ansible-sshd/defaults/main.yml

---
### USER OPTIONS
# Set to false to disable this role completely
sshd_enable: true

# Don't apply OS defaults when set to true
sshd_skip_defaults: false

# If the below is false, don't manage the service or reload the SSH
# daemon at all
sshd_manage_service: true

# If the below is false, don't reload the ssh daemon on change
sshd_allow_reload: true

# If the below is true, also install service files from the templates pointed
# to by the `sshd_service_template_*` variables
sshd_install_service: false
sshd_service_template_service: sshd.service.j2
sshd_service_template_at_service: sshd@.service.j2
sshd_service_template_socket: sshd.socket.j2

# If the below is true, create a backup of the config file when the template is copied
sshd_backup: true

# If the below is true, also install the sysconfig file with the below options
# (useful only on Fedora and RHEL)
sshd_sysconfig: false

# If the below is true the role will override also crypto policy configuration
sshd_sysconfig_override_crypto_policy: false

# If the below is set to non-zero value, the OpenSSL random generator is
# reseeded with the given amount of random bytes (from getrandom(2)
# with GRND_RANDOM or /dev/random). Minimum is 14 bytes when enabled.
# This is not recommended to enable if you do not have hardware random number
# generator
sshd_sysconfig_use_strong_rng: 0

# Empty dicts to avoid errors
sshd: {}

# The path to sshd_config file. This is useful when creating an included
# configuration file snippet or configuring second sshd service
sshd_config_file: "{{ __sshd_config_file }}"

# If not empty, list of trusted CA keys
sshd_trusted_user_ca_keys_list: []

# If not empty, dict containing principals for users in the os
sshd_principals: {}

### VARS DEFAULTS
### The following are defaults for OS specific configuration in var files in
### this role. They should not be set directly by role users, unless they know
### what they are doing, e.g. installing extra packages or installing an
### alternative SystemD service file
sshd_packages: "{{ __sshd_packages }}"
sshd_config_owner: "{{ __sshd_config_owner }}"
sshd_config_group: "{{ __sshd_config_group }}"
sshd_config_mode: "{{ __sshd_config_mode }}"
sshd_binary: "{{ __sshd_binary }}"
sshd_service: "{{ __sshd_service }}"
sshd_sftp_server: "{{ __sshd_sftp_server }}"

sshd_drop_in_dir_mode: "{{ __sshd_drop_in_dir_mode }}"
sshd_main_config_file: "{{ __sshd_main_config_file }}"

sshd_trustedusercakeys_directory_owner: "{{ __sshd_trustedusercakeys_directory_owner }}"
sshd_trustedusercakeys_directory_group: "{{ __sshd_trustedusercakeys_directory_group }}"
sshd_trustedusercakeys_directory_mode: "{{ __sshd_trustedusercakeys_directory_mode }}"
sshd_trustedusercakeys_file_owner: "{{ __sshd_trustedusercakeys_file_owner }}"
sshd_trustedusercakeys_file_group: "{{ __sshd_trustedusercakeys_file_group }}"
sshd_trustedusercakeys_file_mode: "{{ __sshd_trustedusercakeys_file_mode }}"

sshd_authorizedprincipals_directory_owner: "{{ __sshd_authorizedprincipals_directory_owner }}"
sshd_authorizedprincipals_directory_group: "{{ __sshd_authorizedprincipals_directory_group }}"
sshd_authorizedprincipals_directory_mode: "{{ __sshd_authorizedprincipals_directory_mode }}"
sshd_authorizedprincipals_file_owner: "{{ __sshd_authorizedprincipals_file_owner }}"
sshd_authorizedprincipals_file_group: "{{ __sshd_authorizedprincipals_file_group }}"
sshd_authorizedprincipals_file_mode: "{{ __sshd_authorizedprincipals_file_mode }}"

# This lists by default all hostkeys as rendered in the generated configuration
# file ("auto"). Before attempting to run sshd (either for verification of
# configuration or restarting), we make sure the keys exist and have correct
# permissions. To disable this check, set sshd_verify_hostkeys to false
sshd_verify_hostkeys: "auto"

sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"

# instead of replacing the whole configuration file, just add a specified
# snippet
sshd_config_namespace: null

# If this option is enabled, the role will configure firewall to open the ports
# defined in the configuration. This works only on Red Hat based systems.
sshd_manage_firewall: false

