Merge branch 'release/0.1.0'

CHANGELOG

@@ -0,0 +1,2 @@
+0.1.0 25 December 2014 Matt Willsher <matt@willsher.systems>
+- Initial release

README.md

@@ -1,20 +1,65 @@
 # Ansible OpenSSH Daemon Role
 
-This role configures OpenSSH. It:
+This role configures the OpenSSH daemon. It:
 
-- By default, with no set options, creates an empty configuration file.
-- Can use a dict of the form:
-```
+- By default configures the SSH daemon with the normal OS defaults. Defaults can be disabled by setting `sshd_skip_defaults: true`
+- Supports use of a dict to configure items:
+
+```yaml
 sshd:
   Compression: delayed
   ListenAddress:
     - 0.0.0.0
-    - ::
 ```
-- Can also use scalar variables of the form `sshd_ListenAddress`
-- Scalar override dict values.
-- Allows the use of booleans for keys with yes/no values, including those with additional non-boolean values such as `Compression`, which has the additional `delayed` option
-- Tests the sshd_config before reloading sshd
-- Template is programmatically generated. See the files in the meta folder.
 
-It should cover all valid SSH options.
+- Can use scalars rather than a dict. Scalar values override dict values:
+
+```yaml
+sshd_Compression: off
+```
+
+- Correctly interprets booleans as yes and no in sshd configuration
+- Supports lists for multi line configuration items:
+
+```yaml
+sshd_ListenAddress:
+  - 0.0.0.0
+  - ::
+```
+
+- Tests the sshd_config before reloading sshd
+- Template is programmatically generated. See the files in the meta folder. It should cover all valid SSH options. To regenerate the template, in the meta directory run `./make_option_list  >../templates/sshd_config.j2`
+- Supports match section either via Match in the sshd dict, sshd_match and any of sshd_match_1 through sshd_match_9. Match items can either be a dict or an array.
+
+## Complete example
+
+```yaml
+---
+sshd_skip_defaults: true
+sshd:
+  Compression: true
+  ListenAddres:
+    - "0.0.0.0"
+    - "::"
+  GSSAPIAuthentication: no
+  Match:
+    - Condition: "Group user"
+      GSSAPIAuthentication: yes
+sshd_UsePrivilegeSeparation: sandbox
+sshd_match:
+    - Condition: "Group xusers"
+      X11Forwarding: yes
+```
+
+Results in:
+
+```
+# Ansible managed: ...
+Compression yes
+GSSAPIAuthentication no
+UsePrivilegeSeparation sandbox
+Match Group user
+  GSSAPIAuthentication yes
+Match Group xusers
+  X11Forwarding yes
+```

defaults/main.yml

@@ -12,6 +12,7 @@ sshd: {}
 sshd_packages: []
 sshd_config_owner: root
 sshd_config_group: root
+sshd_config_mode: "0600"
 sshd_config_file: /etc/ssh/sshd_config
 sshd_binary: /usr/sbin/sshd
 sshd_service: sshd

meta/10_top.j2

@@ -1,13 +1,7 @@
 # {{ ansible_managed }}
-{% macro render_option(key,override) %}
-{%   if override is defined %}
-{%     set value = override %}
-{%   elif sshd[key] is defined %}
-{%     set value = sshd[key] %}
-{%   elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
-{%     set value = sshd_defaults[key] %}
-{%   endif %}
+{% macro render_option(key,value,indent=false) %}
 {%   if value is defined %}
+{%     if indent == true %}  {% endif %}
 {%     if value is sameas true %}
 {{ key }} yes
 {%     elif value is sameas false %}
@@ -21,3 +15,20 @@
 {%     endif %}
 {%   endif %}
 {% endmacro %}
+{% macro body_option(key,override) %}
+{%   if override is defined %}
+{%     set value = override %}
+{%   elif sshd[key] is defined %}
+{%     set value = sshd[key] %}
+{%   elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
+{%     set value = sshd_defaults[key] %}
+{%   endif %}
+{{ render_option(key,value) -}}
+{% endmacro %}
