ansible-sshd/vars/Gentoo.yml
Jakub Jelen f32003f051 Remove set_facts tasks not to pollute global namespace
The usage of set_facts inside of roles is not recommended if
it is used for internal variables used only inside of the role.
It is recommended to use variables with smaller scope to avoid
inter-dependencies between different invocations of the same
role as demonstrated in the tests_alternative_file.yml later
in the patch series

https://github.com/oasis-roles/meta_standards#ansible-best-practices
2020-11-06 12:04:41 +01:00


---
sshd_packages:
  - net-misc/openssh
sshd_sftp_server: /usr/lib64/misc/sftp-server
__sshd_defaults:
  Subsystem: "sftp {{ sshd_sftp_server }}"
  # Replace tcp keepalive with unspoofable keepalive
  TCPKeepAlive: no
  ClientAliveInterval: 300
  ClientAliveCountMax: 2
  # Secure cipher and algorithm settings
  HostKey:
    - /etc/ssh/ssh_host_ed25519_key
    - /etc/ssh/ssh_host_rsa_key
  HostKeyAlgorithms: "ssh-ed25519,ssh-rsa,ssh-ed25519-cert-v01@openssh.com"
  KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
  Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
  MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
  AuthorizedKeysFile: .ssh/authorized_keys
  # Security settings
  PasswordAuthentication: no
  ChallengeResponseAuthentication: no
  PermitRootLogin: no
  # Login settings
  UsePAM: yes
  PrintMotd: no
  PrintLastLog: yes
  # Disable most forwarding types for more security
  AllowAgentForwarding: no
  AllowTcpForwarding: no
  AllowStreamLocalForwarding: no
__sshd_os_supported: yes
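To show how a defaults dict like the one above maps onto an sshd_config and how to audit the result, here is an added Python example (not the role's own template or code): it mirrors the Gentoo defaults as a constructed Python dict (a YAML loader turns the bare yes/no into booleans, which is why the renderer converts them back), renders one `Key value` line per entry with list values such as HostKey repeated and `{{ sshd_sftp_server }}` substituted, and checks that the hardening directives come out as intended; the required-directive list and the rendering rules are assumptions for the illustration.

```python
import re

# Constructed sample mirroring the Gentoo vars above. A YAML loader turns the
# bare yes/no into Python booleans, so that is how they appear here.
SSHD_VARS = {"sshd_sftp_server": "/usr/lib64/misc/sftp-server"}
SSHD_DEFAULTS = {
    "Subsystem": "sftp {{ sshd_sftp_server }}",
    "TCPKeepAlive": False,
    "ClientAliveInterval": 300,
    "ClientAliveCountMax": 2,
    "HostKey": ["/etc/ssh/ssh_host_ed25519_key", "/etc/ssh/ssh_host_rsa_key"],
    "PasswordAuthentication": False,
    "ChallengeResponseAuthentication": False,
    "PermitRootLogin": False,
    "UsePAM": True,
    "AllowAgentForwarding": False,
    "AllowTcpForwarding": False,
    "AllowStreamLocalForwarding": False,
}
# Assumed hardening baseline: directives that must carry exactly these values.
REQUIRED = {"PasswordAuthentication": "no", "PermitRootLogin": "no",
            "AllowTcpForwarding": "no"}


def render_value(value):
    # sshd_config wants yes/no, not the True/False that YAML parsing produced.
    if isinstance(value, bool):
        return "yes" if value else "no"
    return str(value)


def render_sshd_config(defaults, variables):
    # One "Key value" line per value; list values such as HostKey become
    # repeated lines; {{ var }} references are filled from `variables`.
    lines = []
    for key, value in defaults.items():
        for item in value if isinstance(value, list) else [value]:
            text = re.sub(r"{{\s*(\w+)\s*}}",
                          lambda m: str(variables[m.group(1)]), render_value(item))
            lines.append(f"{key} {text}")
    return "\n".join(lines) + "\n"


def audit_sshd_config(config_text, required=REQUIRED):
    # Report directives missing or not set to the required value. Only the
    # first occurrence counts, because that is the one sshd honours.
    seen = {}
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            seen.setdefault(parts[0], parts[1])
    return {k: seen.get(k) for k, v in required.items() if seen.get(k) != v}
```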