
Make sure ssh is more secure and more customizable

This commit is contained in:
L3D 2019-04-09 22:03:00 +02:00
parent a99b2ac6f4
commit 97847cc1d4
3 changed files with 47 additions and 4 deletions


@ -13,6 +13,12 @@ sshd_default_allowed_groups:
# Enable AllowUsers and AllowGroups options # Enable AllowUsers and AllowGroups options
restrict_allow_users: True restrict_allow_users: True
# Require ed25519 key
only_allow_ed25519: true
# Allow login with password? # Allow login with password?
sshd_password_authentication: 'no' # 'yes' or 'no' sshd_password_authentication: 'no' # 'yes' or 'no'
# Allow optional cryptho methods (NOT RECOMENDED)
generate_ecdsa_too: false
use_diffie-hellman-group-exchange-sha256: false
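Review bot: `use_diffie-hellman-group-exchange-sha256` cannot work as an Ansible variable name: hyphens are not allowed (names are letters, digits and underscores), and in the template hunk `{% if use_diffie-hellman-group-exchange-sha256 %}` Jinja parses the name as `use_diffie - hellman - group - exchange - sha256`, five undefined names. Rename it to `use_diffie_hellman_group_exchange_sha256: false` here and in the template's `{% if %}` so the toggle actually evaluates. The comment introducing the two new toggles has typos as well; `# Allow optional crypto methods (NOT RECOMMENDED)` would do.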


@ -29,6 +29,15 @@
notify: notify:
- restart ssh - restart ssh
- name: Generate new ecdsa ssh host key pair if necessary
become: yes
command: ssh-keygen -t ecdsa -f 'ssh_host_ecdsa_key' -P '' -q
args:
chdir: '/etc/ssh/'
creates: 'ssh_host_ecdsa_key.pub'
notify:
- restart ssh
when: generate_ecdsa_too
- name: Generate new ed25519 ssh host key pair if necessary - name: Generate new ed25519 ssh host key pair if necessary
become: yes become: yes
@ -39,6 +48,18 @@
notify: notify:
- restart ssh - restart ssh
- name: Remove unwanted host keys
become: yes
file:
path: '/etc/ssh/ssh_host_{{ item }}_key'
state: absent
with_items:
- rsa
- dsa
notify:
- restart ssh
when: generate_ecdsa_too
- name: Remove unwanted host keys - name: Remove unwanted host keys
become: yes become: yes
file: file:
@ -50,6 +71,7 @@
- dsa - dsa
notify: notify:
- restart ssh - restart ssh
when: generate_ecdsa_too == false
- file: - file:
path: '/etc/ssh/ssh_host_{{ item }}_key.pub' path: '/etc/ssh/ssh_host_{{ item }}_key.pub'
@ -61,4 +83,15 @@
- dsa - dsa
notify: notify:
- restart ssh - restart ssh
when: generate_ecdsa_too == false
- file:
path: '/etc/ssh/ssh_host_{{ item }}_key.pub'
state: absent
become: yes
with_items:
- rsa
- dsa
notify:
- restart ssh
when: generate_ecdsa_too
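Review bot: The host-key removal tasks now come in pairs that differ only in their item list and an inverted `when`, which is fragile duplication: the new `- name: Remove unwanted host keys … when: generate_ecdsa_too` task (and its `.pub` twin in the last hunk) could be folded into the pre-existing task by computing the list once, e.g. `with_items: "{{ ['rsa', 'dsa'] + ([] if generate_ecdsa_too else ['ecdsa']) }}"`, assuming the pre-existing list, whose start lies outside the hunk, is rsa/dsa/ecdsa. Two tasks sharing the name "Remove unwanted host keys" also make play output ambiguous when one of them is skipped. Style: `when: generate_ecdsa_too == false` reads more idiomatically as `when: not generate_ecdsa_too`, and the new tasks' `become: yes` would be `become: true` under the lowercase-boolean convention the defaults file uses for `only_allow_ed25519`.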


@ -10,13 +10,16 @@ TCPKeepAlive yes
# Key exchange # Key exchange
#KexAlgorithms curve25519-sha256@libssh.org, #KexAlgorithms curve25519-sha256@libssh.org,
# diffie-hellman-group-exchange-sha256 # diffie-hellman-group-exchange-sha256
KexAlgorithms curve25519-sha256@libssh.org KexAlgorithms curve25519-sha256@libssh.org{%
if use_diffie-hellman-group-exchange-sha256 %},diffie-hellman-group-exchange-sha256{% endif %}
# Server authentication # Server authentication
Protocol 2 Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
{% if generate_ecdsa_too %}
HostKey /etc/ssh/ssh_host_ecdsa_key
{% endif %}
# Not available in openssh 6.7 # Not available in openssh 6.7
# HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
@ -43,7 +46,8 @@ LoginGraceTime 120
StrictModes yes StrictModes yes
# Not available in openssh 6.7 # Not available in openssh 6.7
# PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 {% if only_allow_ed25519 == false %}# {%
endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
# Symmetric ciphers # Symmetric ciphers
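Review bot: With the new default `only_allow_ed25519: true`, the second hunk renders `PubkeyAcceptedKeyTypes` uncommented on every host, while the retained comment directly above still says the option is not available in OpenSSH 6.7; sshd rejects unknown directives at startup, so the handler's restart would leave such a host without a listening sshd. Either default the variable to `false` or gate the line additionally on a detected OpenSSH version, and, if the role's template task (outside this page) does not already do so, add `validate: '/usr/sbin/sshd -t -f %s'` to it so a rendered config that sshd cannot parse is never installed. `{% if only_allow_ed25519 == false %}` reads more naturally as `{% if not only_allow_ed25519 %}`. In the first hunk, enabling the group-exchange method also makes sshd draw groups from its moduli file, which this commit does not manage; a comment noting that dependency next to the `KexAlgorithms` line would help.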