mirror of https://github.com/roles-ansible/ansible_role_sshd.git synced 2024-08-16 11:59:49 +02:00
Ansible role to configure and secure sshd and optionally add a whitelist for users, groups and SSH keys.

Ansible Galaxy MIT License

OpenSSH Server

Ansible role to configure the OpenSSH server (sshd). The main goal of this role is to manage the sshd.conf file, plus some additional parts such as deploying the defined SSH host keys at the configured path.

Pro Tip

Use elliptic curve cryptography for your SSH keys:

ssh-keygen -t ed25519

The default values of this role only allow ed25519 keys, but you can change that if you like.

combinations

It is highly recommended to use this role together with a role to manage users and to manage the sshd configuration.
The following roles are tested in combination and work well - at least for the user DO1JLR:

Some Variables explained

Remember: Have a look into defaults/main.yml for all possible variables.

  • SSH Port
    The OpenSSH Port is defined with the variable sshd__port: 22. Change it if you wish.

  • Allowed Users and Groups
    The default users that are allowed to log in come from the users: {} list.
    The same users: {} variable is used in the other recommended SSH roles.
    An example that allows login for the users and groups called l3d and ottojo is:

users:
  l3d:
    - l3d
  ottojo:
    - ottojo@uni
    - ottojo@home

  • SSH Login via Password
    SSH password authentication is disabled via sshd__password_authentication: false. With this setting you cannot use your password to log in via SSH.

  • Manage SSH Key Types
    By default this role configures which SSH key types are allowed to log in. If you don't want the role to define that, change the sshd__manage_key_types: true variable.

  • Define allowed ssh key types
    The allowed SSH key types are defined with this list. Some of them are commented out.
    Please note that by default only ed25519 keys are allowed. Keep that in mind if you are using an RSA key.

  sshd__key_types:
  - 'ed25519'
  # - 'rsa'
  # - 'ecdsa'
  # - 'dsa' # (do not use!)

  • Advanced SSH Algorithm Settings
    You can also define the key and KEX algorithms to use. For the default values and some examples for the variables sshd__key_algorithmus and sshd__kex_algorithmus, have a look into defaults/main.yml.

  • Force new SSH Features
    If you know that you use an SSH version >8, you can optionally state that by setting the sshd__version_is_above_eight variable to true or false.
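
Because the defaults only accept ed25519 keys, it helps to check existing authorized_keys files before applying the role, so nobody with an RSA key gets locked out. The following is an added example, not code from this role: the function names, the KEY_TYPE_NAMES mapping from the role's short names to OpenSSH key type strings, and the sample keys (filler bytes) are assumptions made for illustration.

```python
import base64
import re
import struct

# Assumption: role short names -> OpenSSH key type strings (verify in the role)
KEY_TYPE_NAMES = {
    "ed25519": {"ssh-ed25519"},
    "rsa": {"ssh-rsa"},
    "ecdsa": {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"},
    "dsa": {"ssh-dss"},
}
# [options] keytype base64-blob [comment]; every SSH key blob starts with "AAAA"
ENTRY = re.compile(r"(?:^|\s)([a-z0-9@.-]+)\s+(AAAA[A-Za-z0-9+/=]+)(?:\s+(.*))?$")

def blob_type(b64):
    """Return the key type named inside the base64 key blob, or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii") if len(raw) >= 4 + n else None
    except (ValueError, struct.error):
        return None

def audit(authorized_keys, allowed=("ed25519",)):
    """Return (line_no, finding, comment) for keys outside the allowed types."""
    ok = set().union(*(KEY_TYPE_NAMES[t] for t in allowed))
    rejected = []
    for no, line in enumerate(authorized_keys.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.search(line)
        if not m:
            rejected.append((no, "unparsable", ""))
            continue
        declared, blob, comment = m.groups(default="")
        actual = blob_type(blob)
        if actual != declared:  # label and blob disagree: corrupt or edited
            rejected.append((no, f"{declared} (blob says {actual})", comment))
        elif actual not in ok:
            rejected.append((no, actual, comment))
    return rejected

def sample_blob(t):  # constructed filler key blob, not a real key
    return base64.b64encode(struct.pack(">I", len(t)) + t.encode() + bytes(32)).decode()

SAMPLE = (f"ssh-ed25519 {sample_blob('ssh-ed25519')} l3d\n"
          f'command="echo hi",no-pty ssh-rsa {sample_blob("ssh-rsa")} ottojo@uni\n'
          f"ssh-ed25519 {sample_blob('ssh-rsa')} ottojo@home\n")
```

Pass the contents of a real authorized_keys file to audit() together with the same list you set in sshd__key_types; an empty result means every key on file matches an allowed type.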

Files

The main task of this role is to configure the sshd.conf file.

References

Testing

This role is tested with some linting tests. Sadly I don't know how to run this role in a Docker container because systemd is involved... If you have ideas on how to improve testing, please send me a message, open an issue or a pull request. If you want to find out more about our tests, please have a look at the GitHub Marketplace.

test status Github Marketplace
Galaxy release publish-ansible-role-to-galaxy
Yamllint GitHub Actions yamllint-github-action
Ansible Lint check ansible-lint action