@home
|
|
|
|
```
|
2019-05-15 12:37:25 +02:00
|
|
|
-> This means l3d and ottojo are able to login.
|
|
|
|
|
2018-03-07 03:28:23 +01:00
|
|
|
|
2019-05-15 12:37:25 +02:00
|
|
|
|
|
|
|
Files
|
2018-03-16 04:54:02 +01:00
|
|
|
-----
|
|
|
|
|
|
|
|
* `sshd.conf`:
|
|
|
|
|
|
|
|
|
2019-05-15 12:37:25 +02:00
|
|
|
References
|
2018-03-07 03:28:23 +01:00
|
|
|
----------
|
|
|
|
|
|
|
|
* [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)
|
2019-05-15 12:37:25 +02:00
|
|
|
|
|
|
|
Don't forget:
|
|
|
|
--------------
|
|
|
|
+ This role will not deploy or touch any ssh public keys. There are other roles to do that.
|
|
|
|
+ Be carefull if you don't have a eliptic curve ed25519 key. ``only_allow_ed25519: true`` is the default option.
|
|
|
|
* If you really have to deal with RSA Keys or simmilar, you should think about a backup ed25519 ssh key. Better a backup than beeing locked out!
|