silverlogic.sshd

OpenSSH Server


This role sets up the OpenSSH server. It:

  • By default, configures the SSH server with standard settings from the operating system.
  • Works with many UNIX-like operating systems.
  • Can be set up using a dictionary or simple variables.
  • Supports Match sets to specify conditions.
  • Supports every option in the sshd_config file; the template is generated automatically (see meta/make_option_list).
  • Checks the sshd_config for issues before reloading the SSH server.

WARNING Mistakes in this configuration could lock you out of your server! Please check your setup and how it interacts with user settings before using it in a live environment!

WARNING Digital Ocean allows root login via SSH with passwords on Debian and Ubuntu. This module does not set that by default - it will use PermitRootLogin without-password, allowing access with SSH keys only. If you need password access, make sure to set sshd_PermitRootLogin yes for those servers.

Requirements

Tested on:

  • Ubuntu precise, trusty
  • Debian wheezy, jessie
  • FreeBSD 10.1
  • EL 6,7 based distributions
  • Fedora 22, 23
  • OpenBSD 6.0

It should work on other versions, and more specific support through the right vars/ files is encouraged.

Role Variables

If you don't configure it, this role provides an sshd_config that matches the OS's default, minus comments and in a different order.

  • sshd_skip_defaults: If set to True, default values won't be applied. This means you must provide complete configuration values using the sshd dictionary or variables. Defaults to False.

  • sshd_manage_service: If set to False, the service/daemon won't be altered or started. Defaults to True, unless running in a Docker container (it is assumed Ansible is used during the build phase).

  • sshd_allow_reload: If set to False, changes won't cause the SSH service to reload. This can help with troubleshooting. You'll need to reload SSH manually if you want changes to take effect. Defaults to the same value as sshd_manage_service.

  • sshd_authorized_principals_file: The path where authorized principals files will be stored. Used only if sshd_authorized_principals is also set. Can be used to set your sshd_AuthorizedPrincipalsFile config, e.g. sshd_AuthorizedPrincipalsFile: '{{ sshd_authorized_principals_file }}'.

  • sshd_authorized_principals: A dictionary listing which principals (users) are allowed to log in for which accounts. Each key is a username, and the value is a list of allowed principals. For example:

sshd_authorized_principals:
  root:
    - root-everywhere
    - bobby
    - ryan

  • sshd_trusted_user_ca_keys_file: The path for the trusted user CA keys file. Used only if sshd_trusted_user_ca_keys is set. Can be used to set your sshd_TrustedUserCAKeys config, e.g. sshd_TrustedUserCAKeys: '{{ sshd_trusted_user_ca_keys_file }}'.

  • sshd_trusted_user_ca_keys: A list of CA public keys that you trust.

  • sshd: A dictionary containing configurations. For example:

sshd:
  Compression: delayed
  ListenAddress:
    - 0.0.0.0

  • sshd_...: You can use simple variables instead of a dictionary. Simple values override dictionary values. For example:

sshd_Compression: off

In all cases, boolean values will show as yes or no in the sshd configuration. Lists can be used for multiple lines of configuration items. For example:

sshd_ListenAddress:
  - 0.0.0.0
  - '::'

This results in:

ListenAddress 0.0.0.0
ListenAddress ::

  • sshd_match: A list of dictionaries for a match section. Check the example playbook for details.

  • sshd_match_1 through sshd_match_9: A list of dictionaries or a single dictionary for a Match section.

Dependencies

None

Example Playbook

CAUTION! This example shows the range of configuration this role provides. Running it may disrupt your SSH access to the server!

---
- hosts: all
  vars:
    sshd_skip_defaults: true
    sshd:
      Compression: true
      ListenAddress:
        - "0.0.0.0"
        - "::"
      GSSAPIAuthentication: no
      Match:
        - Condition: "Group user"
          GSSAPIAuthentication: yes
    sshd_UsePrivilegeSeparation: no
    sshd_match:
        - Condition: "Group xusers"
          X11Forwarding: yes
  roles:
    - role: willshersystems.sshd

This results in:

# Ansible managed: ...
Compression yes
GSSAPIAuthentication no
UsePrivilegeSeparation no
Match Group user
  GSSAPIAuthentication yes
Match Group xusers
  X11Forwarding yes
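
To make the merging rules above concrete, here is an added Python illustration (not the role's own template, which meta/make_option_list generates): it applies the rules this README states, booleans to yes/no, lists to repeated lines, sshd_<Option> variables overriding the sshd dictionary, and Match sections emitted last, to constructed input mirroring the playbook above. It writes options in input order rather than the template's fixed order, and does not cover sshd_match_1 through sshd_match_9.

```python
# Added illustration of the role's variable-merging rules; it is not the
# role's template (that is generated by meta/make_option_list).
from typing import Any, Dict, List


def _fmt(value: Any) -> str:
    """Booleans are written as yes/no, everything else verbatim."""
    if isinstance(value, bool):
        return "yes" if value else "no"
    return str(value)


def render_sshd_config(sshd: Dict[str, Any], simple_vars: Dict[str, Any],
                       sshd_match: List[Dict[str, Any]]) -> str:
    """Merge the three input forms and render sshd_config text.

    sshd        -- the dictionary form (may carry its own Match list)
    simple_vars -- sshd_<Option> variables; these override the dictionary
    sshd_match  -- extra Match sections, appended after the dictionary's
    Lists expand to one line per element. Match blocks always come last,
    because any option written after a Match line belongs to that block.
    """
    body = {k: v for k, v in sshd.items() if k != "Match"}
    for name, value in simple_vars.items():
        if name.startswith("sshd_"):
            body[name[len("sshd_"):]] = value      # simple variable wins
    lines = []
    for option, value in body.items():
        for item in value if isinstance(value, list) else [value]:
            lines.append(f"{option} {_fmt(item)}")
    for block in list(sshd.get("Match", [])) + list(sshd_match):
        lines.append(f"Match {block['Condition']}")
        for option, value in block.items():
            if option != "Condition":
                lines.append(f"  {option} {_fmt(value)}")
    return "\n".join(lines) + "\n"


def example() -> str:
    """Constructed input mirroring the example playbook above; YAML's
    bare yes/no/off reach the role from Ansible as Python booleans."""
    sshd = {
        "Compression": True,
        "ListenAddress": ["0.0.0.0", "::"],
        "GSSAPIAuthentication": False,
        "Match": [{"Condition": "Group user", "GSSAPIAuthentication": True}],
    }
    simple_vars = {"sshd_UsePrivilegeSeparation": False}
    sshd_match = [{"Condition": "Group xusers", "X11Forwarding": True}]
    return render_sshd_config(sshd, simple_vars, sshd_match)


if __name__ == "__main__":
    print(example(), end="")
```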

Template Generation

The sshd_config.j2 template is created automatically using scripts in the meta directory. New options should be added to either options_body or options_match.

To regenerate the template, run the following command inside the meta/ directory: ./make_option_list >../templates/sshd_config.j2

License

LGPLv3

Author

Matt Willsher matt@willsher.systems

© 2014,2015 Willsher Systems Ltd.

Install

ansible-galaxy install silverlogic.sshd