+{% macro match_block(match_list) %}
+{%   if match_list["Condition"] is defined %}
+{%     set match_list = [ match_list ]%}
+{%   endif %}
+{%   if match_list is iterable %}
+{%     for match in match_list %}
+Match {{ match["Condition"] }}

meta/20_middle.j2

@@ -0,0 +1,3 @@
+{%     endfor %}
+{%   endif %}
+{% endmacro %}

meta/30_bottom.j2

@@ -0,0 +1,33 @@
+{% if sshd['Match'] is defined %}
+{{ match_block(sshd['Match']) -}}
+{% endif %}
+{% if sshd_match is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_1 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_2 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_3 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_4 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_5 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_6 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_7 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_8 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_9 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}

meta/main.yml

@@ -1,20 +1,24 @@
 ---
 galaxy_info:
   author: Matt Willsher
-  description: OpenSSH Deamon configuration
+  description: OpenSSH SSH deamon configuration
   company: Willsher Systems
-  license: MIT
+  license: GPLv3
   min_ansible_version: 1.8
   platforms:
-  - name: Ubuntu
-    versions:
-    - all
   - name: Debian
     versions:
-    - all
+    - wheezy
+  - name: Ubuntu
+    versions:
+    - trusty
   - name: FreeBSD
     version:
-    - all
+    - 10.1
+  - name: EL
+    versions:
+    - 6
+    - 7
   categories:
   - system
 dependencies: []

meta/make_option_list

@@ -1,7 +1,16 @@
 #!/bin/sh
-cat macros.j2
+cat 10_top.j2
 
-cat ssh_options |
+cat options_match |
   awk '{
-print "{{ render_option(\""$1"\",sshd_"$1") -}}"
+print "{{       render_option(\""$1"\",match[\""$1"\"],true) -}}"
 }'
+
+cat 20_middle.j2
+
+cat options_body |
+  awk '{
+print "{{ body_option(\""$1"\",sshd_"$1") -}}"
+}'
+
+cat 30_bottom.j2

meta/options_match

@@ -0,0 +1,33 @@
+AllowAgentForwarding
+AllowGroups
+AllowTcpForwarding
+AllowUsers
+AuthenticationMethods
+AuthorizedKeysCommand
+AuthorizedKeysCommandUser
+AuthorizedKeysFile
+AuthorizedPrincipalsFile
+Banner
+ChrootDirectory
+DenyGroups
+DenyUsers
+ForceCommand
+GatewayPorts
+GSSAPIAuthentication
+HostbasedAuthentication
+HostbasedUsesNameFromPacketOnly
+KbdInteractiveAuthentication
+KerberosAuthentication
+MaxAuthTries
+MaxSessions
+PasswordAuthentication
+PermitEmptyPasswords
+PermitOpen
+PermitRootLogin
+PermitTunnel
+PubkeyAuthentication
+RhostsRSAAuthentication
+RSAAuthentication
+X11DisplayOffset
+X11Forwarding
+X11UseLocalHost

tasks/main.yml

@@ -2,6 +2,7 @@
 - name: Role set up
   include_vars: "{{ item }}"
   with_first_found:
+   - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
    - "{{ ansible_distribution }}.yml"
    - "{{ ansible_os_family }}.yml"
    - default.yml
@@ -13,17 +14,13 @@
     state=installed
   with_items: sshd_packages
 
-- name: Debug config
-  debug: var=sshd
-  when: sshd_debug is defined
-
 - name: Configured
   template:
     src: sshd_config.j2
     dest: "{{ sshd_config_file }}"
     owner: "{{ sshd_config_owner }}"
     group: "{{ sshd_config_group }}"
-    mode: 644
+    mode: "{{ sshd_config_mode }}"
   notify: check and reload sshd
 
 - name: Service enabled and running
@@ -31,3 +28,4 @@
     name: "{{ sshd_service }}"
     enabled: true
     state: running
+

templates/sshd_config.j2

@@ -1,13 +1,7 @@
 # {{ ansible_managed }}
-{% macro render_option(key,override) %}
-{%   if override is defined %}
-{%     set value = override %}
