skriptfabrik.sshd
Ansible Role: sshd
Description
This role sets up secure configurations for SSH clients and servers. It follows the DevSec SSH Baseline guidelines. This role is based on the original arillso.sshd.
Installation
To install the role, run the following commands:
ansible-galaxy collection install community.crypto
ansible-galaxy install skriptfabrik.sshd
Requirements
No additional requirements beyond the community.crypto collection installed in the Installation step above.
Role Variables
ssh_ipv6_enable
Set to true if IPv6 is needed.
ssh_ipv6_enable: '{{ network_ipv6_enable | default(false) }}' # sshd + ssh
ssh_server_enabled
Set to true if the SSH server (sshd) should start and be enabled.
ssh_server_enabled: true # sshd
ssh_use_dns
Set to true if reverse DNS lookups of connecting hosts are needed; OpenSSH has defaulted this to off since version 6.8.
ssh_use_dns: false # sshd
ssh_compression
Set to true if SSH compression is needed.
ssh_compression: false # sshd
ssh_hardening
Set to true to apply the hardening settings to the SSH client (ssh_client_hardening) and/or the SSH server (ssh_server_hardening).
ssh_client_hardening: true # ssh
ssh_server_hardening: true # sshd
ssh_client_password_login
Set to true to allow password authentication for the SSH client (ssh_client_password_login) or the SSH server (ssh_server_password_login).
ssh_client_password_login: false # ssh
ssh_server_password_login: false # sshd
ssh_server_ports
Specify the ports on which the SSH server will listen.
ssh_server_ports: ['22'] # sshd
ssh_client_port
Specify the port for the SSH client connection.
ssh_client_port: '22' # ssh
ssh_listen_to
Specify one or more IP addresses for the SSH server to listen on. The default shown binds all IPv4 addresses; restrict it to the specific addresses that need to accept SSH for security.
ssh_listen_to: ['0.0.0.0'] # sshd
ssh_host_key_files
List host key files that the SSH server should look for on startup.
ssh_host_key_files: [] # sshd
ssh_force_create_host_key_files
Set to true to force the creation of host key files.
ssh_force_create_host_key_files: false # sshd
ssh_max_auth_retries
Maximum number of authentication attempts allowed for each connection.
ssh_max_auth_retries: 2
ssh_client_alive_interval
Interval in seconds of client inactivity after which the server sends an alive-check message to the client.
ssh_client_alive_interval: 300 # sshd
ssh_client_alive_count
Number of unanswered alive-check messages after which the server disconnects the client.
ssh_client_alive_count: 3 # sshd
ssh_permit_tunnel
Set to true to allow SSH Tunnels.
ssh_permit_tunnel: false
ssh_remote_hosts
Specify custom client options for particular remote hosts (see the example below).
ssh_remote_hosts: []
Example
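# Per-host client options; each entry applies its options to the listed host names.
ssh_remote_hosts:
  - names: ['example.com', 'example2.com']
    # ForwardAgent exposes the local agent to the remote host; enable only for trusted hosts.
    options: ['Port 2222', 'ForwardAgent yes']
  - names: ['example3.com']
    # StrictHostKeyChecking no disables host key verification for this host.
    options: ['StrictHostKeyChecking no']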
ssh_allow_root_with_key
Set to 'without-password' (public-key only) or 'yes' to allow root login; 'no' keeps root login disabled.
ssh_allow_root_with_key: 'no' # sshd
ssh_allow_tcp_forwarding
Set to false to disable TCP Forwarding.
ssh_allow_tcp_forwarding: false # sshd
ssh_gateway_ports
Set to false to disable binding forwarded ports to non-loopback addresses.
ssh_gateway_ports: false # sshd
ssh_allow_agent_forwarding
Set to false to disable Agent Forwarding.
ssh_allow_agent_forwarding: false # sshd
ssh_pam_support
Set to true if SSH supports PAM (Pluggable Authentication Module).
ssh_pam_support: true
ssh_use_pam
Set to false to disable PAM authentication.
ssh_use_pam: false # sshd
ssh_google_auth
Set to false to disable Google 2FA authentication.
ssh_google_auth: false # sshd
ssh_pam_device
Set to false to disable PAM device 2FA input.
ssh_pam_device: false # sshd
ssh_gssapi_support
Set to true if SSH supports GSSAPI.
ssh_gssapi_support: false
ssh_kerberos_support
Set to true if SSH supports Kerberos.
ssh_kerberos_support: true
ssh_deny_users
If specified, lists usernames that are not allowed to log in.
ssh_deny_users: '' # sshd
ssh_allow_users
If specified, lists usernames that are permitted to log in.
ssh_allow_users: '' # sshd
ssh_deny_groups
If specified, prohibits login for users in the listed groups.
ssh_deny_groups: '' # sshd
ssh_allow_groups
If specified, it allows login only for users in the listed groups.
ssh_allow_groups: '' # sshd
ssh_authorized_keys_file
Change the default file name containing public keys for user authentication.
ssh_authorized_keys_file: '' # sshd
ssh_trusted_user_ca_keys_file
File containing the public keys of the certificate authorities trusted to sign user certificates.
ssh_trusted_user_ca_keys_file: '' # sshd
ssh_trusted_user_ca_keys
Set the trusted certificate authorities' public keys used for signing user certificates.
ssh_trusted_user_ca_keys: [] # sshd
Example
ssh_trusted_user_ca_keys:
# One CA public key per entry, written as a single key line (key type, key data, comment) as shown.
- 'ssh-rsa ... comment1'
- 'ssh-rsa ... comment2'
ssh_authorized_principals_file
File that lists authorized principals. Used only if ssh_trusted_user_ca_keys_file is set.
ssh_authorized_principals_file: '' # sshd
Example
ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
ssh_authorized_principals
List of principal files, each with the principals authorized in it. This is used only if ssh_authorized_principals_file is set.
ssh_authorized_principals: [] # sshd
Example
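ssh_authorized_principals:
  # Principal file for root; file and directory ownership are taken from
  # ssh_owner / ssh_group (presumably role variables — confirm in defaults).
  - path: '/etc/ssh/auth_principals/root'
    principals: ['root']
    owner: '{{ ssh_owner }}'
    group: '{{ ssh_group }}'
    directoryowner: '{{ ssh_owner }}'
    directorygroup: '{{ ssh_group}}'
  # The ownership keys are optional, as this entry shows.
  - path: '/etc/ssh/auth_principals/myuser'
    principals: ['masteradmin', 'webserver']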
ssh_print_motd
Set to false to disable the printing of the Message of the Day (MOTD).
ssh_print_motd: false # sshd
ssh_print_last_log
Set to false to disable displaying last login information.
ssh_print_last_log: false # sshd
ssh_banner
Set to false to disable serving the /etc/ssh/banner.txt file before authentication.
ssh_banner: false # sshd
ssh_print_debian_banner
Set to false to suppress the Debian-specific version suffix sent in the version string during the SSH handshake (Debian systems only).
ssh_print_debian_banner: false # sshd
ssh_sftp_enabled
Set to true to enable SFTP configurations.
ssh_sftp_enabled: '{{ sftp_enabled | default(false) }}'
ssh_sftp_chroot
Set to false to disable the SFTP chroot feature.
ssh_sftp_chroot: '{{ sftp_chroot | default(true) }}'
ssh_sftp_chroot_dir
Change the default SFTP chroot directory.
ssh_sftp_chroot_dir: "{{ sftp_chroot_dir | default('/home/%u') }}"
ssh_client_roaming
Enable the experimental client roaming feature (rarely used; leave disabled unless it is actually required).
ssh_client_roaming: false
ssh_server_match_user
List of users and their associated rules, used to generate per-user Match blocks; false generates none.
ssh_server_match_user: false # sshd
ssh_server_match_group
List of groups and their rules, used to generate per-group Match blocks; false generates none.
ssh_server_match_group: false # sshd
ssh_server_match_address
List of IP address/subnet rules, used to generate per-address Match blocks; false generates none.
ssh_server_match_address: false # sshd
ssh_server_permit_environment_vars
Set to true to allow clients to set environment variables in their server session.
ssh_server_permit_environment_vars: false
ssh_max_startups
Maximum number of concurrent unauthenticated connections to the SSH daemon, in the start:rate:full form: once start connections are pending, new attempts are refused with probability rate percent, rising linearly until all are refused at full.
ssh_max_startups: '10:30:100' # sshd
ssh_challengeresponseauthentication
Set to false to disable ChallengeResponseAuthentication.
ssh_challengeresponseauthentication: false
ssh_server_revoked_keys
List of revoked public keys that the SSH server will refuse for authentication.
ssh_server_revoked_keys: []
ssh_hardening_enabled
Set to false to turn off the security hardening applied by the role.
ssh_hardening_enabled: true
ssh_custom_options
Custom options for the SSH client.
ssh_custom_options: []
sshd_custom_options
Custom options for the SSH daemon.
sshd_custom_options: []
Dependencies
None
Example Playbook
Here’s an example of how to use this role in a playbook:
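# Applies the role to every host in the inventory.
- hosts: all
  roles:
    - skriptfabrik.sshd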
Author
License
This project is licensed under the MIT License.
Copyright
(c) 2022, skriptfabrik GmbH
This role provides secure ssh-client and ssh-server configurations. It is intended to be compliant with the DevSec SSH Baseline.
ansible-galaxy install skriptfabrik.sshd