273 lines
8.6 KiB
YAML
273 lines
8.6 KiB
YAML
# true if IPv6 is needed
|
|
network_ipv6_enable: false # sshd + ssh
|
|
|
|
# true if sshd should be started and enabled
|
|
ssh_server_enabled: true # sshd
|
|
|
|
# true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
|
|
ssh_use_dns: false # sshd
|
|
|
|
# true or value if compression is needed
|
|
ssh_client_compression: false # ssh
|
|
ssh_compression: false # sshd
|
|
|
|
# For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.
|
|
ssh_client_hardening: true # ssh
|
|
ssh_server_hardening: true # sshd
|
|
|
|
# If true, password login is allowed
|
|
ssh_client_password_login: false # ssh
|
|
ssh_server_password_login: false # sshd
|
|
|
|
# ports on which ssh-server should listen
|
|
ssh_server_ports: ['22'] # sshd
|
|
|
|
# port to which ssh-client should connect
|
|
ssh_client_port: '22' # ssh
|
|
|
|
# one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!
|
|
ssh_listen_to: ['0.0.0.0'] # sshd
|
|
|
|
# Host keys to look for when starting sshd.
|
|
ssh_host_key_files: [] # sshd
|
|
|
|
# Specifies the host key algorithms that the server offers
|
|
ssh_host_key_algorithms: [] # sshd
|
|
|
|
# specifies the time allowed for successful authentication to the SSH server
|
|
ssh_login_grace_time: 30s
|
|
|
|
# Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
|
|
ssh_max_auth_retries: 2
|
|
|
|
# Specifies the maximum number of open sessions permitted from a given connection
|
|
ssh_max_sessions: 10
|
|
|
|
ssh_client_alive_interval: 300 # sshd
|
|
ssh_client_alive_count: 3 # sshd
|
|
|
|
# Allow SSH Tunnels
|
|
ssh_permit_tunnel: false
|
|
|
|
# Hosts with custom options. # ssh
|
|
# Example:
|
|
# ssh_remote_hosts:
|
|
# - names: ['example.com', 'example2.com']
|
|
# options: ['Port 2222', 'ForwardAgent yes']
|
|
# - names: ['example3.com']
|
|
# options: ['StrictHostKeyChecking no']
|
|
ssh_remote_hosts: []
|
|
|
|
# Set this to "without-password" or "yes" to allow root to login
|
|
ssh_permit_root_login: 'no' # sshd
|
|
|
|
# false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
|
|
ssh_allow_tcp_forwarding: 'no' # sshd
|
|
|
|
# false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.
|
|
# Set to 'clientspecified' to allow the client to specify which address to bind to.
|
|
ssh_gateway_ports: false # sshd
|
|
|
|
# false to disable Agent Forwarding. Set to true to allow Agent Forwarding.
|
|
ssh_allow_agent_forwarding: false # sshd
|
|
|
|
# false to disable X11 Forwarding. Set to true to allow X11 Forwarding.
|
|
ssh_x11_forwarding: false # sshd
|
|
|
|
# true if SSH has PAM support
|
|
ssh_pam_support: true
|
|
|
|
# false to disable pam authentication.
|
|
ssh_use_pam: true # sshd
|
|
|
|
# specify AuthenticationMethods
|
|
sshd_authenticationmethods: 'publickey'