-{%   elif sshd[key] is defined %}
-{%     set value = sshd[key] %}
-{%   elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
-{%     set value = sshd_defaults[key] %}
-{%   endif %}
+{% macro render_option(key,value,indent=false) %}
 {%   if value is defined %}
+{%     if indent == true %}  {% endif %}
 {%     if value is sameas true %}
 {{ key }} yes
 {%     elif value is sameas false %}
@@ -21,88 +15,174 @@
 {%     endif %}
 {%   endif %}
 {% endmacro %}
-{{ render_option("Port",sshd_Port) -}}
-{{ render_option("ListenAddress",sshd_ListenAddress) -}}
-{{ render_option("Protocol",sshd_Protocol) -}}
-{{ render_option("HostKey",sshd_HostKey) -}}
-{{ render_option("AcceptEnv",sshd_AcceptEnv) -}}
-{{ render_option("AddressFamily",sshd_AddressFamily) -}}
-{{ render_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}}
-{{ render_option("AllowGroups",sshd_AllowGroups) -}}
-{{ render_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}}
-{{ render_option("AllowUsers",sshd_AllowUsers) -}}
-{{ render_option("AuthenticationMethods",sshd_AuthenticationMethods) -}}
-{{ render_option("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) -}}
-{{ render_option("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) -}}
-{{ render_option("AuthorizedKeysFile",sshd_AuthorizedKeysFile) -}}
-{{ render_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}}
-{{ render_option("Banner",sshd_Banner) -}}
-{{ render_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}}
-{{ render_option("ChrootDirectory",sshd_ChrootDirectory) -}}
-{{ render_option("Ciphers",sshd_Ciphers) -}}
-{{ render_option("ClientAliveCountMax",sshd_ClientAliveCountMax) -}}
-{{ render_option("ClientAliveInterval",sshd_ClientAliveInterval) -}}
-{{ render_option("Compression",sshd_Compression) -}}
-{{ render_option("DenyGroups",sshd_DenyGroups) -}}
-{{ render_option("DenyUsers",sshd_DenyUsers) -}}
-{{ render_option("ForceCommand",sshd_ForceCommand) -}}
-{{ render_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}}
-{{ render_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}}
-{{ render_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}}
-{{ render_option("GSSAPIStoreCredentialsOnRekey",sshd_GSSAPIStoreCredentialsOnRekey) -}}
-{{ render_option("GSSAPIStrictAcceptorCheck",sshd_GSSAPIStrictAcceptorCheck) -}}
-{{ render_option("GatewayPorts",sshd_GatewayPorts) -}}
-{{ render_option("HPNBufferSize",sshd_HPNBufferSize) -}}
-{{ render_option("HPNDisabled",sshd_HPNDisabled) -}}
-{{ render_option("HostCertificate",sshd_HostCertificate) -}}
-{{ render_option("HostKeyAgent",sshd_HostKeyAgent) -}}
-{{ render_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
-{{ render_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
-{{ render_option("IPQoS",sshd_IPQoS) -}}
-{{ render_option("IgnoreRhosts",sshd_IgnoreRhosts) -}}
-{{ render_option("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) -}}
-{{ render_option("KbdInteractiveAuthentication",sshd_KbdInteractiveAuthentication) -}}
-{{ render_option("KerberosAuthentication",sshd_KerberosAuthentication) -}}
-{{ render_option("KerberosGetAFSToken",sshd_KerberosGetAFSToken) -}}
-{{ render_option("KerberosOrLocalPasswd",sshd_KerberosOrLocalPasswd) -}}
-{{ render_option("KerberosTicketCleanup",sshd_KerberosTicketCleanup) -}}
-{{ render_option("KexAlgorithms",sshd_KexAlgorithms) -}}
-{{ render_option("KeyRegenerationInterval",sshd_KeyRegenerationInterval) -}}
-{{ render_option("LogLevel",sshd_LogLevel) -}}
-{{ render_option("LoginGraceTime",sshd_LoginGraceTime) -}}
-{{ render_option("MACs",sshd_MACs) -}}
