ssh_server
Ansible Role SSH server
Description
:grey_exclamation: Before using this role, please know that all my Ansible roles are fully written and accustomed to my IT infrastructure. So, even if they are as generic as possible they will not necessarily fill your needs, I advice you to carrefully analyse what they do and evaluate their capability to be installed securely on your servers.
This roles allow configuration of ssh server.
Requirements
Require Ansible >= 2.4
Dependencies
OS Family
This role is available for Debian and CentOS
Features
At this day the role can be used to :
- install sshd
- configure sshd
- filter the initial moduli to remove weak prime numbers
- local facts
Role Variables
All variables which can be overridden are stored in defaults/main.yml file as well as in table below. To see default values please refer to this file.
Most of the variables refers to the pure sshd config parameter. Please fetch informations from the man page.
| Name | Types/Values | Description |
|---|---|---|
ssh_server__facts |
Boolean | Install the local fact script |
ssh_server__moduli_minimum |
Integer | The minimum size of primes to keep in moduli file |
ssh_server__service_enabled |
Boolean | Enable or not the service |
ssh_server__protocol |
String | See manpage |
ssh_server__privilege_separation |
String | See manpage |
ssh_server__pidfile |
String | See manpage |
ssh_server__log_facility |
String | See manpage |
ssh_server__log_level |
String | See manpage |
ssh_server__ports |
List of integer | See manpage |
ssh_server__listen |
List of ip | See manpage |
ssh_server__address_family |
String | See manpage |
ssh_server__use_dns |
Boolean | See manpage |
ssh_server__tcp_keepalive |
Boolean | See manpage |
ssh_server__allow_agent_forwarding |
Boolean | See manpage |
ssh_server__allow_tcp_forwarding |
Boolean | See manpage |
ssh_server__permit_open |
String | See manpage |
ssh_server__gateway_ports |
String | See manpage |
ssh_server__allow_stream_local_forwarding |
Boolean | See manpage |
ssh_server__permit_tunnel |
Boolean | See manpage |
ssh_server__compression |
String | See manpage |
ssh_server__ip_qos |
Tuple | See manpage |
ssh_server__kex_algorithms |
List of string | See manpage |
ssh_server__kex_algorithms_additional |
List of string | See manpage |
ssh_server__ciphers |
List of string | See manpage |
ssh_server__ciphers_additional |
List of string | See manpage |
ssh_server__macs |
List of string | See manpage |
ssh_server__macs_additional |
List of string | See manpage |
ssh_server__server_key_bits |
Integer | See manpage |
ssh_server__key_regeneration_interval |
Integer | See manpage |
ssh_server__authentication_methods |
String | See manpage |
ssh_server__use_pam |
Boolean | See manpage |
ssh_server__use_login |
Boolean | See manpage |
ssh_server__password_authentication |
Boolean | See manpage |
ssh_server__permit_empty_passwords |
Boolean | See manpage |
ssh_server__challenge_response_authentication |
Boolean | See manpage |
ssh_server__keyboard_interactive_authentication |
Boolean | See manpage |
ssh_server__pubkey_authentication |
Boolean | See manpage |
ssh_server__authorized_keys |
List of string | See manpage AuthorizedKeysFile |
ssh_server__authorized_keys_system |
List of string | Contains the path to the global system authorized keys file |
ssh_server__authorized_keys_user |
String | Contains the path to the per user authorized keys file |
ssh_server__authorized_keys_command |
String | See manpage |
ssh_server__authorized_keys_command_user |
List of string | See manpage |
ssh_server__permit_blacklisted_keys |
See manpage | |
ssh_server__rsa_authentication |
Boolean | See manpage |
ssh_server__rhosts_rsa_authentication |
Boolean | See manpage |
ssh_server__host_based_authentication |
Boolean | See manpage |
ssh_server__host_based_uses_name_from_packet_only |
Boolean | See manpage |
ssh_server__ignore_user_known_hosts |
Boolean | See manpage |
ssh_server__ignore_rhosts |
Boolean | See manpage |
ssh_server__kerberos_authentication |
Boolean | See manpage |
ssh_server__kerberos_get_afs_token |
Boolean | See manpage |
ssh_server__kerberos_or_local_passwd |
Boolean | See manpage |
ssh_server__kerberos_ticket_cleanup |
Boolean | See manpage |
ssh_server__kerberos_use_kuserok |
Boolean | See manpage |
ssh_server__gssapi_authentication |
Boolean | See manpage |
ssh_server__gssapi_key_exchange |
Boolean | See manpage |
ssh_server__gssapi_cleanup_credentials |
Boolean | See manpage |
ssh_server__gssapi_strict_acceptor_check |
Boolean | See manpage |