|
|
|
|
# true if SSH support GSSAPI
|
|
ssh_gssapi_support: false
|
|
|
|
# true if SSH support Kerberos
|
|
ssh_kerberos_support: true
|
|
|
|
# if specified, login is disallowed for user names that match one of the patterns.
|
|
ssh_deny_users: '' # sshd
|
|
|
|
# if specified, login is allowed only for user names that match one of the patterns.
|
|
ssh_allow_users: '' # sshd
|
|
|
|
# if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
|
|
ssh_deny_groups: '' # sshd
|
|
|
|
# if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
|
|
ssh_allow_groups: '' # sshd
|
|
|
|
# change default file that contains the public keys that can be used for user authentication.
|
|
ssh_authorized_keys_file: '' # sshd
|
|
|
|
# specifies the file containing trusted certificate authorities public keys used to sign user certificates.
|
|
ssh_trusted_user_ca_keys_file: '' # sshd
|
|
|
|
# set the trusted certificate authorities public keys used to sign user certificates.
|
|
# Example:
|
|
# ssh_trusted_user_ca_keys:
|
|
# - 'ssh-rsa ... comment1'
|
|
# - 'ssh-rsa ... comment2'
|
|
ssh_trusted_user_ca_keys: [] # sshd
|
|
|
|
# specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set.
|
|
# Example:
|
|
# ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
|
|
#
|
|
# %h is replaced by the home directory of the user being authenticated, and %u is
|
|
# replaced by the username of that user. After expansion, the path is taken to be
|
|
# an absolute path or one relative to the user's home directory.
|
|
#
|
|
ssh_authorized_principals_file: '' # sshd
|
|
|
|
# list of hashes containing file paths and authorized principals. Only used if ssh_authorized_principals_file is set.
|
|
# Example:
|
|
# ssh_authorized_principals:
|
|
# - { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }
|
|
# - { path: '/etc/ssh/auth_principals/myuser', principals: [ 'masteradmin', 'webserver' ] }
|
|
ssh_authorized_principals: [] # sshd
|
|
|
|
# false to disable printing of the MOTD
|
|
ssh_print_motd: false # sshd
|
|
ssh_print_pam_motd: false # sshd
|
|
|
|
# false to disable display of last login information
|
|
ssh_print_last_log: false # sshd
|
|
|
|
# false to disable serving ssh warning banner before authentication is allowed
|
|
ssh_banner: false # sshd
|
|
|
|
# path to file with ssh warning banner
|
|
ssh_banner_path: '/etc/ssh/banner.txt'
|
|
|
|
# false to disable distribution version leakage during initial protocol handshake
|
|
ssh_print_debian_banner: false # sshd (Debian OS family only)
|
|
|
|
# true to enable sftp configuration
|
|
sftp_enabled: false
|
|
|
|
# false to disable sftp chroot
|
|
sftp_chroot: true
|
|
|
|
# sftp default umask
|
|
sftp_umask: '0027'
|
|
|
|
# change default sftp chroot location
|
|
sftp_chroot_dir: /home/%u
|
|
|
|
# enable experimental client roaming
|
|
ssh_client_roaming: false
|
|
|
|
# list of hashes (containing user and rules) to generate Match User blocks for
|
|
ssh_server_match_user: false # sshd
|
|
|
|
# list of hashes (containing group and rules) to generate Match Group blocks for
|
|
ssh_server_match_group: false # sshd
|
|
|
|
# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for
|
|
ssh_server_match_address: false # sshd
|
|
|
|
# list of hashes (containing port and rules) to generate Match LocalPort blocks for
|
|
ssh_server_match_local_port: false # sshd
|
|
|
|
ssh_server_permit_environment_vars: 'no'
|
|
ssh_server_accept_env_vars: ''
|
|
|
|
# maximum number of concurrent unauthenticated connections to the SSH daemon
|
|
ssh_max_startups: '10:30:100' # sshd
|
|
|
|
ssh_ps53: 'yes'
|
|
ssh_ps59: 'sandbox'
|
|
|
|
ssh_macs: []
|
|
ssh_ciphers: []
|
|
ssh_kex: []
|
|
|
|
ssh_macs_53_default:
|
|
- hmac-ripemd160
|
|
- hmac-sha1
|
|
|
|
ssh_macs_53_el_6_5_default:
|
|
- hmac-sha2-512
|
|
- hmac-sha2-256
|
|
|
|
ssh_macs_59_default:
|
|
- hmac-sha2-512
|
|
- hmac-sha2-256
|
|
- hmac-ripemd160
|
|
|
|
ssh_macs_66_default:
|
|
- hmac-sha2-512-etm@openssh.com
|
|
- hmac-sha2-256-etm@openssh.com
|
|
- umac-128-etm@openssh.com
|
|
- hmac-sha2-512
|
|
- hmac-sha2-256
|
|
|
|
ssh_macs_76_default:
|
|
- hmac-sha2-512-etm@openssh.com
|
|
- hmac-sha2-256-etm@openssh.com
|
|
- umac-128-etm@openssh.com
|
|
- hmac-sha2-512
|
|
- hmac-sha2-256
|
|
|
|
ssh_ciphers_53_default:
|
|
- aes256-ctr
|
|
- aes192-ctr
|
|
- aes128-ctr
|
|
|
|
ssh_ciphers_66_default:
|
|
- chacha20-poly1305@openssh.com
|
|
- aes256-gcm@openssh.com
|
|
- aes128-gcm@openssh.com
|
|
- aes256-ctr
|
|
- aes192-ctr
|
|
- aes128-ctr
|
|
|
|
ssh_kex_59_default:
|
|
- diffie-hellman-group-exchange-sha256
|
|
|
|
ssh_kex_66_default:
|
|
- curve25519-sha256@libssh.org
|
|
- diffie-hellman-group-exchange-sha256
|
|
|
|
ssh_kex_80_default:
|
|
- sntrup4591761x25519-sha512@tinyssh.org
|
|
- curve25519-sha256@libssh.org
|
|
- diffie-hellman-group-exchange-sha256
|
|
|
|
# directory where to store ssh_password policy
|
|
ssh_custom_selinux_dir: '/etc/selinux/local-policies'
|
|
|
|
sshd_moduli_file: '/etc/ssh/moduli'
|
|
sshd_moduli_minimum: 2048
|
|
|
|
# disable ChallengeResponseAuthentication
|
|
ssh_challengeresponseauthentication: false
|
|
|
|
# a list of public keys that are never accepted by the ssh server
|
|
ssh_server_revoked_keys: []
|
|
|
|
# Set to false to turn the role into a no-op. Useful when using
|
|
# the Ansible role dependency mechanism.
|
|
ssh_hardening_enabled: true
|
|
|
|
# Custom options for SSH client configuration file
|
|
ssh_custom_options: []
|
|
|
|
# Custom options for SSH daemon configuration file
|
|
sshd_custom_options: []
|
|
|
|
# Logging
|
|
sshd_syslog_facility: 'AUTH'
|
|
sshd_log_level: 'VERBOSE'
|
|
|
|
sshd_strict_modes: yes
|
|
|
|
# disable CRYPTO_POLICY to take settings from sshd configuration
|
|
# see: https://access.redhat.com/solutions/4410591
|
|
sshd_disable_crypto_policy: true
|