Make sure ssh is more secure and more customizable
This commit is contained in:
parent
a99b2ac6f4
commit
97847cc1d4
3 changed files with 47 additions and 4 deletions
|
@ -13,6 +13,12 @@ sshd_default_allowed_groups:
|
|||
# Enable AllowUsers and AllowGroups options
|
||||
restrict_allow_users: True
|
||||
|
||||
# Require ed25519 key
|
||||
only_allow_ed25519: true
|
||||
|
||||
# Allow login with password?
|
||||
sshd_password_authentication: 'no' # 'yes' or 'no'
|
||||
|
||||
# Allow optional cryptho methods (NOT RECOMENDED)
|
||||
generate_ecdsa_too: false
|
||||
use_diffie-hellman-group-exchange-sha256: false
|
||||
|
|
|
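Review bot: The new variable `use_diffie-hellman-group-exchange-sha256` contains hyphens, which Ansible does not accept in variable names and which Jinja tokenizes as subtraction, so the template test `{% if use_diffie-hellman-group-exchange-sha256 %}` in the sshd_config hunk most likely fails to render (or evaluates undefined names) instead of testing this flag; rename it to `use_diffie_hellman_group_exchange_sha256` both here and in that template condition. Booleans are spelled three ways within this one hunk (`True`, `true`, and the quoted `'no'` for `sshd_password_authentication`); `restrict_allow_users: true` keeps the YAML-truthy style consistent with `only_allow_ed25519`, while the quoted `'no'` is reasonable only if that value is written verbatim into sshd_config as a string, which the visible hunks do not show. The comment above the opt-in algorithms has two typos and would read better as `# Allow optional crypto methods (NOT RECOMMENDED)`.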
@ -29,6 +29,15 @@
|
|||
notify:
|
||||
- restart ssh
|
||||
|
||||
- name: Generate new ecdsa ssh host key pair if necessary
|
||||
become: yes
|
||||
command: ssh-keygen -t ecdsa -f 'ssh_host_ecdsa_key' -P '' -q
|
||||
args:
|
||||
chdir: '/etc/ssh/'
|
||||
creates: 'ssh_host_ecdsa_key.pub'
|
||||
notify:
|
||||
- restart ssh
|
||||
when: generate_ecdsa_too
|
||||
|
||||
- name: Generate new ed25519 ssh host key pair if necessary
|
||||
become: yes
|
||||
|
@ -39,6 +48,18 @@
|
|||
notify:
|
||||
- restart ssh
|
||||
|
||||
- name: Remove unwanted host keys
|
||||
become: yes
|
||||
file:
|
||||
path: '/etc/ssh/ssh_host_{{ item }}_key'
|
||||
state: absent
|
||||
with_items:
|
||||
- rsa
|
||||
- dsa
|
||||
notify:
|
||||
- restart ssh
|
||||
when: generate_ecdsa_too
|
||||
|
||||
- name: Remove unwanted host keys
|
||||
become: yes
|
||||
file:
|
||||
|
@ -50,6 +71,7 @@
|
|||
- dsa
|
||||
notify:
|
||||
- restart ssh
|
||||
when: generate_ecdsa_too == false
|
||||
|
||||
- file:
|
||||
path: '/etc/ssh/ssh_host_{{ item }}_key.pub'
|
||||
|
@ -61,4 +83,15 @@
|
|||
- dsa
|
||||
notify:
|
||||
- restart ssh
|
||||
when: generate_ecdsa_too == false
|
||||
|
||||
- file:
|
||||
path: '/etc/ssh/ssh_host_{{ item }}_key.pub'
|
||||
state: absent
|
||||
become: yes
|
||||
with_items:
|
||||
- rsa
|
||||
- dsa
|
||||
notify:
|
||||
- restart ssh
|
||||
when: generate_ecdsa_too
|
||||
|
|
|
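Review bot: Two tasks in this section now carry the identical name `Remove unwanted host keys` with complementary conditions (`when: generate_ecdsa_too` on the new rsa/dsa-only task, `when: generate_ecdsa_too == false` on the existing one), which makes play output and `--start-at-task` ambiguous; naming the new one `- name: Remove unwanted rsa and dsa host keys (keeping ecdsa)` and writing the inverse as `when: not generate_ecdsa_too` would make the pairing explicit. The unnamed `- file:` tasks that remove the `.pub` halves appear to receive the same pair of conditions and would benefit from names for the same reason, though the final hunk's line count suggests part of that task list is not in view. `become: yes` on the new tasks is a YAML 1.1 truthy spelling; `become: true` matches the `true`/`false` used for the new defaults.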
@ -10,13 +10,16 @@ TCPKeepAlive yes
|
|||
# Key exchange
|
||||
#KexAlgorithms curve25519-sha256@libssh.org,
|
||||
# diffie-hellman-group-exchange-sha256
|
||||
KexAlgorithms curve25519-sha256@libssh.org
|
||||
KexAlgorithms curve25519-sha256@libssh.org{%
|
||||
if use_diffie-hellman-group-exchange-sha256 %},diffie-hellman-group-exchange-sha256{% endif %}
|
||||
|
||||
|
||||
# Server authentication
|
||||
Protocol 2
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
{% if generate_ecdsa_too %}
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
{% endif %}
|
||||
# Not available in openssh 6.7
|
||||
# HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
|
||||
|
||||
|
@ -43,7 +46,8 @@ LoginGraceTime 120
|
|||
StrictModes yes
|
||||
|
||||
# Not available in openssh 6.7
|
||||
# PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
|
||||
{% if only_allow_ed25519 == false %}# {%
|
||||
endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
|
||||
|
||||
|
||||
# Symmetric ciphers
|
||||
|
|
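Review bot: The comment `# Not available in openssh 6.7` directly above the now-conditional `PubkeyAcceptedKeyTypes` line is stale: the directive is no longer permanently commented out but is emitted whenever `only_allow_ed25519` is anything other than a literal boolean false, so the warning now sits on an active line. Replacing it with `# Emitted unless only_allow_ed25519 is false (the directive is not available in openssh 6.7)` keeps the version caveat and documents the switch; the `== false` test also means an undefined or string-valued variable keeps the restriction on, which fails closed and is worth stating in that comment. The commented alternative `#KexAlgorithms curve25519-sha256@libssh.org,` / `# diffie-hellman-group-exchange-sha256` above the new conditional KexAlgorithms line is likewise superseded by the conditional and can be dropped. The rest of the template is not in view, so whether `sshd_password_authentication` and `restrict_allow_users` from the defaults hunk are consumed anywhere cannot be confirmed from here.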