mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-11-08 21:03:29 +01:00
f32003f051
The usage of set_facts inside of roles is not recommended if it is used for internal variables used only inside of the role. It is recommended to use variables with smaller scope to avoid inter-dependencies between different invocations of the same role as demonstrated in the tests_alternative_file.yml later in the patch series ttps://github.com/oasis-roles/meta_standards#ansible-best-practices
32 lines
1.2 KiB
YAML
32 lines
1.2 KiB
YAML
---
|
|
sshd_packages:
|
|
- net-misc/openssh
|
|
sshd_sftp_server: /usr/lib64/misc/sftp-server
|
|
__sshd_defaults:
|
|
Subsystem: "sftp {{ sshd_sftp_server }}"
|
|
# Replace tcp keepalive with unspoofable keepalive
|
|
TCPKeepAlive: no
|
|
ClientAliveInterval: 300
|
|
ClientAliveCountMax: 2
|
|
# Secure cipher and algorithm settings
|
|
HostKey:
|
|
- /etc/ssh/ssh_host_ed25519_key
|
|
- /etc/ssh/ssh_host_rsa_key
|
|
HostKeyAlgorithms: "ssh-ed25519,ssh-rsa,ssh-ed25519-cert-v01@openssh.com"
|
|
KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
|
|
Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
|
|
MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
|
|
AuthorizedKeysFile: .ssh/authorized_keys
|
|
# Security settings
|
|
PasswordAuthentication: no
|
|
ChallengeResponseAuthentication: no
|
|
PermitRootLogin: no
|
|
# Login settings
|
|
UsePAM: yes
|
|
PrintMotd: no
|
|
PrintLastLog: yes
|
|
# Disable most forwarding types for more security
|
|
AllowAgentForwarding: no
|
|
AllowTcpForwarding: no
|
|
AllowStreamLocalForwarding: no
|
|
__sshd_os_supported: yes
|