-{{ render_option("MaxAuthTries",sshd_MaxAuthTries) -}}
-{{ render_option("MaxSessions",sshd_MaxSessions) -}}
-{{ render_option("MaxStartups",sshd_MaxStartups) -}}
-{{ render_option("NoneEnabled",sshd_NoneEnabled) -}}
-{{ render_option("PasswordAuthentication",sshd_PasswordAuthentication) -}}
-{{ render_option("PermitEmptyPasswords",sshd_PermitEmptyPasswords) -}}
-{{ render_option("PermitOpen",sshd_PermitOpen) -}}
-{{ render_option("PermitRootLogin",sshd_PermitRootLogin) -}}
-{{ render_option("PermitTTY",sshd_PermitTTY) -}}
-{{ render_option("PermitTunnel",sshd_PermitTunnel) -}}
-{{ render_option("PermitUserEnvironment",sshd_PermitUserEnvironment) -}}
-{{ render_option("PidFile",sshd_PidFile) -}}
-{{ render_option("PrintLastLog",sshd_PrintLastLog) -}}
-{{ render_option("PrintMotd",sshd_PrintMotd) -}}
-{{ render_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
-{{ render_option("RSAAuthentication",sshd_RSAAuthentication) -}}
-{{ render_option("RekeyLimit",sshd_RekeyLimit) -}}
-{{ render_option("RevokedKeys",sshd_RevokedKeys) -}}
-{{ render_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
-{{ render_option("ServerKeyBits",sshd_ServerKeyBits) -}}
-{{ render_option("StrictModes",sshd_StrictModes) -}}
-{{ render_option("Subsystem",sshd_Subsystem) -}}
-{{ render_option("SyslogFacility",sshd_SyslogFacility) -}}
-{{ render_option("TCPKeepAlive",sshd_TCPKeepAlive) -}}
-{{ render_option("TcpRcvBufPoll",sshd_TcpRcvBufPoll) -}}
-{{ render_option("TrustedUserCAKeys",sshd_TrustedUserCAKeys) -}}
-{{ render_option("UseDNS",sshd_UseDNS) -}}
-{{ render_option("UseLogin",sshd_UseLogin) -}}
-{{ render_option("UsePAM",sshd_UsePAM) -}}
-{{ render_option("UsePrivilegeSeparation",sshd_UsePrivilegeSeparation) -}}
-{{ render_option("VersionAddendum",sshd_VersionAddendum) -}}
-{{ render_option("X11DisplayOffset",sshd_X11DisplayOffset) -}}
-{{ render_option("X11Forwarding",sshd_X11Forwarding) -}}
-{{ render_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
-{{ render_option("XAuthLocation",sshd_XAuthLocation) -}}
+{% macro body_option(key,override) %}
+{%   if override is defined %}
+{%     set value = override %}
+{%   elif sshd[key] is defined %}
+{%     set value = sshd[key] %}
+{%   elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
+{%     set value = sshd_defaults[key] %}
+{%   endif %}
+{{ render_option(key,value) -}}
+{% endmacro %}
+{% macro match_block(match_list) %}
+{%   if match_list["Condition"] is defined %}
+{%     set match_list = [ match_list ]%}
+{%   endif %}
+{%   if match_list is iterable %}
+{%     for match in match_list %}
+Match {{ match["Condition"] }}
+{{       render_option("AllowAgentForwarding",match["AllowAgentForwarding"],true) -}}
+{{       render_option("AllowGroups",match["AllowGroups"],true) -}}
+{{       render_option("AllowTcpForwarding",match["AllowTcpForwarding"],true) -}}
+{{       render_option("AllowUsers",match["AllowUsers"],true) -}}
+{{       render_option("AuthenticationMethods",match["AuthenticationMethods"],true) -}}
+{{       render_option("AuthorizedKeysCommand",match["AuthorizedKeysCommand"],true) -}}
+{{       render_option("AuthorizedKeysCommandUser",match["AuthorizedKeysCommandUser"],true) -}}
+{{       render_option("AuthorizedKeysFile",match["AuthorizedKeysFile"],true) -}}
+{{       render_option("AuthorizedPrincipalsFile",match["AuthorizedPrincipalsFile"],true) -}}
+{{       render_option("Banner",match["Banner"],true) -}}
+{{       render_option("ChrootDirectory",match["ChrootDirectory"],true) -}}
+{{       render_option("DenyGroups",match["DenyGroups"],true) -}}
