No description
Find a file
Martin Stefany ee74b9611f Remove Fedora_22.yml
Remove Fedora_22.yml since it matches 'default' Fedora.yml list of HostKeys.
2016-01-09 16:28:51 +01:00
defaults Fix sshd_manage_var_run check 2015-08-12 23:29:51 +03:00
handlers Fix issues raised in #22 2015-06-28 10:18:45 +01:00
meta Add DebianBanner option 2015-07-23 18:30:03 +01:00
tasks Do not manage /var/run/sshd on CentOS7 fixes #27 2015-08-12 18:41:46 +03:00
templates Add DebianBanner option 2015-07-23 18:30:03 +01:00
tests Fix test syntax error 2015-01-12 21:15:25 +00:00
vars Remove Fedora_22.yml 2016-01-09 16:28:51 +01:00
.travis.yml Speed up Travis 2015-01-15 10:06:52 +00:00
CHANGELOG Release 0.2.5 changes 2015-01-23 10:44:54 +00:00
LICENSE Use LGPL license 2014-12-26 10:09:34 +00:00
README.md move to personal galaxy account 2015-08-25 18:41:22 +01:00

Build Status Ansible Galaxy

OpenSSH Server

This role configures the OpenSSH daemon. It:

  • By default configures the SSH daemon with the normal OS defaults.
  • Works across a variety of UN*X like distributions
  • Can be configured by dict or simple variables
  • Supports Match sets
  • Supports all sshd_config options. Templates are programmatically generated. (see meta/make_option_list)
  • Tests the sshd_config before reloading sshd.

WARNING Misconfiguration of this role can lock you out of your server! Please test your configuration and its interaction with your users configuration before using in production!

WARNING Digital Ocean allows root with passwords via SSH on Debian and Ubuntu. This is not the default assigned by this module - it will set PermitRootLogin without-password which will allow access via SSH key but not via simple password. If you need this functionality, be sure to set ssh_PermitRootLogin yes for those hosts.

Requirements

Tested on:

  • Ubuntu precise, trusty
  • Debian wheezy, jessie
  • FreeBSD 10.1
  • EL 6,7 derived distributions
  • Fedora 20, 22

It will likely work on other flavours and more direct support via suitable vars/ files is welcome.

Role variables

Unconfigured, this role will provide a sshd_config that matches the OS default, minus the comments and in a different order.

  • sshd_skip_defaults

If set to True, don't apply default values. This means that you must have a complete set of configuration defaults via either the sshd dict, or sshd_Key variables. Defaults to False.

  • sshd_manage_service

If set to False, the service/daemon won't be touched at all, i.e. will not try to enable on boot or start or reload the service. Defaults to True unless running inside a docker container (it is assumed ansible is used during build phase).

  • sshd_allow_reload

If set to False, a reload of sshd wont happen on change. This can help with troubleshooting. You'll need to manually reload sshd if you want to apply the changed configuration. Defaults to the same value as sshd_manage_service.

  • sshd

A dict containing configuration. e.g.

sshd:
  Compression: delayed
  ListenAddress:
    - 0.0.0.0
  • ssh_...

Simple variables can be used rather than a dict. Simple values override dict values. e.g.:

sshd_Compression: off

In all cases, booleans correctly rendered as yes and no in sshd configuration. Lists can be used for multiline configuration items. e.g.

sshd_ListenAddress:
  - 0.0.0.0
  - '::'

Renders as:

ListenAddress 0.0.0.0
ListenAddress ::
  • sshd_match

A list of dicts for a match section. See the example playbook.

  • sshd_match_1 through sshd_match_9

A list of dicts or just a dict for a Match section.

Dependencies

None

Example Playbook

---
- hosts: all
  vars:
    sshd_skip_defaults: true
    sshd:
      Compression: true
      ListenAddress:
        - "0.0.0.0"
        - "::"
      GSSAPIAuthentication: no
      Match:
        - Condition: "Group user"
          GSSAPIAuthentication: yes
    sshd_UsePrivilegeSeparation: sandbox
    sshd_match:
        - Condition: "Group xusers"
          X11Forwarding: yes
  roles:
    - role: willshersystems.sshd

Results in:

# Ansible managed: ...
Compression yes
GSSAPIAuthentication no
UsePrivilegeSeparation sandbox
Match Group user
  GSSAPIAuthentication yes
Match Group xusers
  X11Forwarding yes

Template Generation

The sshd_config.j2 template is programatically generated by the scripts in meta. New options should be added to the options_body or options_match.

To regenerate the template, from within the meta/ directory run: ./make_option_list >../templates/sshd_config.j2

License

LGPLv3

Author

Matt Willsher matt@willsher.systems

© 2014,2015 Willsher Systems Ltd.