Merge branch 'release/0.1.0'
db123d0884
18 changed files with 443 additions and 130 deletions
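--- /dev/null
+++ b/CHANGELOG
@@ -0,0 +1,2 @@
+0.1.0 25 December 2014 Matt Willsher <matt@willsher.systems>
+- Initial release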
67
README.md
67
README.md
|
@ -1,20 +1,65 @@
|
|||
# Ansible OpenSSH Daemon Role
|
||||
|
||||
This role configures OpenSSH. It:
|
||||
This role configures the OpenSSH daemon. It:
|
||||
|
||||
- By default, with no set options, creates an empty configuration file.
|
||||
- Can use a dict of the form:
|
||||
```
|
||||
- By default configures the SSH daemon with the normal OS defaults. Defaults can be disabled by setting `sshd_skip_defaults: true`
|
||||
- Supports use of a dict to configure items:
|
||||
|
||||
```yaml
|
||||
sshd:
|
||||
Compression: delayed
|
||||
ListenAddress:
|
||||
- 0.0.0.0
|
||||
- ::
|
||||
```
|
||||
- Can also use scalar variables of the form `sshd_ListenAddress`
|
||||
- Scalar override dict values.
|
||||
- Allows the use of booleans for keys with yes/no values, including those with additional non-boolean values such as `Compression`, which has the additional `delayed` option
|
||||
- Tests the sshd_config before reloading sshd
|
||||
- Template is programmatically generated. See the files in the meta folder.
|
||||
|
||||
It should cover all valid SSH options.
|
||||
- Can use scalars rather than a dict. Scalar values override dict values:
|
||||
|
||||
```yaml
|
||||
sshd_Compression: off
|
||||
```
|
||||
|
||||
- Correctly interprets booleans as yes and no in sshd configuration
|
||||
- Supports lists for multi line configuration items:
|
||||
|
||||
```yaml
|
||||
sshd_ListenAddress:
|
||||
- 0.0.0.0
|
||||
- ::
|
||||
```
|
||||
|
||||
- Tests the sshd_config before reloading sshd
|
||||
- Template is programmatically generated. See the files in the meta folder. It should cover all valid SSH options. To regenerate the template, in the meta directory run `./make_option_list >../templates/sshd_config.j2`
|
||||
- Supports match section either via Match in the sshd dict, sshd_match and any of sshd_match_1 through sshd_match_9. Match items can either be a dict or an array.
|
||||
|
||||
## Complete example
|
||||
|
||||
```yaml
|
||||
---
|
||||
sshd_skip_defaults: true
|
||||
sshd:
|
||||
Compression: true
|
||||
ListenAddres:
|
||||
- "0.0.0.0"
|
||||
- "::"
|
||||
GSSAPIAuthentication: no
|
||||
Match:
|
||||
- Condition: "Group user"
|
||||
GSSAPIAuthentication: yes
|
||||
sshd_UsePrivilegeSeparation: sandbox
|
||||
sshd_match:
|
||||
- Condition: "Group xusers"
|
||||
X11Forwarding: yes
|
||||
```
|
||||
|
||||
Results in:
|
||||
|
||||
```
|
||||
# Ansible managed: ...
|
||||
Compression yes
|
||||
GSSAPIAuthentication no
|
||||
UsePrivilegeSeparation sandbox
|
||||
Match Group user
|
||||
GSSAPIAuthentication yes
|
||||
Match Group xusers
|
||||
X11Forwarding yes
|
||||
```
|
||||
|
|
|
@ -12,6 +12,7 @@ sshd: {}
|
|||
sshd_packages: []
|
||||
sshd_config_owner: root
|
||||
sshd_config_group: root
|
||||
sshd_config_mode: "0600"
|
||||
sshd_config_file: /etc/ssh/sshd_config
|
||||
sshd_binary: /usr/sbin/sshd
|
||||
sshd_service: sshd
|
||||
|
|
|
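Review bot: `sshd_skip_defaults`, which the template compares with `!= true` and the README documents as the opt-out switch, is not declared anywhere in this hunk; unless it is already set in the lines above line 12 (outside the hunk), add `sshd_skip_defaults: false` next to `sshd: {}` so the knob has a documented default instead of relying on how an undefined variable compares to `true`. The quoted `sshd_config_mode: "0600"` is the right form, since an unquoted `0600` would be read as an octal integer.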
@ -1,13 +1,7 @@
|
|||
# {{ ansible_managed }}
|
||||
{% macro render_option(key,override) %}
|
||||
{% if override is defined %}
|
||||
{% set value = override %}
|
||||
{% elif sshd[key] is defined %}
|
||||
{% set value = sshd[key] %}
|
||||
{% elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
|
||||
{% set value = sshd_defaults[key] %}
|
||||
{% endif %}
|
||||
{% macro render_option(key,value,indent=false) %}
|
||||
{% if value is defined %}
|
||||
{% if indent == true %} {% endif %}
|
||||
{% if value is sameas true %}
|
||||
{{ key }} yes
|
||||
{% elif value is sameas false %}
|
||||
|
@ -21,3 +15,20 @@
|
|||
{% endif %}
|
||||
{% endif %}
|
||||
{% endmacro %}
|
||||
{% macro body_option(key,override) %}
|
||||
{% if override is defined %}
|
||||
{% set value = override %}
|
||||
{% elif sshd[key] is defined %}
|
||||
{% set value = sshd[key] %}
|
||||
{% elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
|
||||
{% set value = sshd_defaults[key] %}
|
||||
{% endif %}
|
||||
{{ render_option(key,value) -}}
|
||||
{% endmacro %}
|
||||
{% macro match_block(match_list) %}
|
||||
{% if match_list["Condition"] is defined %}
|
||||
{% set match_list = [ match_list ]%}
|
||||
{% endif %}
|
||||
{% if match_list is iterable %}
|
||||
{% for match in match_list %}
|
||||
Match {{ match["Condition"] }}
|
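Review bot: In match_block the `{% if match_list is iterable %}` test also passes for a mapping that lacks a `Condition` key and for a bare string, so such input is iterated element by element and every element reaches `match["Condition"]`; a mistyped key therefore yields a `Match` line with an empty criterion or an undefined-variable error, depending on the undefined handling in use, rather than a clear message naming the bad variable. Wrapping only when `match_list is mapping` and emitting `Match {{ match["Condition"] }}` under `{% if match["Condition"] is defined %}` would make the expected shape explicit. The file name of this section is not shown on the page; the `for` loop and the macro are closed in meta/20_middle.j2, and the render_option macro in the first hunk continues past the hunk end.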
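--- /dev/null
+++ b/meta/20_middle.j2
@@ -0,0 +1,3 @@
+{% endfor %}
+{% endif %}
+{% endmacro %}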
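Review bot: Nothing in this fragment says which constructs its three closing tags belong to; they close the `for`, `if` and `macro` that make_option_list concatenates before it (presumably 10_top.j2, the first file the script cats). A leading `{# closes match_block: endfor/endif/endmacro for the loop opened in 10_top.j2 #}` would make the fragment readable on its own, and Jinja drops the comment from the rendered sshd_config.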
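--- /dev/null
+++ b/meta/30_bottom.j2
@@ -0,0 +1,33 @@
+{% if sshd['Match'] is defined %}
+{{ match_block(sshd['Match']) -}}
+{% endif %}
+{% if sshd_match is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_1 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_2 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_3 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_4 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_5 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_6 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_7 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_8 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_9 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}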
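Review bot: Every numbered block from `{% if sshd_match_1 is defined %}` down to `sshd_match_9` tests the numbered variable but then calls `match_block(sshd_match)`, so `sshd_match_1` through `sshd_match_9` are never rendered and `sshd_match` is rendered once per defined numbered variable (or, when `sshd_match` itself is undefined, the call fails or renders nothing depending on the undefined handling). These variables are the documented way to attach per-group restrictions, so a host configured through them silently ends up without the intended Match block; each block should pass its own variable, e.g. `{{ match_block(sshd_match_1) -}}`. The generated templates/sshd_config.j2 in this commit carries the same nine calls and needs regenerating after the fix.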
|
@ -1,20 +1,24 @@
|
|||
---
|
||||
galaxy_info:
|
||||
author: Matt Willsher
|
||||
description: OpenSSH Deamon configuration
|
||||
description: OpenSSH SSH deamon configuration
|
||||
company: Willsher Systems
|
||||
license: MIT
|
||||
license: GPLv3
|
||||
min_ansible_version: 1.8
|
||||
platforms:
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- all
|
||||
- name: Debian
|
||||
versions:
|
||||
- all
|
||||
- wheezy
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- trusty
|
||||
- name: FreeBSD
|
||||
version:
|
||||
- all
|
||||
- 10.1
|
||||
- name: EL
|
||||
versions:
|
||||
- 6
|
||||
- 7
|
||||
categories:
|
||||
- system
|
||||
dependencies: []
|
||||
|
|
|
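Review bot: The FreeBSD platform entry uses `version:` where every other entry uses `versions:`, so its list is unlikely to be read as a version list; it should be `versions:`, and `- 10.1` should be quoted as `"10.1"` because a plain `10.1` is parsed as a float. If the `OpenSSH SSH deamon configuration` description is the new line, `deamon` should read `daemon`. Which of the paired `description` and `license` lines is old and which is new is not recoverable from the rendered page.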
@ -1,7 +1,16 @@
|
|||
#!/bin/sh
|
||||
cat macros.j2
|
||||
cat 10_top.j2
|
||||
|
||||
cat ssh_options |
|
||||
cat options_match |
|
||||
awk '{
|
||||
print "{{ render_option(\""$1"\",sshd_"$1") -}}"
|
||||
print "{{ render_option(\""$1"\",match[\""$1"\"],true) -}}"
|
||||
}'
|
||||
|
||||
cat 20_middle.j2
|
||||
|
||||
cat options_body |
|
||||
awk '{
|
||||
print "{{ body_option(\""$1"\",sshd_"$1") -}}"
|
||||
}'
|
||||
|
||||
cat 30_bottom.j2
|
||||
|
|
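Review bot: The script has no `set -e`, so if one of the fragment files is missing (for example when it is run from outside meta/) the failing `cat` prints an error but the script continues and emits a truncated template on stdout, which the README tells the user to redirect over templates/sshd_config.j2; adding `set -e` after `#!/bin/sh` (and `cd "$(dirname "$0")"` if it should work from any directory) makes it abort instead. A header comment stating that 10_top.j2 ends inside match_block's `for` loop, which the options_match awk output fills and 20_middle.j2 closes, would document the concatenation order the script depends on.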
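--- /dev/null
+++ b/meta/options_match
@@ -0,0 +1,33 @@
+AllowAgentForwarding
+AllowGroups
+AllowTcpForwarding
+AllowUsers
+AuthenticationMethods
+AuthorizedKeysCommand
+AuthorizedKeysCommandUser
+AuthorizedKeysFile
+AuthorizedPrincipalsFile
+Banner
+ChrootDirectory
+DenyGroups
+DenyUsers
+ForceCommand
+GatewayPorts
+GSSAPIAuthentication
+HostbasedAuthentication
+HostbasedUsesNameFromPacketOnly
+KbdInteractiveAuthentication
+KerberosAuthentication
+MaxAuthTries
+MaxSessions
+PasswordAuthentication
+PermitEmptyPasswords
+PermitOpen
+PermitRootLogin
+PermitTunnel
+PubkeyAuthentication
+RhostsRSAAuthentication
+RSAAuthentication
+X11DisplayOffset
+X11Forwarding
+X11UseLocalHost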
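Review bot: `X11UseLocalHost` on the last line is spelled with a capital H while the body-option list and the generated template use `X11UseLocalhost`; sshd accepts keywords in either case, but the generated lookup `match["X11UseLocalHost"]` is a case-sensitive dict access, so a user who writes the option inside a Match entry the same way as at top level has it silently dropped from that block. Use one spelling in both option lists. Note that make_option_list feeds every line of this file to awk unfiltered, so a `#` header comment cannot be added here without first skipping such lines in the awk program.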
|
@ -2,6 +2,7 @@
|
|||
- name: Role set up
|
||||
include_vars: "{{ item }}"
|
||||
with_first_found:
|
||||
- "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
|
||||
- "{{ ansible_distribution }}.yml"
|
||||
- "{{ ansible_os_family }}.yml"
|
||||
- default.yml
|
||||
|
@ -13,17 +14,13 @@
|
|||
state=installed
|
||||
with_items: sshd_packages
|
||||
|
||||
- name: Debug config
|
||||
debug: var=sshd
|
||||
when: sshd_debug is defined
|
||||
|
||||
- name: Configured
|
||||
template:
|
||||
src: sshd_config.j2
|
||||
dest: "{{ sshd_config_file }}"
|
||||
owner: "{{ sshd_config_owner }}"
|
||||
group: "{{ sshd_config_group }}"
|
||||
mode: 644
|
||||
mode: "{{ sshd_config_mode }}"
|
||||
notify: check and reload sshd
|
||||
|
||||
- name: Service enabled and running
|
||||
|
@ -31,3 +28,4 @@
|
|||
name: "{{ sshd_service }}"
|
||||
enabled: true
|
||||
state: running
|
||||
|
||||
|
|
|
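Review bot: The package task at the top of the second hunk still uses `key=value` module arguments (`state=installed`) and a bare `with_items: sshd_packages`, while the template task in the same hunk is written as block YAML; writing `state: installed` under the module key keeps the file in one style. The package task's `name:` and module line are above the hunk, so the change would also touch lines not shown here.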
@ -1,13 +1,7 @@
|
|||
# {{ ansible_managed }}
|
||||
{% macro render_option(key,override) %}
|
||||
{% if override is defined %}
|
||||
{% set value = override %}
|
||||
{% elif sshd[key] is defined %}
|
||||
{% set value = sshd[key] %}
|
||||
{% elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
|
||||
{% set value = sshd_defaults[key] %}
|
||||
{% endif %}
|
||||
{% macro render_option(key,value,indent=false) %}
|
||||
{% if value is defined %}
|
||||
{% if indent == true %} {% endif %}
|
||||
{% if value is sameas true %}
|
||||
{{ key }} yes
|
||||
{% elif value is sameas false %}
|
||||
|
@ -21,88 +15,174 @@
|
|||
{% endif %}
|
||||
{% endif %}
|
||||
{% endmacro %}
|
||||
{{ render_option("Port",sshd_Port) -}}
|
||||
{{ render_option("ListenAddress",sshd_ListenAddress) -}}
|
||||
{{ render_option("Protocol",sshd_Protocol) -}}
|
||||
{{ render_option("HostKey",sshd_HostKey) -}}
|
||||
{{ render_option("AcceptEnv",sshd_AcceptEnv) -}}
|
||||
{{ render_option("AddressFamily",sshd_AddressFamily) -}}
|
||||
{{ render_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}}
|
||||
{{ render_option("AllowGroups",sshd_AllowGroups) -}}
|
||||
{{ render_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}}
|
||||
{{ render_option("AllowUsers",sshd_AllowUsers) -}}
|
||||
{{ render_option("AuthenticationMethods",sshd_AuthenticationMethods) -}}
|
||||
{{ render_option("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) -}}
|
||||
{{ render_option("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) -}}
|
||||
{{ render_option("AuthorizedKeysFile",sshd_AuthorizedKeysFile) -}}
|
||||
{{ render_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}}
|
||||
{{ render_option("Banner",sshd_Banner) -}}
|
||||
{{ render_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}}
|
||||
{{ render_option("ChrootDirectory",sshd_ChrootDirectory) -}}
|
||||
{{ render_option("Ciphers",sshd_Ciphers) -}}
|
||||
{{ render_option("ClientAliveCountMax",sshd_ClientAliveCountMax) -}}
|
||||
{{ render_option("ClientAliveInterval",sshd_ClientAliveInterval) -}}
|
||||
{{ render_option("Compression",sshd_Compression) -}}
|
||||
{{ render_option("DenyGroups",sshd_DenyGroups) -}}
|
||||
{{ render_option("DenyUsers",sshd_DenyUsers) -}}
|
||||
{{ render_option("ForceCommand",sshd_ForceCommand) -}}
|
||||
{{ render_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}}
|
||||
{{ render_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}}
|
||||
{{ render_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}}
|
||||
{{ render_option("GSSAPIStoreCredentialsOnRekey",sshd_GSSAPIStoreCredentialsOnRekey) -}}
|
||||
{{ render_option("GSSAPIStrictAcceptorCheck",sshd_GSSAPIStrictAcceptorCheck) -}}
|
||||
{{ render_option("GatewayPorts",sshd_GatewayPorts) -}}
|
||||
{{ render_option("HPNBufferSize",sshd_HPNBufferSize) -}}
|
||||
{{ render_option("HPNDisabled",sshd_HPNDisabled) -}}
|
||||
{{ render_option("HostCertificate",sshd_HostCertificate) -}}
|
||||
{{ render_option("HostKeyAgent",sshd_HostKeyAgent) -}}
|
||||
{{ render_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
|
||||
{{ render_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
|
||||
{{ render_option("IPQoS",sshd_IPQoS) -}}
|
||||
{{ render_option("IgnoreRhosts",sshd_IgnoreRhosts) -}}
|
||||
{{ render_option("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) -}}
|
||||
{{ render_option("KbdInteractiveAuthentication",sshd_KbdInteractiveAuthentication) -}}
|
||||
{{ render_option("KerberosAuthentication",sshd_KerberosAuthentication) -}}
|
||||
{{ render_option("KerberosGetAFSToken",sshd_KerberosGetAFSToken) -}}
|
||||
{{ render_option("KerberosOrLocalPasswd",sshd_KerberosOrLocalPasswd) -}}
|
||||
{{ render_option("KerberosTicketCleanup",sshd_KerberosTicketCleanup) -}}
|
||||
{{ render_option("KexAlgorithms",sshd_KexAlgorithms) -}}
|
||||
{{ render_option("KeyRegenerationInterval",sshd_KeyRegenerationInterval) -}}
|
||||
{{ render_option("LogLevel",sshd_LogLevel) -}}
|
||||
{{ render_option("LoginGraceTime",sshd_LoginGraceTime) -}}
|
||||
{{ render_option("MACs",sshd_MACs) -}}
|
||||
{{ render_option("MaxAuthTries",sshd_MaxAuthTries) -}}
|
||||
{{ render_option("MaxSessions",sshd_MaxSessions) -}}
|
||||
{{ render_option("MaxStartups",sshd_MaxStartups) -}}
|
||||
{{ render_option("NoneEnabled",sshd_NoneEnabled) -}}
|
||||
{{ render_option("PasswordAuthentication",sshd_PasswordAuthentication) -}}
|
||||
{{ render_option("PermitEmptyPasswords",sshd_PermitEmptyPasswords) -}}
|
||||
{{ render_option("PermitOpen",sshd_PermitOpen) -}}
|
||||
{{ render_option("PermitRootLogin",sshd_PermitRootLogin) -}}
|
||||
{{ render_option("PermitTTY",sshd_PermitTTY) -}}
|
||||
{{ render_option("PermitTunnel",sshd_PermitTunnel) -}}
|
||||
{{ render_option("PermitUserEnvironment",sshd_PermitUserEnvironment) -}}
|
||||
{{ render_option("PidFile",sshd_PidFile) -}}
|
||||
{{ render_option("PrintLastLog",sshd_PrintLastLog) -}}
|
||||
{{ render_option("PrintMotd",sshd_PrintMotd) -}}
|
||||
{{ render_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
|
||||
{{ render_option("RSAAuthentication",sshd_RSAAuthentication) -}}
|
||||
{{ render_option("RekeyLimit",sshd_RekeyLimit) -}}
|
||||
{{ render_option("RevokedKeys",sshd_RevokedKeys) -}}
|
||||
{{ render_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
|
||||
{{ render_option("ServerKeyBits",sshd_ServerKeyBits) -}}
|
||||
{{ render_option("StrictModes",sshd_StrictModes) -}}
|
||||
{{ render_option("Subsystem",sshd_Subsystem) -}}
|
||||
{{ render_option("SyslogFacility",sshd_SyslogFacility) -}}
|
||||
{{ render_option("TCPKeepAlive",sshd_TCPKeepAlive) -}}
|
||||
{{ render_option("TcpRcvBufPoll",sshd_TcpRcvBufPoll) -}}
|
||||
{{ render_option("TrustedUserCAKeys",sshd_TrustedUserCAKeys) -}}
|
||||
{{ render_option("UseDNS",sshd_UseDNS) -}}
|
||||
{{ render_option("UseLogin",sshd_UseLogin) -}}
|
||||
{{ render_option("UsePAM",sshd_UsePAM) -}}
|
||||
{{ render_option("UsePrivilegeSeparation",sshd_UsePrivilegeSeparation) -}}
|
||||
{{ render_option("VersionAddendum",sshd_VersionAddendum) -}}
|
||||
{{ render_option("X11DisplayOffset",sshd_X11DisplayOffset) -}}
|
||||
{{ render_option("X11Forwarding",sshd_X11Forwarding) -}}
|
||||
{{ render_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
|
||||
{{ render_option("XAuthLocation",sshd_XAuthLocation) -}}
|
||||
{% macro body_option(key,override) %}
|
||||
{% if override is defined %}
|
||||
{% set value = override %}
|
||||
{% elif sshd[key] is defined %}
|
||||
{% set value = sshd[key] %}
|
||||
{% elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
|
||||
{% set value = sshd_defaults[key] %}
|
||||
{% endif %}
|
||||
{{ render_option(key,value) -}}
|
||||
{% endmacro %}
|
||||
{% macro match_block(match_list) %}
|
||||
{% if match_list["Condition"] is defined %}
|
||||
{% set match_list = [ match_list ]%}
|
||||
{% endif %}
|
||||
{% if match_list is iterable %}
|
||||
{% for match in match_list %}
|
||||
Match {{ match["Condition"] }}
|
||||
{{ render_option("AllowAgentForwarding",match["AllowAgentForwarding"],true) -}}
|
||||
{{ render_option("AllowGroups",match["AllowGroups"],true) -}}
|
||||
{{ render_option("AllowTcpForwarding",match["AllowTcpForwarding"],true) -}}
|
||||
{{ render_option("AllowUsers",match["AllowUsers"],true) -}}
|
||||
{{ render_option("AuthenticationMethods",match["AuthenticationMethods"],true) -}}
|
||||
{{ render_option("AuthorizedKeysCommand",match["AuthorizedKeysCommand"],true) -}}
|
||||
{{ render_option("AuthorizedKeysCommandUser",match["AuthorizedKeysCommandUser"],true) -}}
|
||||
{{ render_option("AuthorizedKeysFile",match["AuthorizedKeysFile"],true) -}}
|
||||
{{ render_option("AuthorizedPrincipalsFile",match["AuthorizedPrincipalsFile"],true) -}}
|
||||
{{ render_option("Banner",match["Banner"],true) -}}
|
||||
{{ render_option("ChrootDirectory",match["ChrootDirectory"],true) -}}
|
||||
{{ render_option("DenyGroups",match["DenyGroups"],true) -}}
|
||||
{{ render_option("DenyUsers",match["DenyUsers"],true) -}}
|
||||
{{ render_option("ForceCommand",match["ForceCommand"],true) -}}
|
||||
{{ render_option("GatewayPorts",match["GatewayPorts"],true) -}}
|
||||
{{ render_option("GSSAPIAuthentication",match["GSSAPIAuthentication"],true) -}}
|
||||
{{ render_option("HostbasedAuthentication",match["HostbasedAuthentication"],true) -}}
|
||||
{{ render_option("HostbasedUsesNameFromPacketOnly",match["HostbasedUsesNameFromPacketOnly"],true) -}}
|
||||
{{ render_option("KbdInteractiveAuthentication",match["KbdInteractiveAuthentication"],true) -}}
|
||||
{{ render_option("KerberosAuthentication",match["KerberosAuthentication"],true) -}}
|
||||
{{ render_option("MaxAuthTries",match["MaxAuthTries"],true) -}}
|
||||
{{ render_option("MaxSessions",match["MaxSessions"],true) -}}
|
||||
{{ render_option("PasswordAuthentication",match["PasswordAuthentication"],true) -}}
|
||||
{{ render_option("PermitEmptyPasswords",match["PermitEmptyPasswords"],true) -}}
|
||||
{{ render_option("PermitOpen",match["PermitOpen"],true) -}}
|
||||
{{ render_option("PermitRootLogin",match["PermitRootLogin"],true) -}}
|
||||
{{ render_option("PermitTunnel",match["PermitTunnel"],true) -}}
|
||||
{{ render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
|
||||
{{ render_option("RhostsRSAAuthentication",match["RhostsRSAAuthentication"],true) -}}
|
||||
{{ render_option("RSAAuthentication",match["RSAAuthentication"],true) -}}
|
||||
{{ render_option("X11DisplayOffset",match["X11DisplayOffset"],true) -}}
|
||||
{{ render_option("X11Forwarding",match["X11Forwarding"],true) -}}
|
||||
{{ render_option("X11UseLocalHost",match["X11UseLocalHost"],true) -}}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endmacro %}
|
||||
{{ body_option("Port",sshd_Port) -}}
|
||||
{{ body_option("ListenAddress",sshd_ListenAddress) -}}
|
||||
{{ body_option("Protocol",sshd_Protocol) -}}
|
||||
{{ body_option("HostKey",sshd_HostKey) -}}
|
||||
{{ body_option("AcceptEnv",sshd_AcceptEnv) -}}
|
||||
{{ body_option("AddressFamily",sshd_AddressFamily) -}}
|
||||
{{ body_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}}
|
||||
{{ body_option("AllowGroups",sshd_AllowGroups) -}}
|
||||
{{ body_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}}
|
||||
{{ body_option("AllowUsers",sshd_AllowUsers) -}}
|
||||
{{ body_option("AuthenticationMethods",sshd_AuthenticationMethods) -}}
|
||||
{{ body_option("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) -}}
|
||||
{{ body_option("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) -}}
|
||||
{{ body_option("AuthorizedKeysFile",sshd_AuthorizedKeysFile) -}}
|
||||
{{ body_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}}
|
||||
{{ body_option("Banner",sshd_Banner) -}}
|
||||
{{ body_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}}
|
||||
{{ body_option("ChrootDirectory",sshd_ChrootDirectory) -}}
|
||||
{{ body_option("Ciphers",sshd_Ciphers) -}}
|
||||
{{ body_option("ClientAliveCountMax",sshd_ClientAliveCountMax) -}}
|
||||
{{ body_option("ClientAliveInterval",sshd_ClientAliveInterval) -}}
|
||||
{{ body_option("Compression",sshd_Compression) -}}
|
||||
{{ body_option("DenyGroups",sshd_DenyGroups) -}}
|
||||
{{ body_option("DenyUsers",sshd_DenyUsers) -}}
|
||||
{{ body_option("ForceCommand",sshd_ForceCommand) -}}
|
||||
{{ body_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}}
|
||||
{{ body_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}}
|
||||
{{ body_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}}
|
||||
{{ body_option("GSSAPIStoreCredentialsOnRekey",sshd_GSSAPIStoreCredentialsOnRekey) -}}
|
||||
{{ body_option("GSSAPIStrictAcceptorCheck",sshd_GSSAPIStrictAcceptorCheck) -}}
|
||||
{{ body_option("GatewayPorts",sshd_GatewayPorts) -}}
|
||||
{{ body_option("HPNBufferSize",sshd_HPNBufferSize) -}}
|
||||
{{ body_option("HPNDisabled",sshd_HPNDisabled) -}}
|
||||
{{ body_option("HostCertificate",sshd_HostCertificate) -}}
|
||||
{{ body_option("HostKeyAgent",sshd_HostKeyAgent) -}}
|
||||
{{ body_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
|
||||
{{ body_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
|
||||
{{ body_option("IPQoS",sshd_IPQoS) -}}
|
||||
{{ body_option("IgnoreRhosts",sshd_IgnoreRhosts) -}}
|
||||
{{ body_option("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) -}}
|
||||
{{ body_option("KbdInteractiveAuthentication",sshd_KbdInteractiveAuthentication) -}}
|
||||
{{ body_option("KerberosAuthentication",sshd_KerberosAuthentication) -}}
|
||||
{{ body_option("KerberosGetAFSToken",sshd_KerberosGetAFSToken) -}}
|
||||
{{ body_option("KerberosOrLocalPasswd",sshd_KerberosOrLocalPasswd) -}}
|
||||
{{ body_option("KerberosTicketCleanup",sshd_KerberosTicketCleanup) -}}
|
||||
{{ body_option("KexAlgorithms",sshd_KexAlgorithms) -}}
|
||||
{{ body_option("KeyRegenerationInterval",sshd_KeyRegenerationInterval) -}}
|
||||
{{ body_option("LogLevel",sshd_LogLevel) -}}
|
||||
{{ body_option("LoginGraceTime",sshd_LoginGraceTime) -}}
|
||||
{{ body_option("MACs",sshd_MACs) -}}
|
||||
{{ body_option("MaxAuthTries",sshd_MaxAuthTries) -}}
|
||||
{{ body_option("MaxSessions",sshd_MaxSessions) -}}
|
||||
{{ body_option("MaxStartups",sshd_MaxStartups) -}}
|
||||
{{ body_option("NoneEnabled",sshd_NoneEnabled) -}}
|
||||
{{ body_option("PasswordAuthentication",sshd_PasswordAuthentication) -}}
|
||||
{{ body_option("PermitEmptyPasswords",sshd_PermitEmptyPasswords) -}}
|
||||
{{ body_option("PermitOpen",sshd_PermitOpen) -}}
|
||||
{{ body_option("PermitRootLogin",sshd_PermitRootLogin) -}}
|
||||
{{ body_option("PermitTTY",sshd_PermitTTY) -}}
|
||||
{{ body_option("PermitTunnel",sshd_PermitTunnel) -}}
|
||||
{{ body_option("PermitUserEnvironment",sshd_PermitUserEnvironment) -}}
|
||||
{{ body_option("PidFile",sshd_PidFile) -}}
|
||||
{{ body_option("PrintLastLog",sshd_PrintLastLog) -}}
|
||||
{{ body_option("PrintMotd",sshd_PrintMotd) -}}
|
||||
{{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
|
||||
{{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
|
||||
{{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
|
||||
{{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
|
||||
{{ body_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
|
||||
{{ body_option("ServerKeyBits",sshd_ServerKeyBits) -}}
|
||||
{{ body_option("StrictModes",sshd_StrictModes) -}}
|
||||
{{ body_option("Subsystem",sshd_Subsystem) -}}
|
||||
{{ body_option("SyslogFacility",sshd_SyslogFacility) -}}
|
||||
{{ body_option("TCPKeepAlive",sshd_TCPKeepAlive) -}}
|
||||
{{ body_option("TcpRcvBufPoll",sshd_TcpRcvBufPoll) -}}
|
||||
{{ body_option("TrustedUserCAKeys",sshd_TrustedUserCAKeys) -}}
|
||||
{{ body_option("UseDNS",sshd_UseDNS) -}}
|
||||
{{ body_option("UseLogin",sshd_UseLogin) -}}
|
||||
{{ body_option("UsePAM",sshd_UsePAM) -}}
|
||||
{{ body_option("UsePrivilegeSeparation",sshd_UsePrivilegeSeparation) -}}
|
||||
{{ body_option("VersionAddendum",sshd_VersionAddendum) -}}
|
||||
{{ body_option("X11DisplayOffset",sshd_X11DisplayOffset) -}}
|
||||
{{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
|
||||
{{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
|
||||
{{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
|
||||
{% if sshd['Match'] is defined %}
|
||||
{{ match_block(sshd['Match']) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_1 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_2 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_3 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_4 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_5 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_6 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_7 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_8 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_9 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{% endif %}
|
||||
|
|
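--- /dev/null
+++ b/vars/Amazon.yml
@@ -0,0 +1,22 @@
+---
+sshd_config_mode: '0644'
+sshd_packages:
+- openssh
+- openssh-server
+sshd_sftp_server: /usr/libexec/openssh/sftp-server
+sshd:
+SyslogFacility: AUTHPRIV
+PermitRootLogin: forced-commands-only
+AuthorizedKeysFile: .ssh/authorized_keys
+PasswordAuthentication: no
+ChallengeResponseAuthentication: no
+UsePAM: yes
+X11Forwarding: yes
+PrintLastLog: yes
+UsePrivilegeSeparation: sandbox
+AcceptEnv:
+- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+- LC_IDENTIFICATION LC_ALL LANGUAGE
+- XMODIFIERS
+Subsystem: "sftp {{ sshd_sftp_server }}"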
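Review bot: This file places the distribution defaults under `sshd:` whereas RedHat_6.yml, RedHat_7.yml and Debian.yml place them under `sshd_defaults:`. Variables loaded by `include_vars` take precedence over play and inventory variables, so a playbook that sets its own `sshd:` dict to harden an Amazon Linux host would presumably have it replaced by this one (confirm against the precedence rules of the 1.8 minimum version), and `sshd_skip_defaults: true` would not suppress these values either because the template only applies that switch to `sshd_defaults`. Renaming the key to `sshd_defaults:` makes the file behave like the other vars files.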
|
@ -5,10 +5,37 @@ sshd_packages:
|
|||
- openssh-blacklist
|
||||
- openssh-blacklist-extra
|
||||
- openssh-sftp-server
|
||||
sshd_config_mode: "0644"
|
||||
sshd_defaults:
|
||||
Port: 22
|
||||
Protocol: 2
|
||||
HostKey:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_dsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
UsePrivilegeSeperation: yes
|
||||
KeyRegenerationInterval: 3600
|
||||
ServerKeyBits: 768
|
||||
SyslogFacility: AUTH
|
||||
LogLevel: INFO
|
||||
LoginGraceTime: 120
|
||||
PermitRootLogin: yes
|
||||
StrictModes: yes
|
||||
RSAAuthentication: yes
|
||||
PubkeyAuthentication: yes
|
||||
IgnoreRhosts: yes
|
||||
RhostsRSAAuthentication: no
|
||||
HostbaseAuthentication: no
|
||||
PermitEmptyPasswords: no
|
||||
ChallengeResponseAuthentication: no
|
||||
X11Forwarding: yes
|
||||
X11DisplayOffset: 10
|
||||
PrintMotd: no
|
||||
PrintLastLog: yes
|
||||
TCPKeepAlive: yes
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: sftp {{ sshd_sftp_server }}
|
||||
Subsystem: "sftp {{ sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
Match:
|
||||
- Condition: User vagrant
|
||||
MaxSessions: 10
|
||||
|
|
|
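Review bot: `UsePrivilegeSeperation: yes` and `HostbaseAuthentication: no` in sshd_defaults are misspelled (sshd's keywords are `UsePrivilegeSeparation` and `HostbasedAuthentication`), and since body_option looks each default up by the correctly spelled key these two entries are never rendered, so the file silently drops them from the generated config instead of failing. The hunk deletes a single line, which the unquoted and quoted `Subsystem:` pair accounts for, so both misspelled lines are in the new file. vars/RedHat_7.yml has the same `UsePrivilegeSeperation` misspelling.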
@ -1,3 +1,4 @@
|
|||
---
|
||||
sshd_config_group: wheel
|
||||
sshd_config_mode: "0644"
|
||||
sshd_sftp_server: /usr/libexec/sftp-server
|
||||
|
|
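--- /dev/null
+++ b/vars/RedHat_6.yml
@@ -0,0 +1,20 @@
+---
+sshd_packages:
+- openssh
+- openssh-server
+sshd_sftp_server: /usr/libexec/openssh/sftp-server
+sshd_defaults:
+Protocol: 2
+SyslogFacility: AUTHPRIV
+PasswordAuthentication: yes
+ChallengeResponseAuthentication: no
+GSSAPIAuthentication: yes
+GSSAPICleanupCredentials: yes
+UsePAM: yes
+AcceptEnv:
+- LANG LC_TYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+- LC_IDENTIFICATION LC_ALL LANGUAGE
+- XMODIFIERS
+X11Forwarding: yes
+Subsystem: "sftp {{ sshd_sftp_server }}"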
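Review bot: `LC_TYPE` in the first AcceptEnv item is not a locale variable; the variable sshd should pass through is `LC_CTYPE`, as vars/Amazon.yml spells it in the same position. As written, a client's `LC_CTYPE` is not accepted while a nonexistent `LC_TYPE` is whitelisted, which is harmless but not what the distribution default expresses. vars/RedHat_7.yml has the same line.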
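--- /dev/null
+++ b/vars/RedHat_7.yml
@@ -0,0 +1,24 @@
+---
+sshd_packages:
+- openssh
+- openssh-server
+sshd_sftp_server: /usr/libexec/openssh/sftp-server
+sshd_defaults:
+HostKey:
+- /etc/ssh/ssh_host_rsa_key
+- /etc/ssh/ssh_host_ecdsa_key
+SyslogFacility: AUTHPRIV
+AuthorizedKeysFile: .ssh/authorized_keys
+PasswordAuthentication: yes
+ChallengeResponseAuthentication: no
+GSSAPIAuthentication: yes
+GSSAPICleanupCredentials: yes
+UsePAM: yes
+X11Forwarding: yes
+UsePrivilegeSeperation: sandbox
+AcceptEnv:
+- LANG LC_TYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+- LC_IDENTIFICATION LC_ALL LANGUAGE
+- XMODIFIERS
+Subsystem: "sftp {{ sshd_sftp_server }}"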
|
@ -8,7 +8,7 @@ sshd_packages:
|
|||
sshd_defaults:
|
||||
Port: 22
|
||||
Protocol: 2
|
||||
HostKey:
|
||||
HostKey:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_dsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
|
@ -34,5 +34,5 @@ sshd_defaults:
|
|||
PrintLastLog: yes
|
||||
TCPKeepAlive: yes
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: sftp {{ sshd_sftp_server }}
|
||||
Subsystem: "sftp {{ sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
|
|