ansible-sshd/README.md

[![Build Status](https://travis-ci.org/willshersystems/ansible-sshd.svg?branch=master)](https://travis-ci.org/willshersystems/ansible-sshd) [![Ansible Galaxy](http://img.shields.io/badge/galaxy-willshersystems.sshd-660198.svg?style=flat)](https://galaxy.ansible.com/list#/roles/2488)

OpenSSH Server
==============

This role configures the OpenSSH daemon. It:

* By default configures the SSH daemon with the normal OS defaults.
* Works across a variety of UN*X like distributions
* Can be configured by dict or simple variables
* Supports Match sets
* Supports all sshd_config options. Templates are programmatically generated.
  (see [meta/make_option_list](meta/make_option_list))
* Tests the sshd_config before reloading sshd.

**WARNING** Misconfiguration of this role can lock you out of your server!
Please test your configuration and its interaction with your users configuration
before using in production!

**WARNING** Digital Ocean allows root with passwords via SSH on Debian and
Ubuntu. This is not the default assigned by this module - it will set
`PermitRootLogin without-password` which will allow access via SSH key but not
via simple password. If you need this functionality, be sure to set
`ssh_PermitRootLogin yes` for those hosts.

Requirements
------------

Tested on:

* Ubuntu precise, trusty
* Debian wheezy, jessie
* FreeBSD 10.1
* EL 6,7 derived distributions
* Fedora 20, 22

It will likely work on other flavours and more direct support via suitable
[vars/](vars/) files is welcome.

Role variables
---------------

Unconfigured, this role will provide a sshd_config that matches the OS default,
minus the comments and in a different order.

* sshd_skip_defaults

If set to True, don't apply default values. This means that you must have a
complete set of configuration defaults via either the sshd dict, or sshd_Key
variables. Defaults to *False*.

* sshd_manage_service

If set to False, the service/daemon won't be touched at all, i.e. will not try
to enable on boot or start or reload the service.  Defaults to *True* unless
running inside a docker container (it is assumed ansible is used during build
phase).

* sshd_allow_reload

If set to False, a reload of sshd wont happen on change. This can help with
troubleshooting. You'll need to manually reload sshd if you want to apply the
changed configuration. Defaults to the same value as ``sshd_manage_service``.

* sshd

A dict containing configuration.  e.g.

```yaml
sshd:
  Compression: delayed
  ListenAddress:
    - 0.0.0.0
```

* ssh_...

Simple variables can be used rather than a dict. Simple values override dict
values. e.g.:

```yaml
sshd_Compression: off
```

In all cases, booleans correctly rendered as yes and no in sshd configuration.
Lists can be used for multiline configuration items. e.g.

```yaml
sshd_ListenAddress:
  - 0.0.0.0
  - '::'
```

Renders as:

```
ListenAddress 0.0.0.0
ListenAddress ::
```

* sshd_match

A list of dicts for a match section. See the example playbook.

* sshd_match_1 through sshd_match_9

A list of dicts or just a dict for a Match section.

Dependencies
------------

None

Example Playbook
----------------
 
```yaml
---
- hosts: all
  vars:
    sshd_skip_defaults: true
    sshd:
      Compression: true
      ListenAddress:
        - "0.0.0.0"
        - "::"
      GSSAPIAuthentication: no
      Match:
        - Condition: "Group user"
          GSSAPIAuthentication: yes
    sshd_UsePrivilegeSeparation: sandbox
    sshd_match:
        - Condition: "Group xusers"
          X11Forwarding: yes
  roles:
    - role: willshersystems.sshd
```

Results in:

```
# Ansible managed: ...
Compression yes
GSSAPIAuthentication no
UsePrivilegeSeparation sandbox
Match Group user
  GSSAPIAuthentication yes
Match Group xusers
  X11Forwarding yes
```

Template Generation
-------------------

The [sshd_config.j2](templates/sshd_config.j2) template is programatically
generated by the scripts in meta. New options should be added to the
options_body or options_match. 

