public-health-ch/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml

# true if IPv6 is needed
network_ipv6_enable: false              # sshd + ssh

# true if sshd should be started and enabled
ssh_server_enabled: true               # sshd

# true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
ssh_use_dns: false                      # sshd

# true or value if compression is needed
ssh_compression: false                  # sshd

# For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.
ssh_client_hardening: true          # ssh
ssh_server_hardening: true          # sshd

# If true, password login is allowed
ssh_client_password_login: false          # ssh
ssh_server_password_login: false          # sshd

# ports on which ssh-server should listen
ssh_server_ports: ['22']      # sshd

# port to which ssh-client should connect
ssh_client_port: '22'         # ssh

# one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!
ssh_listen_to: ['0.0.0.0']    # sshd

# Host keys to look for when starting sshd.
ssh_host_key_files: []  # sshd

# Specifies the host key algorithms that the server offers
ssh_host_key_algorithms: []  # sshd

# Specifies  the  maximum  number  of authentication attempts permitted per connection.  Once the number of failures reaches half this value, additional failures are logged.
ssh_max_auth_retries: 2

ssh_client_alive_interval: 300          # sshd
ssh_client_alive_count: 3               # sshd

# Allow SSH Tunnels
ssh_permit_tunnel: false

# Hosts with custom options.            # ssh
# Example:
# ssh_remote_hosts:
#   - names: ['example.com', 'example2.com']
#     options: ['Port 2222', 'ForwardAgent yes']
#   - names: ['example3.com']
#     options: ['StrictHostKeyChecking no']
ssh_remote_hosts: []

# Set this to "without-password" or "yes" to allow root to login
ssh_permit_root_login: 'no'          # sshd

# false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
ssh_allow_tcp_forwarding: 'no'        # sshd

# false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.
# Set to 'clientspecified' to allow the client to specify which address to bind to.
ssh_gateway_ports: false                # sshd

# false to disable Agent Forwarding. Set to true to allow Agent Forwarding.
ssh_allow_agent_forwarding: false       # sshd

# true if SSH has PAM support
ssh_pam_support: true

# false to disable pam authentication.
ssh_use_pam: true # sshd

# specify AuthenticationMethods
sshd_authenticationmethods: 'publickey'

# true if SSH support GSSAPI
ssh_gssapi_support: false

# true if SSH support Kerberos
ssh_kerberos_support: true

# if specified, login is disallowed for user names that match one of the patterns.
ssh_deny_users: ''      # sshd

# if specified, login is allowed only for user names that match one of the patterns.
ssh_allow_users: ''      # sshd

# if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
ssh_deny_groups: ''      # sshd

# if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
ssh_allow_groups: ''      # sshd

# change default file that contains the public keys that can be used for user authentication.
ssh_authorized_keys_file: ''      # sshd

# specifies the file containing trusted certificate authorities public keys used to sign user certificates.
ssh_trusted_user_ca_keys_file: ''      # sshd

# set the trusted certificate authorities public keys used to sign user certificates.
# Example:
# ssh_trusted_user_ca_keys:
#   - 'ssh-rsa ... comment1'
#   - 'ssh-rsa ... comment2'
ssh_trusted_user_ca_keys: []      # sshd

# specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set.
# Example:
# ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
#
# %h is replaced by the home directory of the user being authenticated, and %u is
# replaced by the username of that user. After expansion, the path is taken to be
# an absolute path or one relative to the user's home directory.
#
ssh_authorized_principals_file: ''      # sshd

# list of hashes containing file paths and authorized principals. Only used if ssh_authorized_principals_file is set.
# Example:
# ssh_authorized_principals:
#   - { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }
#   - { path: '/etc/ssh/auth_principals/myuser', principals: [ 'masteradmin', 'webserver' ] }
ssh_authorized_principals: []      # sshd

# false to disable printing of the MOTD
ssh_print_motd: false      # sshd

# false to disable display of last login information
ssh_print_last_log: false    # sshd

# false to disable serving /etc/ssh/banner.txt before authentication is allowed
ssh_banner: false # sshd

# false to disable distribution version leakage during initial protocol handshake
ssh_print_debian_banner: false # sshd (Debian OS family only)

# true to enable sftp configuration
sftp_enabled: false

# false to disable sftp chroot
sftp_chroot: true

# sftp default umask
sftp_umask: 0027

# change default sftp chroot location
sftp_chroot_dir: /home/%u

# enable experimental client roaming
ssh_client_roaming: false

# list of hashes (containing user and rules) to generate Match User blocks for.
ssh_server_match_user: false            # sshd

# list of hashes (containing group and rules) to generate Match Group blocks for.
ssh_server_match_group: false           # sshd

# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.
ssh_server_match_address: false           # sshd

ssh_server_permit_environment_vars: 'no'
ssh_server_accept_env_vars : ''

# maximum number of concurrent unauthenticated connections to the SSH daemon
ssh_max_startups: '10:30:100'           # sshd

ssh_ps53: 'yes'
ssh_ps59: 'sandbox'

ssh_macs: []
ssh_ciphers: []
ssh_kex: []

ssh_macs_53_default:
  - hmac-ripemd160
  - hmac-sha1

ssh_macs_53_el_6_5_default:
  - hmac-sha2-512
  - hmac-sha2-256

ssh_macs_59_default:
  - hmac-sha2-512
  - hmac-sha2-256
  - hmac-ripemd160

ssh_macs_66_default:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - umac-128-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256

ssh_macs_76_default:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - umac-128-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256

ssh_ciphers_53_default:
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

ssh_ciphers_66_default:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

ssh_kex_59_default:
  - diffie-hellman-group-exchange-sha256

ssh_kex_66_default:
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256
  
ssh_kex_80_default:
  - sntrup4591761x25519-sha512@tinyssh.org
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256

# directory where to store ssh_password policy
ssh_custom_selinux_dir: '/etc/selinux/local-policies'

sshd_moduli_file: '/etc/ssh/moduli'
sshd_moduli_minimum: 2048

# disable ChallengeResponseAuthentication
ssh_challengeresponseauthentication: false

# a list of public keys that are never accepted by the ssh server
ssh_server_revoked_keys: []

# Set to false to turn the role into a no-op. Useful when using
# the Ansible role dependency mechanism.
ssh_hardening_enabled: true

# Custom options for SSH client configuration file
ssh_custom_options: []

# Custom options for SSH daemon configuration file
sshd_custom_options: []

# Logging
sshd_syslog_facility: 'AUTH'
sshd_log_level: 'VERBOSE'

sshd_strict_modes: yes