public-health-ch/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml

# true if IPv6 is needed
network_ipv6_enable: false          # sshd + ssh

# true if sshd should be started and enabled
ssh_server_enabled: true            # sshd

# true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
ssh_use_dns: false                  # sshd

# true or value if compression is needed
ssh_client_compression: false       # ssh
ssh_compression: false              # sshd

# For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.
ssh_client_hardening: true          # ssh
ssh_server_hardening: true          # sshd

# If true, password login is allowed
ssh_client_password_login: false    # ssh
ssh_server_password_login: false    # sshd

# ports on which ssh-server should listen
ssh_server_ports: ['22']            # sshd

# port to which ssh-client should connect
ssh_client_port: '22'               # ssh

# one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!
ssh_listen_to: ['0.0.0.0']          # sshd

# Host keys to look for when starting sshd.
ssh_host_key_files: []              # sshd

# Specifies the host key algorithms that the server offers
ssh_host_key_algorithms: []         # sshd

# specifies the time allowed for successful authentication to the SSH server
ssh_login_grace_time: 30s

# Specifies  the  maximum  number  of authentication attempts permitted per connection.  Once the number of failures reaches half this value, additional failures are logged.
ssh_max_auth_retries: 2

# Specifies the maximum number of open sessions permitted from a given connection
ssh_max_sessions: 10

ssh_client_alive_interval: 300      # sshd
ssh_client_alive_count: 3           # sshd

# Allow SSH Tunnels
ssh_permit_tunnel: false

# Hosts with custom options.        # ssh
# Example:
# ssh_remote_hosts:
#   - names: ['example.com', 'example2.com']
#     options: ['Port 2222', 'ForwardAgent yes']
#   - names: ['example3.com']
#     options: ['StrictHostKeyChecking no']
ssh_remote_hosts: []

# Set this to "without-password" or "yes" to allow root to login
ssh_permit_root_login: 'no'         # sshd

# false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
ssh_allow_tcp_forwarding: 'no'      # sshd

# false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.
# Set to 'clientspecified' to allow the client to specify which address to bind to.
ssh_gateway_ports: false            # sshd

# false to disable Agent Forwarding. Set to true to allow Agent Forwarding.
ssh_allow_agent_forwarding: false   # sshd

# false to disable X11 Forwarding. Set to true to allow X11 Forwarding.
ssh_x11_forwarding: false   # sshd

# true if SSH has PAM support
ssh_pam_support: true

# false to disable pam authentication.
ssh_use_pam: true                   # sshd

# specify AuthenticationMethods
sshd_authenticationmethods: 'publickey'

# true if SSH support GSSAPI
ssh_gssapi_support: false

# true if SSH support Kerberos
ssh_kerberos_support: true

# if specified, login is disallowed for user names that match one of the patterns.
ssh_deny_users: ''                  # sshd

# if specified, login is allowed only for user names that match one of the patterns.
ssh_allow_users: ''                 # sshd

# if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
ssh_deny_groups: ''                 # sshd

# if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
ssh_allow_groups: ''                # sshd

# change default file that contains the public keys that can be used for user authentication.
ssh_authorized_keys_file: ''        # sshd

# specifies the file containing trusted certificate authorities public keys used to sign user certificates.
ssh_trusted_user_ca_keys_file: ''   # sshd

# set the trusted certificate authorities public keys used to sign user certificates.
# Example:
# ssh_trusted_user_ca_keys:
#   - 'ssh-rsa ... comment1'
#   - 'ssh-rsa ... comment2'
ssh_trusted_user_ca_keys: []        # sshd

# specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set.
# Example:
# ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
#
# %h is replaced by the home directory of the user being authenticated, and %u is
# replaced by the username of that user. After expansion, the path is taken to be
# an absolute path or one relative to the user's home directory.
#
ssh_authorized_principals_file: ''  # sshd

# list of hashes containing file paths and authorized principals. Only used if ssh_authorized_principals_file is set.
# Example:
# ssh_authorized_principals:
#   - { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }
#   - { path: '/etc/ssh/auth_principals/myuser', principals: [ 'masteradmin', 'webserver' ] }
ssh_authorized_principals: []       # sshd

# false to disable printing of the MOTD
ssh_print_motd: false               # sshd
ssh_print_pam_motd: false           # sshd

# false to disable display of last login information
ssh_print_last_log: false           # sshd

# false to disable serving ssh warning banner before authentication is allowed
ssh_banner: false                   # sshd

