From 734cd4d2349cce9cb8a68d262f13b8942eb91f26 Mon Sep 17 00:00:00 2001 From: Lilian Roller Date: Wed, 15 May 2019 12:37:25 +0200 Subject: [PATCH] Improve documentation --- README.md | 42 +++++++++++++++++++++++++++++++++--------- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 29582d5..a70ed28 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -OpenSSH Server + OpenSSH Server ============== Ansible role to configure the OpenSSH `ssh` server. @@ -8,14 +8,30 @@ ssh-keygen -t ed25519 ``` -Variables ---------- + Some Variables explained +------------------------------ +**Remember:** Have a look into ``defaults/main.yml`` for all possible variables. -* `restrict_allow_users`: enable the `AllowUsers` and `AllowGroups` options. +```bash +restrict_allow_users: True +``` +With tis option you can enable or disable if a user needs to be in a special defined group. Like wheels, sudo or something else. +The default ddh groups are ``admins`` and ``root`` -+ `users`: which user is allowed to login. +```bash +only_allow_ed25519: true +``` +Force ssh to deny all ssh keys except for eliptic curve ed25519 keys. -Example config: +```bash +sshd_password_authentication: 'no' +``` +Change the string from 'no' to 'yes' if you want to log in with a password (not recomended). + +There are some other cryptographic algorythmen you could enable... + +### Important part: +Define the users (and optional their ssh keys) for the ssh config template: ```bash users: l3d: 
@@ -24,15 +40,23 @@ users: - ottojo@uni - ottojo@home ``` -*have a look into defaults/main.yml foraditionally informations!* +-> This means l3d and ottojo are able to login. -Files + + + Files ----- * `sshd.conf`: -References + References ---------- * [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html) + + Don't forget: +-------------- + + This role will not deploy or touch any ssh public keys. There are other roles to do that. + + Be carefull if you don't have a eliptic curve ed25519 key. ``only_allow_ed25519: true`` is the default option. + * If you really have to deal with RSA Keys or simmilar, you should think about a backup ed25519 ssh key. Better a backup than beeing locked out!
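Review bot: In the first hunk (`@@ -1,4 +1,4 @@`) the only change is a stray leading space in front of the setext heading, `-OpenSSH Server` becoming `+ OpenSSH Server`, which looks accidental and leaves the title no longer aligned with its `==============` underline; drop the space unless the indentation is intended.

Review bot: In the second hunk (`@@ -8,14 +8,30 @@`) the rewritten `restrict_allow_users` text loses the information the deleted bullet carried: the old line said the option "enable[s] the `AllowUsers` and `AllowGroups` options", while the new paragraph only says a user "needs to be in a special defined group", so a reader can no longer tell which `sshd_config` directives the variable actually sets; keep the `AllowUsers`/`AllowGroups` reference in the new paragraph. Two smaller points in the same hunk: the three new fences are tagged ` ```bash ` but contain Ansible/YAML variables (`restrict_allow_users: True`, `only_allow_ed25519: true`), so ` ```yaml ` is the right tag, and the booleans should use one casing (`True` vs `true`). The quoting in `sshd_password_authentication: 'no'` is correct and should stay quoted, since an unquoted `no` is parsed as a YAML boolean rather than the literal string sshd expects; a one-line comment saying so would save future edits. Finally, the sentence "There are some other cryptographic algorythmen you could enable..." says nothing actionable and either needs the variable names or should go, and the hunk has several typos worth fixing before merge: "tis" (this), "wheels" (the group is `wheel`), "eliptic" (elliptic), "recomended" (recommended), "algorythmen" (algorithms), "optional their ssh keys" (optionally). The `### Important part:` ATX heading also mixes with the setext headings used everywhere else in the file.

Review bot: In the third hunk (`@@ -24,15 +40,23 @@`) the new "Don't forget" section is the most useful addition in the patch, because it states the lockout risk plainly ("``only_allow_ed25519: true`` is the default option" and "This role will not deploy or touch any ssh public keys"), but it is placed after the References list where a reader who only skims the variable section will miss it; consider moving it up next to the `only_allow_ed25519` variable, or at least referencing it there. The same stray leading spaces from hunk one appear again on `+ Files`, `+ References` and `+ Don't forget:`, and the extra blank `+` lines before `Files` add nothing. The unchanged context line "* `sshd.conf`:" still has no description, which this documentation pass could fill in. Spelling to fix in the new lines: "carefull" (careful), "a eliptic" (an elliptic), "simmilar" (similar), "beeing" (being).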