rchouinard.secure_sshd
Secure SSHd Ansible Role
This role sets up a secure shell server using guidelines from Mozilla's Infrasec.
By default, this configuration allows password authentication. To allow only key-based authentication, change the sshd_authmethods setting so that it lists only publickey.
Requirements
- Ansible version 2.4 or later.
Role Variables
sshd_hostkeys:
  - /etc/ssh/ssh_host_ed25519_key
  - /etc/ssh/ssh_host_rsa_key
  - /etc/ssh/ssh_host_ecdsa_key
sshd_kexalgorithms:
  - [email protected]
  - ecdh-sha2-nistp521
  - ecdh-sha2-nistp384
  - ecdh-sha2-nistp256
  - diffie-hellman-group-exchange-sha256
sshd_ciphers:
  - [email protected]
  - [email protected]
  - [email protected]
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr
sshd_macs:
  - [email protected]
  - [email protected]
  - [email protected]
  - hmac-sha2-512
  - hmac-sha2-256
  - [email protected]
sshd_authmethods:
  - publickey
  - password
sshd_loglevel: VERBOSE
sshd_subsystems:
  - "sftp  /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO"
sshd_permitrootlogin: "no"
sshd_extra: |
  AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
  AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
  AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
  AcceptEnv XMODIFIERS
Dependencies
None.
Example Playbook
- hosts: localhost
  roles:
    - rchouinard.secure_sshd
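A key-only variant of the playbook above, with a check of the resulting configuration. This is an added example, not part of the role's own documentation. It assumes sshd is installed at /usr/sbin/sshd and that the role renders sshd_permitrootlogin and sshd_loglevel as the PermitRootLogin and LogLevel directives.

```yaml
- hosts: localhost
  become: true
  roles:
    # Override the role default (publickey + password) so that only
    # key-based authentication is offered.
    - role: rchouinard.secure_sshd
      sshd_authmethods:
        - publickey

  post_tasks:
    # "sshd -T" parses the configuration on disk and prints the effective
    # settings with lower-case keywords. It fails if the file is invalid.
    # The binary path is an assumption; adjust it for your distribution.
    - name: Dump the effective sshd configuration
      command: /usr/sbin/sshd -T
      register: sshd_effective
      changed_when: false

    # Assumed mapping: sshd_permitrootlogin -> PermitRootLogin,
    # sshd_loglevel -> LogLevel (values are the role defaults listed above).
    - name: Check settings that come from the role defaults
      assert:
        that:
          - "'permitrootlogin no' in sshd_effective.stdout_lines"
          - "'loglevel VERBOSE' in sshd_effective.stdout_lines"

    # How the role translates sshd_authmethods into sshd directives is not
    # documented here, so print the relevant lines for review instead of
    # asserting on a specific directive.
    - name: Show the effective authentication directives
      debug:
        msg: "{{ sshd_effective.stdout_lines
                 | select('match', '^(authenticationmethods|passwordauthentication|pubkeyauthentication) ')
                 | list }}"
```

Confirm that a working public key is installed for your account before applying this, and keep an existing session open until a new key-based login succeeds.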
License
This role is released under the MIT License. See the license file for details.
Install
 ansible-galaxy install rchouinard.secure_sshd
Owner
 DevOps Engineer at Paymentus
