More distro supported, better docs

README.md

@@ -1,20 +1,24 @@
 # Ansible OpenSSH Daemon Role
 
-This role configures OpenSSH. It:
+This role configures the OpenSSH daemon. It:
 
-- By default, with no set options, creates an empty configuration file.
+- By default configures the SSH daemon with the normal OS defaults. Defaults can be disabled by setting `sshd_skip_defaults: true`
-- Can use a dict of the form:
+- Supports use of a dict to configure items:
-```
+
+```yaml
 sshd:
   Compression: delayed
   ListenAddress:
     - 0.0.0.0
-    - ::
 ```
-- Can also use scalar variables of the form `sshd_ListenAddress`
-- Scalar override dict values.
-- Allows the use of booleans for keys with yes/no values, including those with additional non-boolean values such as `Compression`, which has the additional `delayed` option
-- Tests the sshd_config before reloading sshd
-- Template is programmatically generated. See the files in the meta folder.
 
-It should cover all valid SSH options.
+- Can use scalars rather than a dict. Scalar values override dict values:
+
+```yaml
+sshd_Compression: off
+```
+
+- Correctly interprets booleans as yes and no in sshd configuration
+- Supports lists for multi line configuration items
+- Tests the sshd_config before reloading sshd
+- Template is programmatically generated. See the files in the meta folder. It should cover all valid SSH options.

meta/main.yml

@@ -1,20 +1,21 @@
 ---
 galaxy_info:
   author: Matt Willsher
-  description: OpenSSH Deamon configuration
+  description: OpenSSH SSH deamon configuration
   company: Willsher Systems
-  license: MIT
+  license: GPLv3
   min_ansible_version: 1.8
   platforms:
   - name: Ubuntu
     versions:
-    - all
+    - trusty
-  - name: Debian
-    versions:
-    - all
   - name: FreeBSD
     version:
-    - all
+    - 10.1
+  - name: EL
+    versions:
+    - 6
+    - 7
   categories:
   - system
 dependencies: []

tasks/main.yml

@@ -2,8 +2,8 @@
 - name: Role set up
   include_vars: "{{ item }}"
   with_first_found:
-   - "{{ ansible_distribution }}.yml"
    - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
+   - "{{ ansible_distribution }}.yml"
    - "{{ ansible_os_family }}.yml"
    - default.yml
 
@@ -28,3 +28,4 @@
     name: "{{ sshd_service }}"
     enabled: true
     state: running
+

vars/Amazon.yml

@@ -0,0 +1,22 @@
+---
+sshd_config_mode: '0644'
+sshd_packages:
+  - openssh
+  - openssh-server
+sshd_sftp_server: /usr/libexec/openssh/sftp-server
+sshd:
+  SyslogFacility: AUTHPRIV
+  PermitRootLogin: forced-commands-only
+  AuthorizedKeysFile: .ssh/authorized_keys
+  PasswordAuthentication: no
+  ChallengeResponseAuthentication: no
+  UsePAM: yes
+  X11Forwarding: yes
+  PrintLastLog: yes
+  UsePrivilegeSeparation: sandbox
+  AcceptEnv:
+    - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+    - LC_IDENTIFICATION LC_ALL LANGUAGE
+    - XMODIFIERS
+  Subsystem: "sftp {{ sshd_sftp_server }}"

vars/Debian.yml

@@ -5,10 +5,34 @@ sshd_packages:
   - openssh-blacklist
   - openssh-blacklist-extra
   - openssh-sftp-server
+sshd_config_mode: "0644"
 sshd_defaults:
+  Port: 22
+  Protocol: 2
+  HostKey:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_dsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+  UsePrivilegeSeperation: yes
+  KeyRegenerationInterval: 3600
+  ServerKeyBits: 768
+  SyslogFacility: AUTH
+  LogLevel: INFO
+  LoginGraceTime: 120
+  PermitRootLogin: yes
+  StrictModes: yes
+  RSAAuthentication: yes
+  PubkeyAuthentication: yes
+  IgnoreRhosts: yes
+  RhostsRSAAuthentication: no
+  HostbaseAuthentication: no
+  PermitEmptyPasswords: no
   ChallengeResponseAuthentication: no
   X11Forwarding: yes
+  X11DisplayOffset: 10
   PrintMotd: no
+  PrintLastLog: yes
+  TCPKeepAlive: yes
   AcceptEnv: LANG LC_*
-  Subsystem: sftp {{ sshd_sftp_server }}
+  Subsystem: "sftp {{ sshd_sftp_server }}"
   UsePAM: yes

vars/FreeBSD.yml

@@ -1,3 +1,4 @@
 ---
 sshd_config_group: wheel
+sshd_config_mode: "0644"
 sshd_sftp_server: /usr/libexec/sftp-server

vars/RedHat_6.yml

@@ -17,4 +17,4 @@ sshd_defaults:
     - LC_IDENTIFICATION LC_ALL LANGUAGE
     - XMODIFIERS
   X11Forwarding: yes
-  Subsystem: sftp {{ sshd_sftp_server }}
+  Subsystem: "sftp {{ sshd_sftp_server }}"

vars/RedHat_7.yml

@@ -21,4 +21,4 @@ sshd_defaults:
     - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
     - LC_IDENTIFICATION LC_ALL LANGUAGE
     - XMODIFIERS
-  Subsystem: sftp {{ sshd_sftp_server }}
+  Subsystem: "sftp {{ sshd_sftp_server }}"

vars/Ubuntu.yml

@@ -8,7 +8,7 @@ sshd_packages:
 sshd_defaults:
   Port: 22
   Protocol: 2
-  HostKey: 
+  HostKey:
     - /etc/ssh/ssh_host_rsa_key
     - /etc/ssh/ssh_host_dsa_key
     - /etc/ssh/ssh_host_ecdsa_key
@@ -34,5 +34,5 @@ sshd_defaults:
   PrintLastLog: yes
   TCPKeepAlive: yes
   AcceptEnv: LANG LC_*
-  Subsystem: sftp {{ sshd_sftp_server }}
+  Subsystem: "sftp {{ sshd_sftp_server }}"
   UsePAM: yes