# path to file with ssh warning banner 
ssh_banner_path: '/etc/ssh/banner.txt'

# false to disable distribution version leakage during initial protocol handshake
ssh_print_debian_banner: false      # sshd (Debian OS family only)

# true to enable sftp configuration
sftp_enabled: false

# false to disable sftp chroot
sftp_chroot: true

# sftp default umask
sftp_umask: '0027'

# change default sftp chroot location
sftp_chroot_dir: /home/%u

# enable experimental client roaming
ssh_client_roaming: false

# list of hashes (containing user and rules) to generate Match User blocks for
ssh_server_match_user: false        # sshd

# list of hashes (containing group and rules) to generate Match Group blocks for
ssh_server_match_group: false       # sshd

# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for
ssh_server_match_address: false     # sshd

# list of hashes (containing port and rules) to generate Match LocalPort blocks for
ssh_server_match_local_port: false  # sshd

ssh_server_permit_environment_vars: 'no'
ssh_server_accept_env_vars: ''

# maximum number of concurrent unauthenticated connections to the SSH daemon
ssh_max_startups: '10:30:100'       # sshd

ssh_ps53: 'yes'
ssh_ps59: 'sandbox'

ssh_macs: []
ssh_ciphers: []
ssh_kex: []

ssh_macs_53_default:
  - hmac-ripemd160
  - hmac-sha1

ssh_macs_53_el_6_5_default:
  - hmac-sha2-512
  - hmac-sha2-256

ssh_macs_59_default:
  - hmac-sha2-512
  - hmac-sha2-256
  - hmac-ripemd160

ssh_macs_66_default:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - umac-128-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256

ssh_macs_76_default:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - umac-128-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256

ssh_ciphers_53_default:
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

ssh_ciphers_66_default:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

ssh_kex_59_default:
  - diffie-hellman-group-exchange-sha256

ssh_kex_66_default:
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256
  
ssh_kex_80_default:
  - sntrup4591761x25519-sha512@tinyssh.org
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256

# directory where to store ssh_password policy
ssh_custom_selinux_dir: '/etc/selinux/local-policies'

sshd_moduli_file: '/etc/ssh/moduli'
sshd_moduli_minimum: 2048

# disable ChallengeResponseAuthentication
ssh_challengeresponseauthentication: false

# a list of public keys that are never accepted by the ssh server
ssh_server_revoked_keys: []

# Set to false to turn the role into a no-op. Useful when using
# the Ansible role dependency mechanism.
ssh_hardening_enabled: true

# Custom options for SSH client configuration file
ssh_custom_options: []

# Custom options for SSH daemon configuration file
sshd_custom_options: []

# Logging
sshd_syslog_facility: 'AUTH'
sshd_log_level: 'VERBOSE'

sshd_strict_modes: yes

# disable CRYPTO_POLICY to take settings from sshd configuration
# see: https://access.redhat.com/solutions/4410591
sshd_disable_crypto_policy: true
Ansible deployment 2017-04-24 12:22:51 +00:00			`# true if IPv6 is needed`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`network_ipv6_enable: false # sshd + ssh`
Ansible deployment 2017-04-24 12:22:51 +00:00
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`# true if sshd should be started and enabled`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_server_enabled: true # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`# true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_use_dns: false # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`# true or value if compression is needed`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_client_compression: false # ssh`
			`ssh_compression: false # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`# For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.`
			`ssh_client_hardening: true # ssh`
			`ssh_server_hardening: true # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`# If true, password login is allowed`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_client_password_login: false # ssh`
			`ssh_server_password_login: false # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`# ports on which ssh-server should listen`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_server_ports: ['22'] # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`# port to which ssh-client should connect`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_client_port: '22' # ssh`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`# one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_listen_to: ['0.0.0.0'] # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`# Host keys to look for when starting sshd.`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_host_key_files: [] # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`# Specifies the host key algorithms that the server offers`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_host_key_algorithms: [] # sshd`

			`# specifies the time allowed for successful authentication to the SSH server`
			`ssh_login_grace_time: 30s`
Updated Ansible setup 2020-05-15 20:41:39 +00:00
Ansible deployment 2017-04-24 12:22:51 +00:00			`# Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.`
			`ssh_max_auth_retries: 2`

Ansible roles updated 2021-02-18 15:40:18 +00:00			`# Specifies the maximum number of open sessions permitted from a given connection`
			`ssh_max_sessions: 10`

			`ssh_client_alive_interval: 300 # sshd`
			`ssh_client_alive_count: 3 # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`# Allow SSH Tunnels`
			`ssh_permit_tunnel: false`

