1
0
Fork 0
mirror of https://github.com/roles-ansible/ansible_role_sshd.git synced 2024-08-16 11:59:49 +02:00

Improve documentation

This commit is contained in:
Lilian Roller 2019-05-15 12:37:25 +02:00
parent b973ce9e37
commit 734cd4d234
No known key found for this signature in database
GPG key ID: 5215C3441797AB2B

View file

@ -1,4 +1,4 @@
OpenSSH Server OpenSSH Server
============== ==============
Ansible role to configure the OpenSSH `ssh` server. Ansible role to configure the OpenSSH `ssh` server.
@ -8,14 +8,30 @@ ssh-keygen -t ed25519
``` ```
Variables Some Variables explained
--------- ------------------------------
**Remember:** Have a look into ``defaults/main.yml`` for all possible variables.
* `restrict_allow_users`: enable the `AllowUsers` and `AllowGroups` options. ```bash
restrict_allow_users: True
```
With tis option you can enable or disable if a user needs to be in a special defined group. Like wheels, sudo or something else.
The default ddh groups are ``admins`` and ``root``
+ `users`: which user is allowed to login. ```bash
only_allow_ed25519: true
```
Force ssh to deny all ssh keys except for eliptic curve ed25519 keys.
Example config: ```bash
sshd_password_authentication: 'no'
```
Change the string from 'no' to 'yes' if you want to log in with a password (not recomended).
There are some other cryptographic algorythmen you could enable...
### Important part:
Define the users (and optional their ssh keys) for the ssh config template:
```bash ```bash
users: users:
l3d: l3d:
@ -24,15 +40,23 @@ users:
- ottojo@uni - ottojo@uni
- ottojo@home - ottojo@home
``` ```
*have a look into defaults/main.yml foraditionally informations!* -> This means l3d and ottojo are able to login.
Files
Files
----- -----
* `sshd.conf`: * `sshd.conf`:
References References
---------- ----------
* [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html) * [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)
Don't forget:
--------------
+ This role will not deploy or touch any ssh public keys. There are other roles to do that.
+ Be carefull if you don't have a eliptic curve ed25519 key. ``only_allow_ed25519: true`` is the default option.
* If you really have to deal with RSA Keys or simmilar, you should think about a backup ed25519 ssh key. Better a backup than beeing locked out!