mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-11-10 13:43:30 +01:00
dd820d1c24
This is useful during provisioning, when the keys have not been generated by the sshd-keygen service or a similar mechanism, depending on the operating system. This is also helpful when running this role in containers, where no such service is running either. The keys are generally readable only by root, but in RHEL and Fedora they are also readable by the group ssh_keys, which is used for hostbased authentication. This should fix #111
---
# sshd role variables for one distribution family.
# NOTE(review): the option values look like the distribution's stock
# sshd_config defaults rather than a hardened profile - confirm before
# relying on them for exposed hosts.
# Booleans are spelled true/false; Ansible's YAML loader reads them exactly
# like yes/no.

# Packages that provide the OpenSSH server.
sshd_packages:
  - openssh
  - openssh-server

# Path of the SFTP server binary, substituted into Subsystem below.
sshd_sftp_server: /usr/libexec/openssh/sftp-server

__sshd_defaults:
  # Private host keys to load; RSA, ECDSA and Ed25519 only, no DSA key.
  HostKey:
    - /etc/ssh/ssh_host_rsa_key
    - /etc/ssh/ssh_host_ecdsa_key
    - /etc/ssh/ssh_host_ed25519_key
  SyslogFacility: AUTHPRIV
  AuthorizedKeysFile: .ssh/authorized_keys
  # NOTE(review): password logins are enabled; hosts that only need
  # key-based authentication should override this with false.
  PasswordAuthentication: true
  ChallengeResponseAuthentication: false
  GSSAPIAuthentication: true
  GSSAPICleanupCredentials: false
  # Note that UsePAM: no is not supported under RHEL/CentOS. See
  # https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
  UsePAM: true
  # NOTE(review): X11 forwarding is enabled; override with false where no
  # user needs it.
  X11Forwarding: true
  # NOTE(review): UsePrivilegeSeparation is deprecated in OpenSSH 7.5 and
  # later; confirm the targeted OpenSSH version still honours it.
  UsePrivilegeSeparation: sandbox
  # Only locale-related variables and XMODIFIERS are accepted from the
  # client's environment.
  AcceptEnv:
    - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    - LC_IDENTIFICATION LC_ALL LANGUAGE
    - XMODIFIERS
  # Quoted because the value contains a Jinja expression.
  Subsystem: "sftp {{ sshd_sftp_server }}"

__sshd_os_supported: true
__sshd_sysconfig_supports_use_strong_rng: true

# Group and mode, presumably applied to the private host keys the role
# generates - verify against the tasks that consume them. On RHEL and Fedora
# the private host keys are readable by the ssh_keys group, which is used for
# hostbased authentication, hence 0640 instead of root-only 0600; keep
# membership of that group minimal. The mode is quoted so it stays a string
# and is not read as an octal integer.
sshd_hostkey_group: ssh_keys
sshd_hostkey_mode: '0640'