--- # enable option if know that your ssh-server version is over 8.0 # sshd__version_is_above_eight: true # define users for ssh whitelist users: {} # l3d: # - l3d # ottojo: # - ottojo@uni # - ottojo@home # set the ssh server port sshd__port: 22 # ssh password authorisatuin (not recomended) sshd__password_authentication: false # should we disable not selected ssh key types? sshd__manage_key_types: true # choose ssh server allowed key types sshd__key_types: - 'ed25519' # - 'rsa' # - 'ecdsa' # - 'dsa' # (do not use!) sshd__manage_key_algorithmus: true sshd__key_algorithmus: - 'ssh-ed25519-cert-v01@openssh.com' - 'ssh-ed25519' - 'ecdsa-sha2-nistp521-cert-v01@openssh.com' - 'ecdsa-sha2-nistp384-cert-v01@openssh.com' - 'ecdsa-sha2-nistp256-cert-v01@openssh.com' # - 'rsa-sha2-512-cert-v01@openssh.com' # - 'rsa-sha2-256-cert-v01@openssh.com' # - 'ssh-rsa-cert-v01@openssh.com' # - 'ecdsa-sha2-nistp521' # - 'ecdsa-sha2-nistp384' # - 'ecdsa-sha2-nistp256' # - 'rsa-sha2-512' # - 'rsa-sha2-256' # - 'ssh-rsa' sshd__manage_kex_algorithmus: true sshd__kex_algorithmus: - 'curve25519-sha256@libssh.org' - 'diffie-hellman-group-exchange-sha256' - 'diffie-hellman-group-exchange-sha1' # - 'diffie-hellman-group14-sha1' # - 'diffie-hellman-group1-sha1' sshd__manage_ciphers: true sshd__ciphers: - 'chacha20-poly1305@openssh.com' - 'aes256-gcm@openssh.com' - 'aes256-ctr' # - 'aes256-cbc' # - 'aes128-ctr' # - 'aes128-cbc' sshd__manage_macs: true sshd__macs: - 'hmac-sha2-512-etm@openssh.com' - 'hmac-sha2-256-etm@openssh.com' - 'hmac-sha2-512' # - 'hmac-sha2-256' # - 'hmac-ripemd160-etm@openssh.com' # - 'umac-128-etm@openssh.com' # - 'hmac-sha1' # Enable AllowUsers and AllowGroups options sshd__restrict_users: true sshd__allowed_users: - "root" - "ansible" sshd__restrict_groups: true sshd__allowed_groups: - "root" - "admins" sshd__xforwarding: true sshd__state: present # use latest for upgrading # perform simple version check for this role? (true is recomended) submodules_versioncheck: false