Simple and secure openssh server configuration

defaults/main.yml

@@ -0,0 +1,7 @@
+# List of users for the 'AllowUsers' keyword
+sshd_allow_users:
+  - root
+
+# List of groups for the 'AllowGroups' keyword
+sshd_allow_groups:
+  - root

handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart ssh
+  service:
+    name: ssh
+    state: restarted

readme.md

@@ -0,0 +1,20 @@
+OpenSSH Server
+==============
+
+Ansible role to configure the OpenSSH `ssh` server.
+
+
+Variables
+---------
+
+* `sshd_allow_users` (default `[root]`):
+  List of users for the `AllowUsers` keyword
+
+* `sshd_allow_groups` (default `[root]`):
+  List of groups for the `AllowGroups` keyword
+
+
+References
+----------
+
+* [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)

tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Copy sshd configuration
+  template:
+    src: sshd_config
+    dest: '/etc/ssh/sshd_config'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+    validate: /usr/sbin/sshd -t -f %s
+
+
+- name: Remove unwanted host keys
+  file:
+    path: '/etc/ssh/ssh_host_{{ item }}_key'
+    state: absent
+  with_items:
+    - ecdsa
+    - rsa
+    - dsa
+- file:
+    path: '/etc/ssh/ssh_host_{{ item }}_key.pub'
+    state: absent
+  with_items:
+    - ecdsa
+    - rsa
+    - dsa

templates/sshd_config

@@ -0,0 +1,75 @@
+# Networking
+Port 22
+
+TCPKeepAlive yes
+
+
+# Key exchange
+#KexAlgorithms curve25519-sha256@libssh.org,
+#              diffie-hellman-group-exchange-sha256
+KexAlgorithms curve25519-sha256@libssh.org
+
+
+# Server authentication
+Protocol 2
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Not available in openssh 6.7
+# HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
+
+# Client authentication
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PubkeyAuthentication yes
+
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+
+# User Authentication
+AllowUsers {{ sshd_allow_users|join(' ') }}
+AllowGroups {{ sshd_allow_groups|join(' ') }}
+PermitRootLogin without-password
+
+LoginGraceTime 120
+
+StrictModes yes
+
+# Not available in openssh 6.7
+# PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
+
+
+# Symmetric ciphers
+#Ciphers chacha20-poly1305@openssh.com,
+#        aes256-gcm@openssh.com,
+#        aes128-gcm@openssh.com,
+#        aes256-ctr,
+#        aes192-ctr,
+#        aes128-ctr
+Ciphers chacha20-poly1305@openssh.com
+
+
+# Message authentication codes
+#MACs hmac-sha2-512-etm@openssh.com,
+#     hmac-sha2-256-etm@openssh.com,
+#     hmac-ripemd160-etm@openssh.com,
+#     umac-128-etm@openssh.com,
+#     hmac-sha2-512,
+#     hmac-sha2-256,
+#     hmac-ripemd160,
+#     umac-128@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+PrintMotd no
+
+# sftp (required by ansible)
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+
+# ETC