# If this option is enabled, the role will configure selinux to allow sshd to
# bind the ports defined in the configuration. This works only on Red Hat based systems.
sshd_manage_selinux: false
Initial commit 2014-12-18 23:12:51 +01:00			`---`
Seperate defaults dict 2014-12-22 10:25:31 +01:00			`### USER OPTIONS`
avoid the use of True and False for boolean values These are not in yml specification and come from python. Behavior can differ in particular YAML implementation. 2020-09-14 17:07:44 +02:00			`# Set to false to disable this role completely`
			`sshd_enable: true`
Adds on/off toggle 2018-09-08 09:14:39 +02:00
Seperate defaults dict 2014-12-22 10:25:31 +01:00			`# Don't apply OS defaults when set to true`
			`sshd_skip_defaults: false`
Adds ability to install a systemd service 2018-08-25 23:39:06 +02:00
Add sshd_manage_service option Allows disabling management of SSHd service completely, which is handy when used in a container (where ansible is usually used during build phase). 2015-06-25 15:54:24 +02:00			`# If the below is false, don't manage the service or reload the SSH`
			`# daemon at all`
Fix Ansible 2.3 warnings 2017-05-04 15:31:26 +02:00			`sshd_manage_service: true`
Adds ability to install a systemd service 2018-08-25 23:39:06 +02:00
Document missing configuraiton variables & sort as recommended by best practices: > Every argument accepted from outside of the role should be given > a default value in defaults/main.yml. https://github.com/oasis-roles/meta_standards#vars-vs-defaults 2020-11-04 15:56:03 +01:00			`# If the below is false, don't reload the ssh daemon on change`
			`sshd_allow_reload: true`

Adds ability to install a systemd service 2018-08-25 23:39:06 +02:00			`# If the below is true, also install service files from the templates pointed`
			# to by the `sshd_service_template_*` variables
			`sshd_install_service: false`
			`sshd_service_template_service: sshd.service.j2`
			`sshd_service_template_at_service: sshd@.service.j2`
			`sshd_service_template_socket: sshd.socket.j2`

expose sshd_config template backup option with sshd_backup 2018-07-27 16:08:17 +02:00			`# If the below is true, create a backup of the config file when the template is copied`
Backup old configuration by default as recommended by OASIS https://github.com/oasis-roles/meta_standards#generating-files-from-templates 2020-09-14 18:33:13 +02:00			`sshd_backup: true`
Merge branch 'master' into systemd 2018-08-25 23:48:09 +02:00
Add support for sysconfig on Fedora/RHEL This is useful for opting out from system-wide cryto policy for SSH or configuring advanced use case (strong RNG seed). Fixes: #141 2020-10-06 21:11:35 +02:00			`# If the below is true, also install the sysconfig file with the below options`
			`# (useful only on Fedora and RHEL)`
			`sshd_sysconfig: false`

			`# If the below is true the role will override also crypto policy configuration`
			`sshd_sysconfig_override_crypto_policy: false`

			`# If the below is set to non-zero value, the OpenSSL random generator is`
			`# reseeded with the given amount of random bytes (from getrandom(2)`
			`# with GRND_RANDOM or /dev/random). Minimum is 14 bytes when enabled.`
Fix typos 2020-11-06 12:15:50 +01:00			`# This is not recommended to enable if you do not have hardware random number`
			`# generator`
Add support for sysconfig on Fedora/RHEL This is useful for opting out from system-wide cryto policy for SSH or configuring advanced use case (strong RNG seed). Fixes: #141 2020-10-06 21:11:35 +02:00			`sshd_sysconfig_use_strong_rng: 0`

Seperate defaults dict 2014-12-22 10:25:31 +01:00			`# Empty dicts to avoid errors`
			`sshd: {}`

Document missing configuraiton variables & sort as recommended by best practices: > Every argument accepted from outside of the role should be given > a default value in defaults/main.yml. https://github.com/oasis-roles/meta_standards#vars-vs-defaults 2020-11-04 15:56:03 +01:00			`# The path to sshd_config file. This is useful when creating an included`
			`# configuration file snippet or configuring second sshd service`
Move defaults to vars/main.yml 2021-06-02 14:21:40 +02:00			`sshd_config_file: "{{ __sshd_config_file }}"`
Document missing configuraiton variables & sort as recommended by best practices: > Every argument accepted from outside of the role should be given > a default value in defaults/main.yml. https://github.com/oasis-roles/meta_standards#vars-vs-defaults 2020-11-04 15:56:03 +01:00
feat: manage ssh certificates (#252) * Role configured to accept SSH connection via SSH certificates * Works with or without principals and ansible-lint updated * add test for SSH certificates authentication with principals * Add configuration to run tests for SSH certificates authentication with principals * tasks to use SSH certificates grouped into one file * Update README.md 2023-09-11 15:39:03 +02:00			`# If not empty, list of trusted CA keys`
			`sshd_trusted_user_ca_keys_list: []`

			`# If not empty, dict containing principals for users in the os`
			`sshd_principals: {}`