ssh_server__gssapi_store_credentials_on_rekey |
Boolean | See manpage |
ssh_server__gssapi_enable_k5_users |
Boolean | See manpage |
ssh_server__deny_users |
List of string | See manpage |
ssh_server__allow_users |
List of string | See manpage |
ssh_server__deny_groups |
List of string | See manpage |
ssh_server__allow_groups |
List of string | See manpage |
ssh_server__permit_root_login |
String | See manpage |
ssh_server__login_grace_time |
String | See manpage |
ssh_server__max_auth_tries |
Integer | See manpage |
ssh_server__max_sessions |
Integer | See manpage |
ssh_server__max_startups |
Specific dict | This dict must have the keys 'start', 'rate', 'full' (See manpage) |
ssh_server__accept_env |
List of string | See manpage |
ssh_server__permit_user_environment |
Boolean | See manpage |
ssh_server__permit_user_rc |
Boolean | See manpage |
ssh_server__permit_tty |
Boolean | See manpage |
ssh_server__strict_modes |
Boolean | See manpage |
ssh_server__version_addendum |
String | See manpage |
ssh_server__banner |
String | See manpage |
ssh_server__debian_banner |
Boolean | See manpage |
ssh_server__print_motd |
Boolean | See manpage |
ssh_server__print_last_log |
Boolean | See manpage |
ssh_server__force_command |
String | See manpage |
ssh_server__chroot_directory |
String | See manpage |
ssh_server__client_alive_interval |
Integer | See manpage |
ssh_server__client_alive_count_max |
Integer | See manpage |
ssh_server__x11_forwarding |
Boolean | See manpage |
ssh_server__x11_display_offset |
Integer | See manpage |
ssh_server__x11_use_localhost |
Boolean | See manpage |
ssh_server__subsystems_global/group/host |
Dict | Mapping of subsystem name and subsystem command |
ssh_server__match_list_global/group/host |
List of match bloc | Configure match blocs (see below) |
Matchs
You can configure the available match using the ssh_server__match_list_global/group/host variables availables.
Theses variable takes list of dict. Each dict must have the following form :
ssh_server__match_list_global
- match: "match criterias"
options: # options that apply if "match" matches
- AllowUsers test # a simple string option
# a dict with version conditioned options
# according to the current sshd version, the higher version condition win and it's options are applied
- 8.2: AuthorizedKeysCommand /bin/true # (string version)
7.6: # (list version)
- AuthenticationMethods publickey
- AllowUsers root
state: absent # optional state (default to present)
The available match criterias and options that you can apply depends on your current sshd version.
An example of group only allowed to run sftp is given, if you want to enable it you can use this bloc in inventory :
ssh_server__match_list_global:
- '{{ ssh_server__match_group_sftponly }}'
Facts
By default the local fact are installed and expose the following variables :
ansible_local.ssh_server:
version_full: '7.9p1'
version_major: '7'
Example
Playbook
Use it in a playbook as follows:
- hosts: all
roles:
- turgon37.ssh_server
Inventory
To use this role create or update your playbook according the following example :
ssh_server__allow_agent_forwarding: false
ssh_server__allow_tcp_forwarding: false
ssh_server__allow_stream_local_forwarding: false
ssh_server__permit_tunnel: false
ssh_server__compression: true
ssh_server__allow_groups:
- ssh
- ssh-admins
ssh_server__permit_root_login: false
ssh_server__max_startups:
start: 5
rate: 80
full: 10
ssh_server__match_list_global:
- match: "LocalAddress 127.0.0.1"
options:
- AuthenticationMethods publickey,password
state: present
- match: "LocalAddress 10.0.0.1 Group ssh-admins"
options:
- AuthenticationMethods publickey password gssapi-with-mic
- match: "LocalAddress 10.0.0.1 User root"
options:
- DenyUsers
- AllowUsers root
- DenyGroups
- AllowGroups root
- 7.0: 'PermitRootLogin prohibit-password'
4.9: 'PermitRootLogin without-password'
- AuthenticationMethods publickey
- AuthorizedKeysFile /root/.ssh/authorized_keys
- AuthorizedKeysCommand /bin/true
ssh_client__known_hosts_additionals:
- '[gitlab]:7999 ssh-rsa XXXXX'
Example of FreeIPA configuration
ssh_server__authorized_keys: '/dev/null'
ssh_server__authorized_keys_lookup: true
ssh_server__authorized_keys_lookup_command: /usr/bin/sss_ssh_authorizedkeys
ssh_server__pubkey_authentication: true
ssh_server__gssapi_authentication: true
Install
ansible-galaxy install Turgon37/ansible-ssh-serverLicense
mit
Downloads
1313
Owner
Ingénieur, Informaticien, curieux de nouvelles technologies. Passionné par le libre et l'esprit de communauté