Ansible roles updated 2021-02-18 15:40:18 +00:00			`# Hosts with custom options. # ssh`
Ansible deployment 2017-04-24 12:22:51 +00:00			`# Example:`
			`# ssh_remote_hosts:`
			`# - names: ['example.com', 'example2.com']`
			`# options: ['Port 2222', 'ForwardAgent yes']`
			`# - names: ['example3.com']`
			`# options: ['StrictHostKeyChecking no']`
			`ssh_remote_hosts: []`

Updated Ansible setup 2020-05-15 20:41:39 +00:00			`# Set this to "without-password" or "yes" to allow root to login`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_permit_root_login: 'no' # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`# false to disable TCP Forwarding. Set to true to allow TCP Forwarding.`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_allow_tcp_forwarding: 'no' # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`# false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.`
			`# Set to 'clientspecified' to allow the client to specify which address to bind to.`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_gateway_ports: false # sshd`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
Ansible deployment 2017-04-24 12:22:51 +00:00			`# false to disable Agent Forwarding. Set to true to allow Agent Forwarding.`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_allow_agent_forwarding: false # sshd`

			`# false to disable X11 Forwarding. Set to true to allow X11 Forwarding.`
			`ssh_x11_forwarding: false # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`# true if SSH has PAM support`
			`ssh_pam_support: true`

Ansible deployment 2017-04-24 12:22:51 +00:00			`# false to disable pam authentication.`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_use_pam: true # sshd`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`# specify AuthenticationMethods`
			`sshd_authenticationmethods: 'publickey'`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
			`# true if SSH support GSSAPI`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`ssh_gssapi_support: false`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
			`# true if SSH support Kerberos`
			`ssh_kerberos_support: true`

Ansible deployment 2017-04-24 12:22:51 +00:00			`# if specified, login is disallowed for user names that match one of the patterns.`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_deny_users: '' # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`# if specified, login is allowed only for user names that match one of the patterns.`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_allow_users: '' # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`# if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_deny_groups: '' # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`# if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_allow_groups: '' # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`# change default file that contains the public keys that can be used for user authentication.`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_authorized_keys_file: '' # sshd`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
			`# specifies the file containing trusted certificate authorities public keys used to sign user certificates.`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_trusted_user_ca_keys_file: '' # sshd`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
			`# set the trusted certificate authorities public keys used to sign user certificates.`
			`# Example:`
			`# ssh_trusted_user_ca_keys:`
			`# - 'ssh-rsa ... comment1'`
			`# - 'ssh-rsa ... comment2'`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_trusted_user_ca_keys: [] # sshd`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
			`# specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set.`
			`# Example:`
			`# ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'`
			`#`
			`# %h is replaced by the home directory of the user being authenticated, and %u is`
			`# replaced by the username of that user. After expansion, the path is taken to be`
			`# an absolute path or one relative to the user's home directory.`
			`#`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_authorized_principals_file: '' # sshd`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
			`# list of hashes containing file paths and authorized principals. Only used if ssh_authorized_principals_file is set.`
			`# Example:`
			`# ssh_authorized_principals:`
			`# - { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }`
			`# - { path: '/etc/ssh/auth_principals/myuser', principals: [ 'masteradmin', 'webserver' ] }`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_authorized_principals: [] # sshd`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
Ansible deployment 2017-04-24 12:22:51 +00:00			`# false to disable printing of the MOTD`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_print_motd: false # sshd`
			`ssh_print_pam_motd: false # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`# false to disable display of last login information`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_print_last_log: false # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
Ansible roles updated 2021-02-18 15:40:18 +00:00			`# false to disable serving ssh warning banner before authentication is allowed`
			`ssh_banner: false # sshd`

			`# path to file with ssh warning banner`
			`ssh_banner_path: '/etc/ssh/banner.txt'`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`# false to disable distribution version leakage during initial protocol handshake`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_print_debian_banner: false # sshd (Debian OS family only)`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`# true to enable sftp configuration`
			`sftp_enabled: false`

Updated Ansible roles 2018-12-17 12:50:15 +00:00			`# false to disable sftp chroot`
			`sftp_chroot: true`

Updated Ansible setup 2020-05-15 20:41:39 +00:00			`# sftp default umask`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`sftp_umask: '0027'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00
Ansible deployment 2017-04-24 12:22:51 +00:00			`# change default sftp chroot location`
			`sftp_chroot_dir: /home/%u`

			`# enable experimental client roaming`
			`ssh_client_roaming: false`

Ansible roles updated 2021-02-18 15:40:18 +00:00			`# list of hashes (containing user and rules) to generate Match User blocks for`
			`ssh_server_match_user: false # sshd`

