
improve support for ssh host key types

This commit is contained in:
Lilian Roller 2020-03-18 11:50:38 +01:00
parent 025ebcec25
commit 9768133a23
No known key found for this signature in database
GPG key ID: 5215C3441797AB2B
4 changed files with 21 additions and 27 deletions


@ -60,6 +60,7 @@ sshd:
allowed_groups: allowed_groups:
- "root" - "root"
- "admins" - "admins"
xforwarding: True
# #
### Forcing only ed25519 SSH keys ### Forcing only ed25519 SSH keys
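Review bot: The new `xforwarding: True` default switches on X11 forwarding for every host using the role, which widens the attack surface (a compromised or malicious server can reach the connecting client's X display); a hardening role should default this to off and let users opt in, `xforwarding: false`. Independently of the chosen value, write the boolean in canonical lowercase (`true`/`false`) rather than `True`, which yamllint's truthy rule flags and which is the only capitalised boolean in the visible `sshd:` mapping. The enclosing `sshd:` mapping starts before this hunk.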


@ -31,31 +31,20 @@
backup: yes backup: yes
notify: notify:
- systemctrl restart ssh - systemctrl restart ssh
- name: Generate new ssh host key pair if necessary
become: yes
command: ssh-keygen -t ecdsa -f 'ssh_host_{{ item }}_key' -P '' -q
args:
chdir: '/etc/ssh/'
creates: 'ssh_host_{{ item }}_key.pub'
notify:
- systemctrl restart ssh
with_items: "{{ sshd.key_types }}"
when:
- sshd.manage_key_types | bool
- pause: - pause:
- name: Generate new ecdsa ssh host key pair if necessary
become: yes
command: ssh-keygen -t ecdsa -f 'ssh_host_ecdsa_key' -P '' -q
args:
chdir: '/etc/ssh/'
creates: 'ssh_host_ecdsa_key.pub'
notify:
- systemctrl restart ssh
when:
- generate_ecdsa_too | bool
- name: Generate new ed25519 ssh host key pair if necessary
become: yes
command: ssh-keygen -t ed25519 -f 'ssh_host_ed25519_key' -P '' -q
args:
chdir: '/etc/ssh/'
creates: 'ssh_host_ed25519_key.pub'
notify:
- systemctrl restart ssh
when:
- ansible_distribution_release != 'wheezy'
- name: Remove unwanted host keys - name: Remove unwanted host keys
become: yes become: yes
file: file:
@ -66,10 +55,6 @@
- dsa - dsa
notify: notify:
- systemctrl restart ssh - systemctrl restart ssh
when:
- generate_ecdsa_too | bool
- ansible_distribution_release != 'wheezy'
- do_not_delete_legacy_ssh_keys | bool
- name: Remove unwanted host keys - name: Remove unwanted host keys
become: yes become: yes
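Review bot: The new `Generate new ssh host key pair if necessary` task loops over `sshd.key_types` but hard-codes `-t ecdsa`, so an item such as `ed25519` yields an ECDSA key written to `ssh_host_ed25519_key`, a file sshd will then load as the wrong key type; the type should follow the loop item, `command: ssh-keygen -t {{ item }} -f 'ssh_host_{{ item }}_key' -P '' -q`. Because `item` is interpolated into the command and the file name, an `assert` that each entry of `sshd.key_types` is one of the key types ssh-keygen accepts, placed before the loop, would make a typo in the variable fail with a clear message instead of an ssh-keygen error. The second hunk of this file removes the `when:` guard from the following `Remove unwanted host keys` task, so the dsa key deletion now appears to run unconditionally; if `do_not_delete_legacy_ssh_keys` is still meant to be honoured, that guard should stay. The task list continues outside both hunks.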


@ -58,6 +58,12 @@ PubkeyAuthentication yes
PermitRootLogin without-password PermitRootLogin without-password
LoginGraceTime 120 LoginGraceTime 120
StrictModes yes StrictModes yes
X11Forwarding
{%- if sshd.xforwarding | bool -%}
{{ ' yes' }}
{% else -%}
{{ ' no' }}
{% endif %}
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
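Review bot: The six-line Jinja block for `X11Forwarding` mixes `{%-`/`-%}` whitespace control with `{{ ' yes' }}` expressions that carry their own leading space, and whether it renders as exactly one line depends on the template module's trim settings; the same value is clearer and less fragile as one line, `X11Forwarding {{ 'yes' if sshd.xforwarding | bool else 'no' }}`. That form also matches the single-line `Option value` style of the surrounding directives in the template.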


@ -1,2 +1,4 @@
--- ---
sshd_service: ssh sshd_service: ssh
sshd_xauth:
- xorg-xauth
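Review bot: `sshd_xauth` is introduced here but nothing in the visible diff consumes it, so it is presumably read by an install task outside these four files; if so, that task should be conditioned on `sshd.xforwarding | bool` so the xauth package is only pulled onto hosts that actually enable X11 forwarding. If no consumer exists, the variable is dead configuration and the comment or task that uses it should be added in the same commit.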