mirror of
https://github.com/roles-ansible/ansible_role_sshd.git
synced 2024-08-16 11:59:49 +02:00
80 lines
2 KiB
YAML
80 lines
2 KiB
YAML
---
|
|
sshd:
|
|
# set the ssh server port
|
|
port: 22
|
|
# ssh password authorisatuin (not recomended)
|
|
password_authentication: false
|
|
# should we disable not selected ssh key types?
|
|
manage_key_types: true
|
|
# choose ssh server allowed key types
|
|
key_types:
|
|
- ed25519
|
|
# - rsa
|
|
# - ecdsa
|
|
# - dsa # (do not use!)
|
|
|
|
key_algorithmus:
|
|
- 'ssh-ed25519-cert-v01@openssh.com'
|
|
- 'ssh-ed25519'
|
|
# - 'ecdsa-sha2-nistp521-cert-v01@openssh.com'
|
|
# - 'ecdsa-sha2-nistp384-cert-v01@openssh.com'
|
|
# - 'ecdsa-sha2-nistp256-cert-v01@openssh.com'
|
|
# - 'rsa-sha2-512-cert-v01@openssh.com'
|
|
# - 'rsa-sha2-256-cert-v01@openssh.com'
|
|
# - 'ssh-rsa-cert-v01@openssh.com'
|
|
# - 'ecdsa-sha2-nistp521'
|
|
# - 'ecdsa-sha2-nistp384'
|
|
# - 'ecdsa-sha2-nistp256'
|
|
# - 'rsa-sha2-512'
|
|
# - 'rsa-sha2-256'
|
|
# - 'ssh-rsa'
|
|
|
|
kex_algorithmus:
|
|
- 'curve25519-sha256@libssh.org'
|
|
- 'diffie-hellman-group-exchange-sha256'
|
|
# - 'diffie-hellman-group-exchange-sha1'
|
|
# - 'diffie-hellman-group14-sha1'
|
|
# - 'diffie-hellman-group1-sha1'
|
|
|
|
ciphers:
|
|
- 'chacha20-poly1305@openssh.com'
|
|
- 'aes256-gcm@openssh.com'
|
|
# - 'aes256-ctr'
|
|
# - 'aes256-cbc'
|
|
# - 'aes128-ctr'
|
|
# - 'aes128-cbc'
|
|
macs:
|
|
- 'hmac-sha2-512-etm@openssh.com'
|
|
- 'hmac-sha2-256-etm@openssh.com'
|
|
# - 'hmac-sha2-512'
|
|
# - 'hmac-sha2-256'
|
|
# - 'hmac-ripemd160-etm@openssh.com'
|
|
# - 'umac-128-etm@openssh.com'
|
|
# - 'hmac-sha1'
|
|
# Enable AllowUsers and AllowGroups options
|
|
restrict_users: True
|
|
allowed_users:
|
|
- "root"
|
|
- "ansible"
|
|
restrict_groups: True
|
|
allowed_groups:
|
|
- "root"
|
|
- "admins"
|
|
xforwarding: True
|
|
|
|
#
|
|
### Forcing only ed25519 SSH keys
|
|
#only_allow_ed25519: true
|
|
#
|
|
## Allow login with password?
|
|
#
|
|
### Allow optional cryptho methods (NOT RECOMENDED)
|
|
#generate_ecdsa_too: false
|
|
#use_diffie_hellman_group_exchange_sha256: false
|
|
#u#se_aes256_ctr: false
|
|
#u#se_hmac_sha2_512: false
|
|
###
|
|
#do_not_delete_legacy_ssh_keys: true
|
|
|
|
# perform simple version check for this role? (true is recomended)
|
|
submodules_versioncheck: false
|