--- ### USER OPTIONS # Set to false to disable this role completely sshd_enable: true # Don't apply OS defaults when set to true sshd_skip_defaults: false # If the below is false, don't manage the service or reload the SSH # daemon at all sshd_manage_service: true # If the below is false, don't reload the ssh daemon on change sshd_allow_reload: true # If the below is true, also install service files from the templates pointed # to by the `sshd_service_template_*` variables sshd_install_service: false sshd_service_template_service: sshd.service.j2 sshd_service_template_at_service: sshd@.service.j2 sshd_service_template_socket: sshd.socket.j2 # If the below is true, create a backup of the config file when the template is copied sshd_backup: true # If the below is true, also install the sysconfig file with the below options # (useful only on Fedora and RHEL) sshd_sysconfig: false # If the below is true the role will override also crypto policy configuration sshd_sysconfig_override_crypto_policy: false # If the below is set to non-zero value, the OpenSSL random generator is # reseeded with the given amount of random bytes (from getrandom(2) # with GRND_RANDOM or /dev/random). Minimum is 14 bytes when enabled. # This is not recommended to enable if you do not have hardware random number # generator sshd_sysconfig_use_strong_rng: 0 # Empty dicts to avoid errors sshd: {} # The path to sshd_config file. This is useful when creating an included # configuration file snippet or configuring second sshd service sshd_config_file: "{{ __sshd_config_file }}" # If not empty, list of trusted CA keys sshd_trusted_user_ca_keys_list: [] # If not empty, dict containing principals for users in the os sshd_principals: {} ### VARS DEFAULTS ### The following are defaults for OS specific configuration in var files in ### this role. They should not be set directly by role users, unless they know ### what they are doing, e.g. installing extra packages or installing an ### alternative SystemD service file sshd_packages: "{{ __sshd_packages }}" sshd_config_owner: "{{ __sshd_config_owner }}" sshd_config_group: "{{ __sshd_config_group }}" sshd_config_mode: "{{ __sshd_config_mode }}" sshd_binary: "{{ __sshd_binary }}" sshd_service: "{{ __sshd_service }}" sshd_sftp_server: "{{ __sshd_sftp_server }}" sshd_drop_in_dir_mode: "{{ __sshd_drop_in_dir_mode }}" sshd_main_config_file: "{{ __sshd_main_config_file }}" sshd_trustedusercakeys_directory_owner: "{{ __sshd_trustedusercakeys_directory_owner }}" sshd_trustedusercakeys_directory_group: "{{ __sshd_trustedusercakeys_directory_group }}" sshd_trustedusercakeys_directory_mode: "{{ __sshd_trustedusercakeys_directory_mode }}" sshd_trustedusercakeys_file_owner: "{{ __sshd_trustedusercakeys_file_owner }}" sshd_trustedusercakeys_file_group: "{{ __sshd_trustedusercakeys_file_group }}" sshd_trustedusercakeys_file_mode: "{{ __sshd_trustedusercakeys_file_mode }}" sshd_authorizedprincipals_directory_owner: "{{ __sshd_authorizedprincipals_directory_owner }}" sshd_authorizedprincipals_directory_group: "{{ __sshd_authorizedprincipals_directory_group }}" sshd_authorizedprincipals_directory_mode: "{{ __sshd_authorizedprincipals_directory_mode }}" sshd_authorizedprincipals_file_owner: "{{ __sshd_authorizedprincipals_file_owner }}" sshd_authorizedprincipals_file_group: "{{ __sshd_authorizedprincipals_file_group }}" sshd_authorizedprincipals_file_mode: "{{ __sshd_authorizedprincipals_file_mode }}" # This lists by default all hostkeys as rendered in the generated configuration # file ("auto"). Before attempting to run sshd (either for verification of # configuration or restarting), we make sure the keys exist and have correct # permissions. To disable this check, set sshd_verify_hostkeys to false sshd_verify_hostkeys: "auto" sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}" sshd_hostkey_group: "{{ __sshd_hostkey_group }}" sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}" # instead of replacing the whole configuration file, just add a specified # snippet sshd_config_namespace: null # If this option is enabled, the role will configure firewall to open the ports # defined in the configuration. This works only on Red Hat based systems. sshd_manage_firewall: false # If this option is enabled, the role will configure selinux to allow sshd to # bind the ports defined in the configuration. This works only on Red Hat based systems. sshd_manage_selinux: false