mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-11-24 20:10:20 +01:00
0bc6d8f40b
* Role configured to accept SSH connection via SSH certificates * Works with or without principals and ansible-lint updated * add test for SSH certificates authentication with principals * Add configuration to run tests for SSH certificates authentication with principals * tasks to use SSH certificates grouped into one file * Update README.md
103 lines
4.3 KiB
YAML
103 lines
4.3 KiB
YAML
---
|
|
### USER OPTIONS
|
|
# Set to false to disable this role completely
|
|
sshd_enable: true
|
|
|
|
# Don't apply OS defaults when set to true
|
|
sshd_skip_defaults: false
|
|
|
|
# If the below is false, don't manage the service or reload the SSH
|
|
# daemon at all
|
|
sshd_manage_service: true
|
|
|
|
# If the below is false, don't reload the ssh daemon on change
|
|
sshd_allow_reload: true
|
|
|
|
# If the below is true, also install service files from the templates pointed
|
|
# to by the `sshd_service_template_*` variables
|
|
sshd_install_service: false
|
|
sshd_service_template_service: sshd.service.j2
|
|
sshd_service_template_at_service: sshd@.service.j2
|
|
sshd_service_template_socket: sshd.socket.j2
|
|
|
|
# If the below is true, create a backup of the config file when the template is copied
|
|
sshd_backup: true
|
|
|
|
# If the below is true, also install the sysconfig file with the below options
|
|
# (useful only on Fedora and RHEL)
|
|
sshd_sysconfig: false
|
|
|
|
# If the below is true the role will override also crypto policy configuration
|
|
sshd_sysconfig_override_crypto_policy: false
|
|
|
|
# If the below is set to non-zero value, the OpenSSL random generator is
|
|
# reseeded with the given amount of random bytes (from getrandom(2)
|
|
# with GRND_RANDOM or /dev/random). Minimum is 14 bytes when enabled.
|
|
# This is not recommended to enable if you do not have hardware random number
|
|
# generator
|
|
sshd_sysconfig_use_strong_rng: 0
|
|
|
|
# Empty dicts to avoid errors
|
|
sshd: {}
|
|
|
|
# The path to sshd_config file. This is useful when creating an included
|
|
# configuration file snippet or configuring second sshd service
|
|
sshd_config_file: "{{ __sshd_config_file }}"
|
|
|
|
# If not empty, list of trusted CA keys
|
|
sshd_trusted_user_ca_keys_list: []
|
|
|
|
# If not empty, dict containing principals for users in the os
|
|
sshd_principals: {}
|
|
|
|
### VARS DEFAULTS
|
|
### The following are defaults for OS specific configuration in var files in
|
|
### this role. They should not be set directly by role users, unless they know
|
|
### what they are doing, e.g. installing extra packages or installing an
|
|
### alternative SystemD service file
|
|
sshd_packages: "{{ __sshd_packages }}"
|
|
sshd_config_owner: "{{ __sshd_config_owner }}"
|
|
sshd_config_group: "{{ __sshd_config_group }}"
|
|
sshd_config_mode: "{{ __sshd_config_mode }}"
|
|
sshd_binary: "{{ __sshd_binary }}"
|
|
sshd_service: "{{ __sshd_service }}"
|
|
sshd_sftp_server: "{{ __sshd_sftp_server }}"
|
|
|
|
sshd_drop_in_dir_mode: "{{ __sshd_drop_in_dir_mode }}"
|
|
sshd_main_config_file: "{{ __sshd_main_config_file }}"
|
|
|
|
sshd_trustedusercakeys_directory_owner: "{{ __sshd_trustedusercakeys_directory_owner }}"
|
|
sshd_trustedusercakeys_directory_group: "{{ __sshd_trustedusercakeys_directory_group }}"
|
|
sshd_trustedusercakeys_directory_mode: "{{ __sshd_trustedusercakeys_directory_mode }}"
|
|
sshd_trustedusercakeys_file_owner: "{{ __sshd_trustedusercakeys_file_owner }}"
|
|
sshd_trustedusercakeys_file_group: "{{ __sshd_trustedusercakeys_file_group }}"
|
|
sshd_trustedusercakeys_file_mode: "{{ __sshd_trustedusercakeys_file_mode }}"
|
|
|
|
sshd_authorizedprincipals_directory_owner: "{{ __sshd_authorizedprincipals_directory_owner }}"
|
|
sshd_authorizedprincipals_directory_group: "{{ __sshd_authorizedprincipals_directory_group }}"
|
|
sshd_authorizedprincipals_directory_mode: "{{ __sshd_authorizedprincipals_directory_mode }}"
|
|
sshd_authorizedprincipals_file_owner: "{{ __sshd_authorizedprincipals_file_owner }}"
|
|
sshd_authorizedprincipals_file_group: "{{ __sshd_authorizedprincipals_file_group }}"
|
|
sshd_authorizedprincipals_file_mode: "{{ __sshd_authorizedprincipals_file_mode }}"
|
|
|
|
# This lists by default all hostkeys as rendered in the generated configuration
|
|
# file ("auto"). Before attempting to run sshd (either for verification of
|
|
# configuration or restarting), we make sure the keys exist and have correct
|
|
# permissions. To disable this check, set sshd_verify_hostkeys to false
|
|
sshd_verify_hostkeys: "auto"
|
|
|
|
sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
|
|
sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
|
|
sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"
|
|
|
|
# instead of replacing the whole configuration file, just add a specified
|
|
# snippet
|
|
sshd_config_namespace: null
|
|
|
|
# If this option is enabled, the role will configure firewall to open the ports
|
|
# defined in the configuration. This works only on Red Hat based systems.
|
|
sshd_manage_firewall: false
|
|
|
|
# If this option is enabled, the role will configure selinux to allow sshd to
|
|
# bind the ports defined in the configuration. This works only on Red Hat based systems.
|
|
sshd_manage_selinux: false
|