To regenerate the template, from within the meta/ directory run:
`./make_option_list >../templates/sshd_config.j2`

License
-------

LGPLv3


Author
------

Matt Willsher <matt@willsher.systems>

&copy; 2014,2015 Willsher Systems
downcase travis link 2015-01-14 09:45:57 +01:00			`[![Build Status](https://travis-ci.org/willshersystems/ansible-sshd.svg?branch=master)](https://travis-ci.org/willshersystems/ansible-sshd) [![Ansible Galaxy](http://img.shields.io/badge/galaxy-willshersystems.sshd-660198.svg?style=flat)](https://galaxy.ansible.com/list#/roles/2488)`
Add badges 2015-01-12 22:57:10 +01:00
Standardise README 2015-01-12 22:40:04 +01:00			`OpenSSH Server`
			`==============`
Initial commit 2014-12-18 23:12:51 +01:00
More distro supported, better docs 2014-12-22 21:18:35 +01:00			`This role configures the OpenSSH daemon. It:`
Initial commit 2014-12-18 23:12:51 +01:00
Standardise README 2015-01-12 22:40:04 +01:00			`* By default configures the SSH daemon with the normal OS defaults.`
			`* Works across a variety of UN*X like distributions`
			`* Can be configured by dict or simple variables`
			`* Supports Match sets`
			`* Supports all sshd_config options. Templates are programmatically generated.`
			`(see [meta/make_option_list](meta/make_option_list))`
			`* Tests the sshd_config before reloading sshd.`

Add warnings 2015-01-13 14:29:53 +01:00			`WARNING Misconfiguration of this role can lock you out of your server!`
			`Please test your configuration and its interaction with your users configuration`
			`before using in production!`

			`WARNING Digital Ocean allows root with passwords via SSH on Debian and`
			`Ubuntu. This is not the default assigned by this module - it will set`
			`PermitRootLogin without-password` which will allow access via SSH key but not
			`via simple password. If you need this functionality, be sure to set`
			`ssh_PermitRootLogin yes` for those hosts.

Standardise README 2015-01-12 22:40:04 +01:00			`Requirements`
			`------------`

			`Tested on:`

			`* Ubuntu precise, trusty`
			`* Debian wheezy, jessie`
			`* FreeBSD 10.1`
			`* EL 6,7 derived distributions`
Add Fedora support Based on RedHat 7 with few modifications (ed25519 hostkey for F22, GSSAPICleanupCredentials defaults to no, s/LC_TYPE/LC_CTYPE/ in AcceptEnv). Tested on Fedora 20 & 22. 2015-06-26 11:23:42 +02:00			`* Fedora 20, 22`
Standardise README 2015-01-12 22:40:04 +01:00
			`It will likely work on other flavours and more direct support via suitable`
			`[vars/](vars/) files is welcome.`

			`Role variables`
			`---------------`

Allow reload to be skipped 2015-01-13 18:42:10 +01:00			`Unconfigured, this role will provide a sshd_config that matches the OS default,`
Standardise README 2015-01-12 22:40:04 +01:00			`minus the comments and in a different order.`

Allow reload to be skipped 2015-01-13 18:42:10 +01:00			`* sshd_skip_defaults`
Standardise README 2015-01-12 22:40:04 +01:00
Allow reload to be skipped 2015-01-13 18:42:10 +01:00			`If set to True, don't apply default values. This means that you must have a`
			`complete set of configuration defaults via either the sshd dict, or sshd_Key`
			`variables. Defaults to False.`

Add sshd_manage_service option Allows disabling management of SSHd service completely, which is handy when used in a container (where ansible is usually used during build phase). 2015-06-25 15:54:24 +02:00			`* sshd_manage_service`

			`If set to False, the service/daemon won't be touched at all, i.e. will not try`
			`to enable on boot or start or reload the service. Defaults to True unless`
			`running inside a docker container (it is assumed ansible is used during build`
			`phase).`

Allow reload to be skipped 2015-01-13 18:42:10 +01:00			`* sshd_allow_reload`

downcase travis link 2015-01-14 09:45:57 +01:00			`If set to False, a reload of sshd wont happen on change. This can help with`
Clarify reload 2015-01-13 18:44:00 +01:00			`troubleshooting. You'll need to manually reload sshd if you want to apply the`
Add sshd_manage_service option Allows disabling management of SSHd service completely, which is handy when used in a container (where ansible is usually used during build phase). 2015-06-25 15:54:24 +02:00			changed configuration. Defaults to the same value as ``sshd_manage_service``.
Allow reload to be skipped 2015-01-13 18:42:10 +01:00
			`* sshd`

