mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-11-04 19:03:29 +01:00
70808e97fc
Use `true/false` instead of `yes/no` Ensure use of FQCN for builtin modules Use correct spacing in Jinja expressions All tasks and plays must have a `name`, and the `name` string must begin with an uppercase letter Use `ansible.posix.mount` instead of `ansible.builtin.mount` Use `set -o pipefail` with `shell` module where supported by the platform shell Signed-off-by: Rich Megginson <rmeggins@redhat.com>
32 lines
1.2 KiB
YAML
32 lines
1.2 KiB
YAML
---
|
|
__sshd_packages:
|
|
- net-misc/openssh
|
|
__sshd_sftp_server: /usr/lib64/misc/sftp-server
|
|
__sshd_defaults:
|
|
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
|
# Replace tcp keepalive with unspoofable keepalive
|
|
TCPKeepAlive: false
|
|
ClientAliveInterval: 300
|
|
ClientAliveCountMax: 2
|
|
# Secure cipher and algorithm settings
|
|
HostKey:
|
|
- /etc/ssh/ssh_host_ed25519_key
|
|
- /etc/ssh/ssh_host_rsa_key
|
|
HostKeyAlgorithms: "ssh-ed25519,ssh-rsa,ssh-ed25519-cert-v01@openssh.com"
|
|
KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
|
|
Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
|
|
MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
|
|
AuthorizedKeysFile: .ssh/authorized_keys
|
|
# Security settings
|
|
PasswordAuthentication: false
|
|
ChallengeResponseAuthentication: false
|
|
PermitRootLogin: false
|
|
# Login settings
|
|
UsePAM: true
|
|
PrintMotd: false
|
|
PrintLastLog: true
|
|
# Disable most forwarding types for more security
|
|
AllowAgentForwarding: false
|
|
AllowTcpForwarding: false
|
|
AllowStreamLocalForwarding: false
|
|
__sshd_os_supported: true
|