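---
# enable this option if you know that your ssh-server version is above 8.0
# sshd__version_is_above_eight: true

# define users for the ssh whitelist
users: {}
#  l3d:
#    - l3d
#  ottojo:
#    - ottojo@uni
#    - ottojo@home

# set the ssh server port
sshd__port: 22

# ssh password authentication (not recommended)
sshd__password_authentication: false

# should we disable not selected ssh key types?
sshd__manage_key_types: true

# choose ssh server allowed key types
sshd__key_types:
  - 'ed25519'
  # - 'rsa'
  # - 'ecdsa'
  # - 'dsa'  # (do not use!)

# NOTE(review): each sshd__manage_* switch presumably decides whether the
# role enforces the list that follows it - confirm against the templates.

# key algorithms; entries left commented out are not offered
sshd__manage_key_algorithmus: true
sshd__key_algorithmus:
  - 'ssh-ed25519-cert-v01@openssh.com'
  - 'ssh-ed25519'
  - 'ecdsa-sha2-nistp521-cert-v01@openssh.com'
  - 'ecdsa-sha2-nistp384-cert-v01@openssh.com'
  - 'ecdsa-sha2-nistp256-cert-v01@openssh.com'
  # - 'rsa-sha2-512-cert-v01@openssh.com'
  # - 'rsa-sha2-256-cert-v01@openssh.com'
  # - 'ssh-rsa-cert-v01@openssh.com'
  # - 'ecdsa-sha2-nistp521'
  # - 'ecdsa-sha2-nistp384'
  # - 'ecdsa-sha2-nistp256'
  # - 'rsa-sha2-512'
  # - 'rsa-sha2-256'
  # - 'ssh-rsa'

# key exchange algorithms
sshd__manage_kex_algorithmus: true
sshd__kex_algorithmus:
  - 'curve25519-sha256@libssh.org'
  - 'diffie-hellman-group-exchange-sha256'
  # SHA-1 based key exchange stays disabled, like hmac-sha1 in the MAC
  # list; enable an entry only for legacy clients that offer nothing
  # stronger
  # - 'diffie-hellman-group-exchange-sha1'
  # - 'diffie-hellman-group14-sha1'
  # - 'diffie-hellman-group1-sha1'

# symmetric ciphers; the CBC and 128-bit variants are left disabled
sshd__manage_ciphers: true
sshd__ciphers:
  - 'chacha20-poly1305@openssh.com'
  - 'aes256-gcm@openssh.com'
  - 'aes256-ctr'
  # - 'aes256-cbc'
  # - 'aes128-ctr'
  # - 'aes128-cbc'

# message authentication codes
sshd__manage_macs: true
sshd__macs:
  - 'hmac-sha2-512-etm@openssh.com'
  - 'hmac-sha2-256-etm@openssh.com'
  - 'hmac-sha2-512'
  # - 'hmac-sha2-256'
  # - 'hmac-ripemd160-etm@openssh.com'
  # - 'umac-128-etm@openssh.com'
  # - 'hmac-sha1'

# Enable AllowUsers and AllowGroups options
sshd__restrict_users: true
# NOTE(review): root is on the allow-list by default; remove it on hosts
# where direct root logins over ssh are not required
sshd__allowed_users:
  - "root"
  - "ansible"
sshd__restrict_groups: true
sshd__allowed_groups:
  - "root"
  - "admins"

# X11 forwarding is enabled by default here
# NOTE(review): set this to false on hosts where no graphical
# applications are tunnelled over ssh
sshd__xforwarding: true

sshd__state: present  # use latest for upgrading

# perform simple version check for this role? (true is recommended)
# NOTE(review): the value set here is false, which is not the
# recommended setting
submodules_versioncheck: false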