update...
This commit is contained in:
parent
01f489e90d
commit
4d0d3b0d69
@ -991,22 +991,37 @@ sshd_host_keys:
|
|||||||
- /etc/ssh/ssh_host_ecdsa_key
|
- /etc/ssh/ssh_host_ecdsa_key
|
||||||
- /etc/ssh/ssh_host_ed25519_key
|
- /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
|
sshd_max_startups: !!str "10:30:100"
|
||||||
|
|
||||||
|
sshd_max_auth_tries: 3
|
||||||
|
|
||||||
|
sshd_max_sessions: 10
|
||||||
|
|
||||||
# only for debian version <= 9
|
# only for debian version <= 9
|
||||||
#
|
#
|
||||||
sshd_use_privilege_separation: !!str "sandbox"
|
sshd_use_privilege_separation: !!str "sandbox"
|
||||||
|
|
||||||
sshd_permit_root_login: !!str "no"
|
sshd_permit_root_login: !!str "prohibit-password"
|
||||||
|
|
||||||
sshd_authorized_keys_file: ".ssh/authorized_keys .ssh/authorized_keys2"
|
sshd_authorized_keys_file: ".ssh/authorized_keys .ssh/authorized_keys2"
|
||||||
|
|
||||||
sshd_pubkey_authentication: !!str "yes"
|
sshd_pubkey_authentication: !!str "yes"
|
||||||
|
|
||||||
sshd_password_authentication: !!str "no"
|
sshd_password_authentication: !!str "yes"
|
||||||
|
|
||||||
sshd_use_pam: !!str "yes"
|
sshd_use_pam: !!str "yes"
|
||||||
|
|
||||||
|
#sshd_allowed_users:
|
||||||
|
# - chris
|
||||||
|
# - sysadm
|
||||||
|
sshd_allowed_users: {}
|
||||||
|
|
||||||
sshd_print_motd: !!str "no"
|
sshd_print_motd: !!str "no"
|
||||||
|
|
||||||
|
sshd_use_dns: !!str "no"
|
||||||
|
|
||||||
|
sshd_gateway_ports: !!str "no"
|
||||||
|
|
||||||
# sshd_kexalgorithms
|
# sshd_kexalgorithms
|
||||||
#
|
#
|
||||||
# Example:
|
# Example:
|
||||||
@ -1016,14 +1031,16 @@ sshd_print_motd: !!str "no"
|
|||||||
# - diffie-hellman-group14-sha1
|
# - diffie-hellman-group14-sha1
|
||||||
#
|
#
|
||||||
#sshd_kexalgorithms: {}
|
#sshd_kexalgorithms: {}
|
||||||
sshd_kexalgorithms:
|
sshd_hostkeyalgorithms:
|
||||||
- curve25519-sha256
|
- ssh-ed25519
|
||||||
- curve25519-sha256@libssh.org
|
- ssh-ed25519-cert-v01@openssh.com
|
||||||
- diffie-hellman-group16-sha512
|
- rsa-sha2-256
|
||||||
- diffie-hellman-group18-sha512
|
- rsa-sha2-512
|
||||||
- diffie-hellman-group-exchange-sha256
|
- rsa-sha2-256-cert-v01@openssh.com
|
||||||
|
- rsa-sha2-512-cert-v01@openssh.com
|
||||||
|
|
||||||
# sshd__ciphers
|
|
||||||
|
# sshd_kexalgorithms
|
||||||
#
|
#
|
||||||
# Example:
|
# Example:
|
||||||
# sshd_ciphers:
|
# sshd_ciphers:
|
||||||
@ -1045,24 +1062,6 @@ sshd_macs:
|
|||||||
- hmac-sha2-512-etm@openssh.com
|
- hmac-sha2-512-etm@openssh.com
|
||||||
- umac-128-etm@openssh.com
|
- umac-128-etm@openssh.com
|
||||||
|
|
||||||
#sshd_hostkeyalgorithms: {}
|
|
||||||
sshd_hostkeyalgorithms:
|
|
||||||
- ssh-ed25519
|
|
||||||
- ssh-ed25519-cert-v01@openssh.com
|
|
||||||
- ecdsa-sha2-nistp256
|
|
||||||
- ecdsa-sha2-nistp384
|
|
||||||
- ecdsa-sha2-nistp521
|
|
||||||
- rsa-sha2-256
|
|
||||||
- rsa-sha2-512
|
|
||||||
- rsa-sha2-256-cert-v01@openssh.com
|
|
||||||
- rsa-sha2-512-cert-v01@openssh.com
|
|
||||||
|
|
||||||
sshd_use_dns: !!str "no"
|
|
||||||
|
|
||||||
sshd_allowed_users: {}
|
|
||||||
|
|
||||||
sshd_gateway_ports: !!str "no"
|
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# vars used by roles/common/tasks/sudoers.yml
|
# vars used by roles/common/tasks/sudoers.yml
|
||||||
|
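Review bot: `sshd_password_authentication` flips from `"no"` to `"yes"` and `sshd_permit_root_login` from `"no"` to `"prohibit-password"` in the first hunk, so the role's shipped default now allows password logins for every non-root account; if this is meant for specific hosts, keep the default at `sshd_password_authentication: !!str "no"`, override it in host or group vars, and state the reason in the commit message. In the second hunk the `sshd_kexalgorithms:` list is replaced by `sshd_hostkeyalgorithms:` rather than moved, so unless it is defined elsewhere the set_fact task guarded by `sshd_kexalgorithms is defined` is skipped and the KexAlgorithms hardening is silently dropped. The `#sshd_kexalgorithms: {}` example comment now sits directly above the `sshd_hostkeyalgorithms:` key and the heading `# sshd_kexalgorithms` is placed above the `# sshd_ciphers:` example; both should be corrected to name the key they describe. The new host-key algorithm list also drops the `ecdsa-sha2-nistp*` entries while `sshd_host_keys` still lists `/etc/ssh/ssh_host_ecdsa_key`, so that key is loaded but never offered; either remove the key from the list or keep the entries.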
@ -10,31 +10,44 @@
|
|||||||
fact_sshd_kexalgorithms: "{{ sshd_kexalgorithms | join (',') }}"
|
fact_sshd_kexalgorithms: "{{ sshd_kexalgorithms | join (',') }}"
|
||||||
when:
|
when:
|
||||||
- sshd_kexalgorithms is defined and sshd_kexalgorithms | length > 0
|
- sshd_kexalgorithms is defined and sshd_kexalgorithms | length > 0
|
||||||
|
tags:
|
||||||
|
- sshd-config
|
||||||
|
|
||||||
- name: (sshd.yml) Set fact_sshd_ciphers (comma separated list)
|
- name: (sshd.yml) Set fact_sshd_ciphers (comma separated list)
|
||||||
set_fact:
|
set_fact:
|
||||||
fact_sshd_ciphers: "{{ sshd_ciphers | join (',') }}"
|
fact_sshd_ciphers: "{{ sshd_ciphers | join (',') }}"
|
||||||
when:
|
when:
|
||||||
- sshd_ciphers is defined and sshd_ciphers | length > 0
|
- sshd_ciphers is defined and sshd_ciphers | length > 0
|
||||||
|
tags:
|
||||||
|
- sshd-config
|
||||||
|
|
||||||
- name: (sshd.yml) Set fact_sshd_macs
|
- name: (sshd.yml) Set fact_sshd_macs
|
||||||
set_fact:
|
set_fact:
|
||||||
fact_sshd_macs: "{{ sshd_macs | join (',') }}"
|
fact_sshd_macs: "{{ sshd_macs | join (',') }}"
|
||||||
when:
|
when:
|
||||||
- sshd_macs is defined and sshd_macs | length > 0
|
- sshd_macs is defined and sshd_macs | length > 0
|
||||||
|
tags:
|
||||||
|
- sshd-config
|
||||||
|
|
||||||
- name: (sshd.yml) Set fact_sshd_hostkeyalgorithms (blank separated list)
|
- name: (sshd.yml) Set fact_sshd_hostkeyalgorithms (blank separated list)
|
||||||
set_fact:
|
set_fact:
|
||||||
fact_sshd_hostkeyalgorithms: "{{ sshd_hostkeyalgorithms | join (',') }}"
|
fact_sshd_hostkeyalgorithms: "{{ sshd_hostkeyalgorithms | join (',') }}"
|
||||||
when:
|
when:
|
||||||
- sshd_hostkeyalgorithms is defined and sshd_hostkeyalgorithms | length > 0
|
- sshd_hostkeyalgorithms is defined and sshd_hostkeyalgorithms | length > 0
|
||||||
|
tags:
|
||||||
|
- sshd-config
|
||||||
|
|
||||||
- name: (sshd.yml) Set fact_sshd_allowed_users (blank separated list)
|
- name: (sshd.yml) Set fact_sshd_allowed_users (blank separated list)
|
||||||
set_fact:
|
set_fact:
|
||||||
fact_sshd_allowed_users: "{{ sshd_allowed_users | join (' ') }}"
|
fact_sshd_allowed_users: "{{ sshd_allowed_users | join (' ') }}"
|
||||||
when:
|
when:
|
||||||
- sshd_allowed_users is defined and sshd_allowed_users | length > 0
|
- sshd_allowed_users is defined and sshd_allowed_users | length > 0
|
||||||
|
tags:
|
||||||
|
- sshd-config
|
||||||
|
|
||||||
|
# ---
|
||||||
|
# Create new sshd_config
|
||||||
|
# ---
|
||||||
|
|
||||||
- name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
|
- name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
|
||||||
stat:
|
stat:
|
||||||
@ -49,6 +62,23 @@
|
|||||||
tags:
|
tags:
|
||||||
- sshd-config
|
- sshd-config
|
||||||
|
|
||||||
|
|
||||||
|
- name: (sshd.yml) Create new sshd_config from template sshd_config.j2
|
||||||
|
template:
|
||||||
|
src: etc/ssh/sshd_config.j2
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
validate: 'sshd -f %s -T'
|
||||||
|
#backup: yes
|
||||||
|
notify: "Restart ssh"
|
||||||
|
when:
|
||||||
|
- ansible_facts['distribution'] == "Ubuntu"
|
||||||
|
tags:
|
||||||
|
- sshd-config
|
||||||
|
|
||||||
|
|
||||||
- name: (sshd.yml) Create/Update new sshd_config from template sshd_config.j2
|
- name: (sshd.yml) Create/Update new sshd_config from template sshd_config.j2
|
||||||
template:
|
template:
|
||||||
src: etc/ssh/sshd_config.j2
|
src: etc/ssh/sshd_config.j2
|
||||||
@ -59,7 +89,7 @@
|
|||||||
validate: 'sshd -f %s -T'
|
validate: 'sshd -f %s -T'
|
||||||
notify: "Restart ssh"
|
notify: "Restart ssh"
|
||||||
when:
|
when:
|
||||||
- create_sftp_group is defined and not create_sftp_group
|
- create_sftp_group is undefined or create_sftp_group is defined and not create_sftp_group
|
||||||
- ansible_facts['distribution'] == "Debian"
|
- ansible_facts['distribution'] == "Debian"
|
||||||
- ansible_facts['distribution_major_version'] <= "10"
|
- ansible_facts['distribution_major_version'] <= "10"
|
||||||
tags:
|
tags:
|
||||||
@ -81,6 +111,7 @@
|
|||||||
tags:
|
tags:
|
||||||
- sshd-config
|
- sshd-config
|
||||||
|
|
||||||
|
|
||||||
- name: (sshd.yml) Check if sshd_config contains activ parameter 'Subsystem sftp'..
|
- name: (sshd.yml) Check if sshd_config contains activ parameter 'Subsystem sftp'..
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: /etc/ssh/sshd_config
|
||||||
@ -118,4 +149,3 @@
|
|||||||
- ansible_facts['distribution_major_version'] > "10"
|
- ansible_facts['distribution_major_version'] > "10"
|
||||||
tags:
|
tags:
|
||||||
- sshd-config
|
- sshd-config
|
||||||
|
|
||||||
|
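Review bot: The new Ubuntu task `Create new sshd_config from template sshd_config.j2` in the third hunk writes `/etc/ssh/sshd_config` whenever the distribution is Ubuntu, without the `create_sftp_group` guard that the Debian task directly below it carries, so on Ubuntu hosts with `create_sftp_group` set the template presumably overwrites whatever the sftp-specific task writes; add `- create_sftp_group is undefined or not create_sftp_group` to its `when:` list so the two tasks agree. `mode: 0644` is an unquoted octal literal that YAML 1.1 parsers read as the integer 420; write it as `mode: "0644"` as ansible-lint recommends. The rewritten condition in the next hunk, `create_sftp_group is undefined or create_sftp_group is defined and not create_sftp_group`, relies on `and` binding tighter than `or`; `create_sftp_group is undefined or not create_sftp_group` says the same thing without the precedence question. The adjacent context line `ansible_facts['distribution_major_version'] <= "10"` compares strings lexicographically, so `"9" <= "10"` is false and a Debian 9 host would skip this task while matching the `> "10"` branch in the last hunk; this predates the commit, but `ansible_facts['distribution_major_version'] | int <= 10` (and `| int > 10`) would fix it.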