			`# list of hashes (containing group and rules) to generate Match Group blocks for`
			`ssh_server_match_group: false # sshd`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
Ansible roles updated 2021-02-18 15:40:18 +00:00			`# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for`
			`ssh_server_match_address: false # sshd`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
Ansible roles updated 2021-02-18 15:40:18 +00:00			`# list of hashes (containing port and rules) to generate Match LocalPort blocks for`
			`ssh_server_match_local_port: false # sshd`
Updated Ansible setup 2020-05-15 20:41:39 +00:00
			`ssh_server_permit_environment_vars: 'no'`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_server_accept_env_vars: ''`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
			`# maximum number of concurrent unauthenticated connections to the SSH daemon`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`ssh_max_startups: '10:30:100' # sshd`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`ssh_ps53: 'yes'`
			`ssh_ps59: 'sandbox'`

Updated Ansible roles 2018-12-17 12:50:15 +00:00			`ssh_macs: []`
			`ssh_ciphers: []`
			`ssh_kex: []`

Ansible deployment 2017-04-24 12:22:51 +00:00			`ssh_macs_53_default:`
			`- hmac-ripemd160`
			`- hmac-sha1`

Updated Ansible setup 2020-05-15 20:41:39 +00:00			`ssh_macs_53_el_6_5_default:`
			`- hmac-sha2-512`
			`- hmac-sha2-256`

Ansible deployment 2017-04-24 12:22:51 +00:00			`ssh_macs_59_default:`
			`- hmac-sha2-512`
			`- hmac-sha2-256`
			`- hmac-ripemd160`

			`ssh_macs_66_default:`
			`- hmac-sha2-512-etm@openssh.com`
			`- hmac-sha2-256-etm@openssh.com`
			`- umac-128-etm@openssh.com`
			`- hmac-sha2-512`
			`- hmac-sha2-256`

Updated Ansible roles 2018-12-17 12:50:15 +00:00			`ssh_macs_76_default:`
			`- hmac-sha2-512-etm@openssh.com`
			`- hmac-sha2-256-etm@openssh.com`
			`- umac-128-etm@openssh.com`
			`- hmac-sha2-512`
			`- hmac-sha2-256`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`ssh_ciphers_53_default:`
			`- aes256-ctr`
			`- aes192-ctr`
			`- aes128-ctr`

			`ssh_ciphers_66_default:`
			`- chacha20-poly1305@openssh.com`
			`- aes256-gcm@openssh.com`
			`- aes128-gcm@openssh.com`
			`- aes256-ctr`
			`- aes192-ctr`
			`- aes128-ctr`

			`ssh_kex_59_default:`
			`- diffie-hellman-group-exchange-sha256`

			`ssh_kex_66_default:`
			`- curve25519-sha256@libssh.org`
			`- diffie-hellman-group-exchange-sha256`
Updated Ansible setup 2020-05-15 20:41:39 +00:00
			`ssh_kex_80_default:`
			`- sntrup4591761x25519-sha512@tinyssh.org`
			`- curve25519-sha256@libssh.org`
			`- diffie-hellman-group-exchange-sha256`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`# directory where to store ssh_password policy`
			`ssh_custom_selinux_dir: '/etc/selinux/local-policies'`

Updated Ansible roles 2018-12-17 12:50:15 +00:00			`sshd_moduli_file: '/etc/ssh/moduli'`
Ansible deployment 2017-04-24 12:22:51 +00:00			`sshd_moduli_minimum: 2048`

			`# disable ChallengeResponseAuthentication`
			`ssh_challengeresponseauthentication: false`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
			`# a list of public keys that are never accepted by the ssh server`
			`ssh_server_revoked_keys: []`

			`# Set to false to turn the role into a no-op. Useful when using`
			`# the Ansible role dependency mechanism.`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`ssh_hardening_enabled: true`

			`# Custom options for SSH client configuration file`
			`ssh_custom_options: []`

			`# Custom options for SSH daemon configuration file`
			`sshd_custom_options: []`

			`# Logging`
			`sshd_syslog_facility: 'AUTH'`
			`sshd_log_level: 'VERBOSE'`

			`sshd_strict_modes: yes`
Ansible roles updated 2021-02-18 15:40:18 +00:00
			`# disable CRYPTO_POLICY to take settings from sshd configuration`
			`# see: https://access.redhat.com/solutions/4410591`
			`sshd_disable_crypto_policy: true`