libretic/ansible-sshd
6
0
Fork 0
mirror of https://github.com/willshersystems/ansible-sshd synced 2024-11-10 13:43:30 +01:00
Code Issues Projects Releases Packages Wiki Activity
No description
54 commits 2 branches 70 tags 1.1 MiB
Jinja 86%
Shell 14%
Find a file
Matt Willsher e15dd828f2 Fixed typo in HostbasedAuthentication
2015-01-13 14:27:59 +00:00
defaults Add EL6 defaults 2014-12-22 10:05:09 +00:00
handlers Naming tidy up 2015-01-13 13:26:52 +00:00
meta Add networking type 2015-01-12 13:06:49 +00:00
tasks Naming tidy up 2015-01-13 13:26:52 +00:00
templates Merge from develop changes 2015-01-04 12:51:40 +00:00
tests Fix test syntax error 2015-01-12 21:15:25 +00:00
vars Fixed typo in HostbasedAuthentication 2015-01-13 14:27:59 +00:00
.travis.yml Fix idempotency test path 2015-01-12 21:20:19 +00:00
CHANGELOG Release notes for 0.2.2 2015-01-13 13:31:44 +00:00
LICENSE Use LGPL license 2014-12-26 10:09:34 +00:00
README.md Add warnings 2015-01-13 13:29:53 +00:00

README.md

Build Status Ansible Galaxy

OpenSSH Server

This role configures the OpenSSH daemon. It:

  • By default configures the SSH daemon with the normal OS defaults.
  • Works across a variety of UN*X like distributions
  • Can be configured by dict or simple variables
  • Supports Match sets
  • Supports all sshd_config options. Templates are programmatically generated. (see meta/make_option_list)
  • Tests the sshd_config before reloading sshd.

WARNING Misconfiguration of this role can lock you out of your server! Please test your configuration and its interaction with your users configuration before using in production!

WARNING Digital Ocean allows root with passwords via SSH on Debian and Ubuntu. This is not the default assigned by this module - it will set PermitRootLogin without-password which will allow access via SSH key but not via simple password. If you need this functionality, be sure to set ssh_PermitRootLogin yes for those hosts.

Requirements

Tested on:

  • Ubuntu precise, trusty
  • Debian wheezy, jessie
  • FreeBSD 10.1
  • EL 6,7 derived distributions

It will likely work on other flavours and more direct support via suitable vars/ files is welcome.

Role variables

  • Unconfigured, this role will provide a sshd_config that matches the OS default, minus the comments and in a different order.

  • Defaults can be disabled by setting sshd_skip_defaults: true

  • Supports use of a dict to configure items:

sshd:
  Compression: delayed
  ListenAddress:
    - 0.0.0.0
  • Simple variables can be used rather than a dict. Simple values override dict values:
sshd_Compression: off
  • Correctly interprets booleans as yes and no in sshd configuration
  • Supports lists for multi line configuration items:
sshd_ListenAddress:
  - 0.0.0.0
  - '::'
  • Supports match section either via Match in the sshd dict, sshd_match and any of sshd_match_1 through sshd_match_9. Match items can either be a dict or an array.

Example Playbook

---
- hosts: all
  vars:
    sshd_skip_defaults: true
    sshd:
      Compression: true
      ListenAddress:
        - "0.0.0.0"
        - "::"
      GSSAPIAuthentication: no
      Match:
        - Condition: "Group user"
          GSSAPIAuthentication: yes
    sshd_UsePrivilegeSeparation: sandbox
    sshd_match:
        - Condition: "Group xusers"
          X11Forwarding: yes
  roles:
    - role: willshersystems.sshd

Results in:

# Ansible managed: ...
Compression yes
GSSAPIAuthentication no
UsePrivilegeSeparation sandbox
Match Group user
  GSSAPIAuthentication yes
Match Group xusers
  X11Forwarding yes

License

LGPLv3

Author

Matt Willsher matt@willsher.systems

Copyright 2014,2015 Willsher Systems