--- ### USER OPTIONS # Set to false to disable this role completely sshd_enable: true # Don't apply OS defaults when set to true sshd_skip_defaults: false # If the below is false, don't manage the service or reload the SSH # daemon at all sshd_manage_service: true # If the below is false, don't reload the ssh daemon on change sshd_allow_reload: true # If the below is true, also install service files from the templates pointed # to by the `sshd_service_template_*` variables sshd_install_service: false sshd_service_template_service: sshd.service.j2 sshd_service_template_at_service: sshd@.service.j2 sshd_service_template_socket: sshd.socket.j2 # If the below is true, create a backup of the config file when the template is copied sshd_backup: true # If the below is true, also install the sysconfig file with the below options # (useful only on Fedora and RHEL) sshd_sysconfig: false # If the below is true the role will override also crypto policy configuration sshd_sysconfig_override_crypto_policy: false # If the below is set to non-zero value, the OpenSSL random generator is # reseeded with the given amount of random bytes (from getrandom(2) # with GRND_RANDOM or /dev/random). Minimum is 14 bytes when enabled. # This is not recommended to enable if you do not have hardware random number # generator sshd_sysconfig_use_strong_rng: 0 # Empty dicts to avoid errors sshd: {} # The path to sshd_config file. This is useful when creating an included # configuration file snippet or configuring second sshd service sshd_config_file: "{{ __sshd_config_file }}" ### VARS DEFAULTS ### The following are defaults for OS specific configuration in var files in ### this role. They should not be set directly by role users. sshd_packages: [] sshd_config_owner: "{{ __sshd_config_owner }}" sshd_config_group: "{{ __sshd_config_group }}" sshd_config_mode: "{{ __sshd_config_mode }}" sshd_binary: /usr/sbin/sshd sshd_service: sshd sshd_sftp_server: /usr/lib/openssh/sftp-server # This lists by default all hostkeys as rendered in the generated configuration # file ("auto"). Before attempting to run sshd (either for verification of # configuration or restarting), we make sure the keys exist and have correct # permissions. To disable this check, set sshd_verify_hostkeys to false sshd_verify_hostkeys: "auto" # The list of hostkeys to check when there are none listed in configuration file. # This is usually the case when the selection is up to the OpenSSH defaults or # drop-in directory is used. __sshd_verify_hostkeys_default: [] sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}" sshd_hostkey_group: "{{ __sshd_hostkey_group }}" sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}" # instead of replacing the whole configuration file, just add a specified # snippet sshd_config_namespace: null ### These variables are used by role internals and should not be used. __sshd_defaults: {} __sshd_os_supported: no __sshd_sysconfig_supports_crypto_policy: false __sshd_sysconfig_supports_use_strong_rng: false __sshd_runtime_directory: false __sshd_runtime_directory_mode: "0755" # If the system supports drop-in directory, it is configured in this variable. It is used # to distinguish if we are writing a configuration snippet or we should write defaults. __sshd_drop_in_dir: false # this is the path to the main sshd_config which is checked for Include directive when # drop-in directory is used __sshd_main_config_file: false