mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-11-12 14:40:19 +01:00
860e533713
Previously no hostkeys were checked if they were not present in the generated configuration file. When the drop-in directory is used, usually, there are no hostkeys in that file and no sanity check for hostkeys was executed. This amends the "auto" value for the hostkeys check to allow checking for default hostkeys that are read by OpenSSH by default. Signed-off-by: Jakub Jelen <jjelen@redhat.com>
80 lines
2.8 KiB
YAML
80 lines
2.8 KiB
YAML
---
|
|
### USER OPTIONS
|
|
# Set to false to disable this role completely
|
|
sshd_enable: true
|
|
|
|
# Don't apply OS defaults when set to true
|
|
sshd_skip_defaults: false
|
|
|
|
# If the below is false, don't manage the service or reload the SSH
|
|
# daemon at all
|
|
sshd_manage_service: true
|
|
|
|
# If the below is false, don't reload the ssh daemon on change
|
|
sshd_allow_reload: true
|
|
|
|
# If the below is true, also install service files from the templates pointed
|
|
# to by the `sshd_service_template_*` variables
|
|
sshd_install_service: false
|
|
sshd_service_template_service: sshd.service.j2
|
|
sshd_service_template_at_service: sshd@.service.j2
|
|
sshd_service_template_socket: sshd.socket.j2
|
|
|
|
# If the below is true, create a backup of the config file when the template is copied
|
|
sshd_backup: true
|
|
|
|
# If the below is true, also install the sysconfig file with the below options
|
|
# (useful only on Fedora and RHEL)
|
|
sshd_sysconfig: false
|
|
|
|
# If the below is true the role will override also crypto policy configuration
|
|
sshd_sysconfig_override_crypto_policy: false
|
|
|
|
# If the below is set to non-zero value, the OpenSSL random generator is
|
|
# reseeded with the given amount of random bytes (from getrandom(2)
|
|
# with GRND_RANDOM or /dev/random). Minimum is 14 bytes when enabled.
|
|
# This is not recommended to enable if you do not have hardware random number
|
|
# generator
|
|
sshd_sysconfig_use_strong_rng: 0
|
|
|
|
|
|
# Empty dicts to avoid errors
|
|
sshd: {}
|
|
|
|
# The path to sshd_config file. This is useful when creating an included
|
|
# configuration file snippet or configuring second sshd service
|
|
sshd_config_file: "{{ __sshd_config_file }}"
|
|
|
|
### VARS DEFAULTS
|
|
### The following are defaults for OS specific configuration in var files in
|
|
### this role. They should not be set directly by role users.
|
|
sshd_packages: []
|
|
sshd_config_owner: "{{ __sshd_config_owner }}"
|
|
sshd_config_group: "{{ __sshd_config_group }}"
|
|
sshd_config_mode: "{{ __sshd_config_mode }}"
|
|
sshd_binary: /usr/sbin/sshd
|
|
sshd_service: sshd
|
|
sshd_sftp_server: /usr/lib/openssh/sftp-server
|
|
|
|
# This lists by default all hostkeys as rendered in the generated configuration
|
|
# file ("auto"). Before attempting to run sshd (either for verification of
|
|
# configuration or restarting), we make sure the keys exist and have correct
|
|
# permissions. To disable this check, set sshd_verify_hostkeys to false
|
|
sshd_verify_hostkeys: "auto"
|
|
__sshd_verify_hostkeys_default: []
|
|
sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
|
|
sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
|
|
sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"
|
|
|
|
# instead of replacing the whole configuration file, just add a specified
|
|
# snippet
|
|
sshd_config_namespace: null
|
|
|
|
### These variables are used by role internals and should not be used.
|
|
__sshd_defaults: {}
|
|
__sshd_os_supported: no
|
|
__sshd_sysconfig_supports_crypto_policy: false
|
|
__sshd_sysconfig_supports_use_strong_rng: false
|
|
|
|
__sshd_runtime_directory: false
|
|
__sshd_runtime_directory_mode: "0755"
|