			`A dict containing configuration. e.g.`
More distro supported, better docs 2014-12-22 21:18:35 +01:00
			```yaml
Update with dict option 2014-12-21 21:39:44 +01:00			`sshd:`
			`Compression: delayed`
			`ListenAddress:`
			`- 0.0.0.0`
			```
Initial commit 2014-12-18 23:12:51 +01:00
Allow reload to be skipped 2015-01-13 18:42:10 +01:00			`* ssh_...`

			`Simple variables can be used rather than a dict. Simple values override dict`
			`values. e.g.:`
More distro supported, better docs 2014-12-22 21:18:35 +01:00
			```yaml
			`sshd_Compression: off`
			```

Allow reload to be skipped 2015-01-13 18:42:10 +01:00			`In all cases, booleans correctly rendered as yes and no in sshd configuration.`
			`Lists can be used for multiline configuration items. e.g.`
Improve examples 2014-12-25 13:13:34 +01:00
			```yaml
			`sshd_ListenAddress:`
			`- 0.0.0.0`
Standardise README 2015-01-12 22:40:04 +01:00			`- '::'`
Improve examples 2014-12-25 13:13:34 +01:00			```

Allow reload to be skipped 2015-01-13 18:42:10 +01:00			`Renders as:`

			```
			`ListenAddress 0.0.0.0`
			`ListenAddress ::`
			```

			`* sshd_match`

			`A list of dicts for a match section. See the example playbook.`

			`* sshd_match_1 through sshd_match_9`

			`A list of dicts or just a dict for a Match section.`
Improve examples 2014-12-25 13:13:34 +01:00
Add dependencies 2015-01-14 13:53:16 +01:00			`Dependencies`
			`------------`

Remove apt dependency from documentation 2015-06-29 14:36:39 +02:00			`None`
Add dependencies 2015-01-14 13:53:16 +01:00
Standardise README 2015-01-12 22:40:04 +01:00			`Example Playbook`
			`----------------`
Allow reload to be skipped 2015-01-13 18:42:10 +01:00
Improve examples 2014-12-25 13:13:34 +01:00			```yaml
			`---`
Standardise README 2015-01-12 22:40:04 +01:00			`- hosts: all`
			`vars:`
			`sshd_skip_defaults: true`
			`sshd:`
			`Compression: true`
			`ListenAddress:`
			`- "0.0.0.0"`
			`- "::"`
			`GSSAPIAuthentication: no`
			`Match:`
			`- Condition: "Group user"`
			`GSSAPIAuthentication: yes`
			`sshd_UsePrivilegeSeparation: sandbox`
			`sshd_match:`
			`- Condition: "Group xusers"`
			`X11Forwarding: yes`
			`roles:`
			`- role: willshersystems.sshd`
Improve examples 2014-12-25 13:13:34 +01:00			```

			`Results in:`

downcase travis link 2015-01-14 09:45:57 +01:00			```
Improve examples 2014-12-25 13:13:34 +01:00			`# Ansible managed: ...`
			`Compression yes`
			`GSSAPIAuthentication no`
			`UsePrivilegeSeparation sandbox`
			`Match Group user`
			`GSSAPIAuthentication yes`
			`Match Group xusers`
			`X11Forwarding yes`
			```
Use LGPL license 2014-12-26 11:09:34 +01:00
Add note about the scripts and files in meta/ 2015-06-28 11:29:16 +02:00			`Template Generation`
			`-------------------`

			`The [sshd_config.j2](templates/sshd_config.j2) template is programatically`
			`generated by the scripts in meta. New options should be added to the`
			`options_body or options_match.`

			`To regenerate the template, from within the meta/ directory run:`
			`./make_option_list >../templates/sshd_config.j2`

Standardise README 2015-01-12 22:40:04 +01:00			`License`
			`-------`

			`LGPLv3`


			`Author`
			`------`

			`Matt Willsher <matt@willsher.systems>`
Use LGPL license 2014-12-26 11:09:34 +01:00
Add © symbol 2015-01-14 13:54:14 +01:00			`© 2014,2015 Willsher Systems`