+{{       render_option("DenyUsers",match["DenyUsers"],true) -}}
+{{       render_option("ForceCommand",match["ForceCommand"],true) -}}
+{{       render_option("GatewayPorts",match["GatewayPorts"],true) -}}
+{{       render_option("GSSAPIAuthentication",match["GSSAPIAuthentication"],true) -}}
+{{       render_option("HostbasedAuthentication",match["HostbasedAuthentication"],true) -}}
+{{       render_option("HostbasedUsesNameFromPacketOnly",match["HostbasedUsesNameFromPacketOnly"],true) -}}
+{{       render_option("KbdInteractiveAuthentication",match["KbdInteractiveAuthentication"],true) -}}
+{{       render_option("KerberosAuthentication",match["KerberosAuthentication"],true) -}}
+{{       render_option("MaxAuthTries",match["MaxAuthTries"],true) -}}
+{{       render_option("MaxSessions",match["MaxSessions"],true) -}}
+{{       render_option("PasswordAuthentication",match["PasswordAuthentication"],true) -}}
+{{       render_option("PermitEmptyPasswords",match["PermitEmptyPasswords"],true) -}}
+{{       render_option("PermitOpen",match["PermitOpen"],true) -}}
+{{       render_option("PermitRootLogin",match["PermitRootLogin"],true) -}}
+{{       render_option("PermitTunnel",match["PermitTunnel"],true) -}}
+{{       render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
+{{       render_option("RhostsRSAAuthentication",match["RhostsRSAAuthentication"],true) -}}
+{{       render_option("RSAAuthentication",match["RSAAuthentication"],true) -}}
+{{       render_option("X11DisplayOffset",match["X11DisplayOffset"],true) -}}
+{{       render_option("X11Forwarding",match["X11Forwarding"],true) -}}
+{{       render_option("X11UseLocalHost",match["X11UseLocalHost"],true) -}}
+{%     endfor %}
+{%   endif %}
+{% endmacro %}
+{{ body_option("Port",sshd_Port) -}}
+{{ body_option("ListenAddress",sshd_ListenAddress) -}}
+{{ body_option("Protocol",sshd_Protocol) -}}
+{{ body_option("HostKey",sshd_HostKey) -}}
+{{ body_option("AcceptEnv",sshd_AcceptEnv) -}}
+{{ body_option("AddressFamily",sshd_AddressFamily) -}}
+{{ body_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}}
+{{ body_option("AllowGroups",sshd_AllowGroups) -}}
+{{ body_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}}
+{{ body_option("AllowUsers",sshd_AllowUsers) -}}
+{{ body_option("AuthenticationMethods",sshd_AuthenticationMethods) -}}
+{{ body_option("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) -}}
+{{ body_option("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) -}}
+{{ body_option("AuthorizedKeysFile",sshd_AuthorizedKeysFile) -}}
+{{ body_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}}
+{{ body_option("Banner",sshd_Banner) -}}
+{{ body_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}}
+{{ body_option("ChrootDirectory",sshd_ChrootDirectory) -}}
+{{ body_option("Ciphers",sshd_Ciphers) -}}
+{{ body_option("ClientAliveCountMax",sshd_ClientAliveCountMax) -}}
+{{ body_option("ClientAliveInterval",sshd_ClientAliveInterval) -}}
+{{ body_option("Compression",sshd_Compression) -}}
+{{ body_option("DenyGroups",sshd_DenyGroups) -}}
+{{ body_option("DenyUsers",sshd_DenyUsers) -}}
+{{ body_option("ForceCommand",sshd_ForceCommand) -}}
+{{ body_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}}
+{{ body_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}}
+{{ body_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}}
+{{ body_option("GSSAPIStoreCredentialsOnRekey",sshd_GSSAPIStoreCredentialsOnRekey) -}}
+{{ body_option("GSSAPIStrictAcceptorCheck",sshd_GSSAPIStrictAcceptorCheck) -}}
+{{ body_option("GatewayPorts",sshd_GatewayPorts) -}}
+{{ body_option("HPNBufferSize",sshd_HPNBufferSize) -}}
