mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-12-27 19:00:18 +01:00
dd820d1c24
This is useful during provisioning, when the keys were not generated by sshd-keygen service or similar principles depending on operating system. This is also helpful when running this role in containers, where is no service running either. The keys are generally readable only by root, but in RHEL and Fedora, they are readable also by group ssh_keys, which is used for hostbased authentication. This should fix #111
71 lines
2.5 KiB
YAML
71 lines
2.5 KiB
YAML
---
|
|
### USER OPTIONS
|
|
# Set to false to disable this role completely
|
|
sshd_enable: true
|
|
|
|
# Don't apply OS defaults when set to true
|
|
sshd_skip_defaults: false
|
|
|
|
# If the below is false, don't manage the service or reload the SSH
|
|
# daemon at all
|
|
sshd_manage_service: true
|
|
|
|
# If the below is false, don't reload the ssh daemon on change
|
|
sshd_allow_reload: true
|
|
|
|
# If the below is true, also install service files from the templates pointed
|
|
# to by the `sshd_service_template_*` variables
|
|
sshd_install_service: false
|
|
sshd_service_template_service: sshd.service.j2
|
|
sshd_service_template_at_service: sshd@.service.j2
|
|
sshd_service_template_socket: sshd.socket.j2
|
|
|
|
# If the below is true, create a backup of the config file when the template is copied
|
|
sshd_backup: true
|
|
|
|
# If the below is true, also install the sysconfig file with the below options
|
|
# (useful only on Fedora and RHEL)
|
|
sshd_sysconfig: false
|
|
|
|
# If the below is true the role will override also crypto policy configuration
|
|
sshd_sysconfig_override_crypto_policy: false
|
|
|
|
# If the below is set to non-zero value, the OpenSSL random generator is
|
|
# reseeded with the given amount of random bytes (from getrandom(2)
|
|
# with GRND_RANDOM or /dev/random). Minimum is 14 bytes when enabled.
|
|
# This is not recommended to enable if you do not have hadware random generator
|
|
sshd_sysconfig_use_strong_rng: 0
|
|
|
|
|
|
# Empty dicts to avoid errors
|
|
sshd: {}
|
|
|
|
# The path to sshd_config file. This is useful when creating an included
|
|
# configuration file snippet or configuring second sshd service
|
|
sshd_config_file: /etc/ssh/sshd_config
|
|
|
|
### VARS DEFAULTS
|
|
### The following are defaults for OS specific configuration in var files in
|
|
### this role. They should not be set directly by role users.
|
|
sshd_packages: []
|
|
sshd_config_owner: root
|
|
sshd_config_group: root
|
|
sshd_config_mode: "0600"
|
|
sshd_binary: /usr/sbin/sshd
|
|
sshd_service: sshd
|
|
sshd_sftp_server: /usr/lib/openssh/sftp-server
|
|
|
|
# This lists by default all hostkeys as rendered in the generated configuration
|
|
# file ("auto"). Before attempting to run sshd (either for verification of
|
|
# configuration or restarting), we make sure the keys exist and have correct
|
|
# permissions. To disable this check, set sshd_verify_hostkeys to false
|
|
sshd_verify_hostkeys: "auto"
|
|
sshd_hostkey_owner: root
|
|
sshd_hostkey_group: root
|
|
sshd_hostkey_mode: "0600"
|
|
|
|
### These variables are used by role internals and should not be used.
|
|
__sshd_defaults: {}
|
|
__sshd_os_supported: no
|
|
__sshd_sysconfig_supports_crypto_policy: false
|
|
__sshd_sysconfig_supports_use_strong_rng: false
|