Seperate defaults dict 2014-12-22 10:25:31 +01:00			`### VARS DEFAULTS`
			`### The following are defaults for OS specific configuration in var files in`
Moves internal non-overridable variables out of defaults 2022-08-17 14:05:10 +02:00			`### this role. They should not be set directly by role users, unless they know`
			`### what they are doing, e.g. installing extra packages or installing an`
			`### alternative SystemD service file`
Fixes un-overrideable public api variables 2022-08-17 13:53:56 +02:00			`sshd_packages: "{{ __sshd_packages }}"`
Move defaults to vars/main.yml 2021-06-02 14:21:40 +02:00			`sshd_config_owner: "{{ __sshd_config_owner }}"`
			`sshd_config_group: "{{ __sshd_config_group }}"`
			`sshd_config_mode: "{{ __sshd_config_mode }}"`
Fixes un-overrideable public api variables 2022-08-17 13:53:56 +02:00			`sshd_binary: "{{ __sshd_binary }}"`
			`sshd_service: "{{ __sshd_service }}"`
			`sshd_sftp_server: "{{ __sshd_sftp_server }}"`
Adds ability to install a systemd service 2018-08-25 23:39:06 +02:00
tMakes drop-in functionality configurable by the user 2022-08-17 16:34:35 +02:00			`sshd_drop_in_dir_mode: "{{ __sshd_drop_in_dir_mode }}"`
			`sshd_main_config_file: "{{ __sshd_main_config_file }}"`

feat: manage ssh certificates (#252) * Role configured to accept SSH connection via SSH certificates * Works with or without principals and ansible-lint updated * add test for SSH certificates authentication with principals * Add configuration to run tests for SSH certificates authentication with principals * tasks to use SSH certificates grouped into one file * Update README.md 2023-09-11 15:39:03 +02:00			`sshd_trustedusercakeys_directory_owner: "{{ __sshd_trustedusercakeys_directory_owner }}"`
			`sshd_trustedusercakeys_directory_group: "{{ __sshd_trustedusercakeys_directory_group }}"`
			`sshd_trustedusercakeys_directory_mode: "{{ __sshd_trustedusercakeys_directory_mode }}"`
			`sshd_trustedusercakeys_file_owner: "{{ __sshd_trustedusercakeys_file_owner }}"`
			`sshd_trustedusercakeys_file_group: "{{ __sshd_trustedusercakeys_file_group }}"`
			`sshd_trustedusercakeys_file_mode: "{{ __sshd_trustedusercakeys_file_mode }}"`

			`sshd_authorizedprincipals_directory_owner: "{{ __sshd_authorizedprincipals_directory_owner }}"`
			`sshd_authorizedprincipals_directory_group: "{{ __sshd_authorizedprincipals_directory_group }}"`
			`sshd_authorizedprincipals_directory_mode: "{{ __sshd_authorizedprincipals_directory_mode }}"`
			`sshd_authorizedprincipals_file_owner: "{{ __sshd_authorizedprincipals_file_owner }}"`
			`sshd_authorizedprincipals_file_group: "{{ __sshd_authorizedprincipals_file_group }}"`
			`sshd_authorizedprincipals_file_mode: "{{ __sshd_authorizedprincipals_file_mode }}"`

Implement hostkey checks This is useful during provisioning, when the keys were not generated by sshd-keygen service or similar principles depending on operating system. This is also helpful when running this role in containers, where is no service running either. The keys are generally readable only by root, but in RHEL and Fedora, they are readable also by group ssh_keys, which is used for hostbased authentication. This should fix #111 2020-10-23 21:10:00 +02:00			`# This lists by default all hostkeys as rendered in the generated configuration`
			`# file ("auto"). Before attempting to run sshd (either for verification of`
			`# configuration or restarting), we make sure the keys exist and have correct`
			`# permissions. To disable this check, set sshd_verify_hostkeys to false`
			`sshd_verify_hostkeys: "auto"`
Moves internal non-overridable variables out of defaults 2022-08-17 14:05:10 +02:00
Move defaults to vars/main.yml 2021-06-02 14:21:40 +02:00			`sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"`
			`sshd_hostkey_group: "{{ __sshd_hostkey_group }}"`
			`sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"`
Implement hostkey checks This is useful during provisioning, when the keys were not generated by sshd-keygen service or similar principles depending on operating system. This is also helpful when running this role in containers, where is no service running either. The keys are generally readable only by root, but in RHEL and Fedora, they are readable also by group ssh_keys, which is used for hostbased authentication. This should fix #111 2020-10-23 21:10:00 +02:00
Rename sshd_namespace_append to sshd_config_namespace 2021-06-10 21:46:06 +02:00			`# instead of replacing the whole configuration file, just add a specified`
Support for appending a snippet to configuration file 2021-05-20 16:52:29 +02:00			`# snippet`
Rename sshd_namespace_append to sshd_config_namespace 2021-06-10 21:46:06 +02:00			`sshd_config_namespace: null`
Add support for managing selinux and firewall on RHEL 2022-12-13 17:55:13 +01:00
			`# If this option is enabled, the role will configure firewall to open the ports`
			`# defined in the configuration. This works only on Red Hat based systems.`
			`sshd_manage_firewall: false`

			`# If this option is enabled, the role will configure selinux to allow sshd to`
			`# bind the ports defined in the configuration. This works only on Red Hat based systems.`
			`sshd_manage_selinux: false`