+{{ body_option("HPNDisabled",sshd_HPNDisabled) -}}
+{{ body_option("HostCertificate",sshd_HostCertificate) -}}
+{{ body_option("HostKeyAgent",sshd_HostKeyAgent) -}}
+{{ body_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
+{{ body_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
+{{ body_option("IPQoS",sshd_IPQoS) -}}
+{{ body_option("IgnoreRhosts",sshd_IgnoreRhosts) -}}
+{{ body_option("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) -}}
+{{ body_option("KbdInteractiveAuthentication",sshd_KbdInteractiveAuthentication) -}}
+{{ body_option("KerberosAuthentication",sshd_KerberosAuthentication) -}}
+{{ body_option("KerberosGetAFSToken",sshd_KerberosGetAFSToken) -}}
+{{ body_option("KerberosOrLocalPasswd",sshd_KerberosOrLocalPasswd) -}}
+{{ body_option("KerberosTicketCleanup",sshd_KerberosTicketCleanup) -}}
+{{ body_option("KexAlgorithms",sshd_KexAlgorithms) -}}
+{{ body_option("KeyRegenerationInterval",sshd_KeyRegenerationInterval) -}}
+{{ body_option("LogLevel",sshd_LogLevel) -}}
+{{ body_option("LoginGraceTime",sshd_LoginGraceTime) -}}
+{{ body_option("MACs",sshd_MACs) -}}
+{{ body_option("MaxAuthTries",sshd_MaxAuthTries) -}}
+{{ body_option("MaxSessions",sshd_MaxSessions) -}}
+{{ body_option("MaxStartups",sshd_MaxStartups) -}}
+{{ body_option("NoneEnabled",sshd_NoneEnabled) -}}
+{{ body_option("PasswordAuthentication",sshd_PasswordAuthentication) -}}
+{{ body_option("PermitEmptyPasswords",sshd_PermitEmptyPasswords) -}}
+{{ body_option("PermitOpen",sshd_PermitOpen) -}}
+{{ body_option("PermitRootLogin",sshd_PermitRootLogin) -}}
+{{ body_option("PermitTTY",sshd_PermitTTY) -}}
+{{ body_option("PermitTunnel",sshd_PermitTunnel) -}}
+{{ body_option("PermitUserEnvironment",sshd_PermitUserEnvironment) -}}
+{{ body_option("PidFile",sshd_PidFile) -}}
+{{ body_option("PrintLastLog",sshd_PrintLastLog) -}}
+{{ body_option("PrintMotd",sshd_PrintMotd) -}}
+{{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
+{{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
+{{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
+{{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
+{{ body_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
+{{ body_option("ServerKeyBits",sshd_ServerKeyBits) -}}
+{{ body_option("StrictModes",sshd_StrictModes) -}}
+{{ body_option("Subsystem",sshd_Subsystem) -}}
+{{ body_option("SyslogFacility",sshd_SyslogFacility) -}}
+{{ body_option("TCPKeepAlive",sshd_TCPKeepAlive) -}}
+{{ body_option("TcpRcvBufPoll",sshd_TcpRcvBufPoll) -}}
+{{ body_option("TrustedUserCAKeys",sshd_TrustedUserCAKeys) -}}
+{{ body_option("UseDNS",sshd_UseDNS) -}}
+{{ body_option("UseLogin",sshd_UseLogin) -}}
+{{ body_option("UsePAM",sshd_UsePAM) -}}
+{{ body_option("UsePrivilegeSeparation",sshd_UsePrivilegeSeparation) -}}
+{{ body_option("VersionAddendum",sshd_VersionAddendum) -}}
+{{ body_option("X11DisplayOffset",sshd_X11DisplayOffset) -}}
+{{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
+{{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
+{{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
+{% if sshd['Match'] is defined %}
+{{ match_block(sshd['Match']) -}}
+{% endif %}
+{% if sshd_match is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_1 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_2 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_3 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_4 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_5 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_6 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_7 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_8 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_9 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}

vars/Amazon.yml

@@ -0,0 +1,22 @@
+---
+sshd_config_mode: '0644'
+sshd_packages:
+  - openssh
+  - openssh-server
+sshd_sftp_server: /usr/libexec/openssh/sftp-server
+sshd:
+  SyslogFacility: AUTHPRIV
+  PermitRootLogin: forced-commands-only
+  AuthorizedKeysFile: .ssh/authorized_keys
+  PasswordAuthentication: no
+  ChallengeResponseAuthentication: no
+  UsePAM: yes
+  X11Forwarding: yes
+  PrintLastLog: yes
+  UsePrivilegeSeparation: sandbox
+  AcceptEnv:
+    - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+    - LC_IDENTIFICATION LC_ALL LANGUAGE
+    - XMODIFIERS
+  Subsystem: "sftp {{ sshd_sftp_server }}"

vars/Debian.yml

@@ -5,10 +5,37 @@ sshd_packages:
   - openssh-blacklist
   - openssh-blacklist-extra
   - openssh-sftp-server
+sshd_config_mode: "0644"
 sshd_defaults:
+  Port: 22
+  Protocol: 2
+  HostKey:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_dsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+  UsePrivilegeSeperation: yes
+  KeyRegenerationInterval: 3600
+  ServerKeyBits: 768
+  SyslogFacility: AUTH
+  LogLevel: INFO
+  LoginGraceTime: 120
+  PermitRootLogin: yes
+  StrictModes: yes
+  RSAAuthentication: yes
+  PubkeyAuthentication: yes
+  IgnoreRhosts: yes
+  RhostsRSAAuthentication: no
+  HostbaseAuthentication: no
+  PermitEmptyPasswords: no
   ChallengeResponseAuthentication: no
   X11Forwarding: yes
+  X11DisplayOffset: 10
   PrintMotd: no
+  PrintLastLog: yes
+  TCPKeepAlive: yes
   AcceptEnv: LANG LC_*
-  Subsystem: sftp {{ sshd_sftp_server }}
+  Subsystem: "sftp {{ sshd_sftp_server }}"
   UsePAM: yes
+  Match:
+    - Condition: User vagrant
+      MaxSessions: 10

vars/FreeBSD.yml

@@ -1,3 +1,4 @@
 ---
 sshd_config_group: wheel
+sshd_config_mode: "0644"
 sshd_sftp_server: /usr/libexec/sftp-server

vars/RedHat_6.yml

@@ -0,0 +1,20 @@
+---
+sshd_packages:
+  - openssh
+  - openssh-server
+sshd_sftp_server: /usr/libexec/openssh/sftp-server
+sshd_defaults:
+  Protocol: 2
+  SyslogFacility: AUTHPRIV
+  PasswordAuthentication: yes
+  ChallengeResponseAuthentication: no
+  GSSAPIAuthentication: yes
+  GSSAPICleanupCredentials: yes
+  UsePAM: yes
+  AcceptEnv:
+    - LANG LC_TYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+    - LC_IDENTIFICATION LC_ALL LANGUAGE
+    - XMODIFIERS
+  X11Forwarding: yes
+  Subsystem: "sftp {{ sshd_sftp_server }}"

vars/RedHat_7.yml

@@ -0,0 +1,24 @@
+---
+sshd_packages:
+  - openssh
+  - openssh-server
+sshd_sftp_server: /usr/libexec/openssh/sftp-server
+sshd_defaults:
+  HostKey:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+  SyslogFacility: AUTHPRIV
+  AuthorizedKeysFile: .ssh/authorized_keys
+  PasswordAuthentication: yes
+  ChallengeResponseAuthentication: no
+  GSSAPIAuthentication: yes
+  GSSAPICleanupCredentials: yes
+  UsePAM: yes
+  X11Forwarding: yes
+  UsePrivilegeSeperation: sandbox
+  AcceptEnv:
+    - LANG LC_TYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+    - LC_IDENTIFICATION LC_ALL LANGUAGE
+    - XMODIFIERS
+  Subsystem: "sftp {{ sshd_sftp_server }}"

vars/Ubuntu.yml

@@ -8,7 +8,7 @@ sshd_packages:
 sshd_defaults:
   Port: 22
   Protocol: 2
-  HostKey: 
+  HostKey:
     - /etc/ssh/ssh_host_rsa_key
     - /etc/ssh/ssh_host_dsa_key
     - /etc/ssh/ssh_host_ecdsa_key
@@ -34,5 +34,5 @@ sshd_defaults:
   PrintLastLog: yes
   TCPKeepAlive: yes
   AcceptEnv: LANG LC_*
-  Subsystem: sftp {{ sshd_sftp_server }}
+  Subsystem: "sftp {{ sshd_sftp_server }}"
   UsePAM: yes