From 762e38586e40671bb2b1643ab06f3e37f79fcef3 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Thu, 25 Jan 2024 11:19:46 +0100
Subject: [PATCH] update..

---
 group_vars/all/main.yml | 2 +-
 roles/common/templates/etc/ssh/sshd_config.j2 | 79 +++++++++----------
 2 files changed, 39 insertions(+), 42 deletions(-)

diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 332c06f..10b41d6 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -2052,7 +2052,7 @@ sshd_host_keys:
 sshd_max_startups: !!str "10:30:100"
-sshd_max_auth_tries: 3
+sshd_max_auth_tries: 6
 sshd_max_sessions: 10
diff --git a/roles/common/templates/etc/ssh/sshd_config.j2 b/roles/common/templates/etc/ssh/sshd_config.j2
index 3bc120d..2b85304 100644
--- a/roles/common/templates/etc/ssh/sshd_config.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.j2
@@ -1,8 +1,4 @@
-# *** ---------------------------------------------- ***
-# *** ***
 # {{ ansible_managed }}
-# *** ***
-# *** ---------------------------------------------- ***
 #-----------------------------
 # Daemon
@@ -56,18 +52,19 @@ HostKey {{ item }}
 # to the SSH daemon. See sshd_config(5) for specifiing the three colon
 # separated values.
 # The default is 10.
+#MaxStartups 10:30:100
 #MaxStartups 3
-MaxStartups 10:30:100
+MaxStartups {{ sshd_max_startups }}
 # Specifies the maximum number of authentication attempts permitted per
 # connection.
 # The default is 6.
-MaxAuthTries 3
+MaxAuthTries {{ sshd_max_auth_tries }}
 # Specifies the maximum number of open sessions permitted per network
 # connection.
 # The default is 10.
-MaxSessions 10
+MaxSessions {{ sshd_max_sessions }}
 #-----------------------------
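Review bot: Raising `sshd_max_auth_tries` from 3 to 6 puts the variable back at the OpenSSH default (the template comment changed in this same patch states `The default is 6.` for MaxAuthTries), so the setting no longer reduces the per-connection guessing budget, and the commit message `update..` gives no reason. If the motivation is legitimate clients being cut off — for example agents that offer several public keys, each of which counts toward the limit — record that above the key, `# 6 = OpenSSH default; raised from 3 because clients offering several keys hit the limit`, and consider keeping the lower value on hosts where a single key is expected. Without such a note the next reader cannot tell a deliberate relaxation from an accidental revert.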
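Review bot: MaxStartups, MaxAuthTries and MaxSessions are now rendered straight from `sshd_max_startups`, `sshd_max_auth_tries` and `sshd_max_sessions` with no guard, so an empty or mistyped value yields a line sshd is likely to reject and the daemon fails to reload; unless the task that writes this template already passes `validate: /usr/sbin/sshd -t -f %s` (not visible here), that check is worth adding. The commented lines `#MaxStartups 10:30:100` and `#MaxStartups 3` now duplicate values that live in group_vars and will go stale; a single comment such as `# values come from sshd_max_* in group_vars/all/main.yml` would be clearer. The hunk's trailing context after `#-----------------------------` appears cut off in this view.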
@@ -218,7 +215,7 @@ UsePAM {{ sshd_use_pam }} # pended to the default set instead of replacing them. If the specified value begins with a ‘-’ charac‐ # ter, then the specified methods (including wildcards) will be removed from the default set instead of # replacing them. The supported algorithms are: -# +# # curve25519-sha256 # curve25519-sha256@libssh.org # diffie-hellman-group1-sha1 @@ -231,15 +228,15 @@ UsePAM {{ sshd_use_pam }} # ecdh-sha2-nistp256 # ecdh-sha2-nistp384 # ecdh-sha2-nistp521 -# +# # The default is: -# +# # curve25519-sha256,curve25519-sha256@libssh.org, # ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, # diffie-hellman-group-exchange-sha256, # diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, # diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 -# +# # The list of available key exchange algorithms may also be obtained using "ssh -Q kex". # {% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %} @@ -254,9 +251,9 @@ KexAlgorithms {{ fact_sshd_kexalgorithms }} # with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replac‐ # ing them. If the specified value begins with a ‘-’ character, then the specified ciphers (including # wildcards) will be removed from the default set instead of replacing them. -# +# # The supported ciphers are: -# +# # 3des-cbc # aes128-cbc # aes192-cbc @@ -267,15 +264,15 @@ KexAlgorithms {{ fact_sshd_kexalgorithms }} # aes128-gcm@openssh.com # aes256-gcm@openssh.com # chacha20-poly1305@openssh.com -# +# # The default is: -# +# # chacha20-poly1305@openssh.com, # aes128-ctr,aes192-ctr,aes256-ctr, # aes128-gcm@openssh.com,aes256-gcm@openssh.com -# +# # The list of available ciphers may also be obtained using "ssh -Q cipher". -# +# {% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %} Ciphers {{ fact_sshd_ciphers }} {% else %} 
@@ -289,10 +286,10 @@ Ciphers {{ fact_sshd_ciphers }} # with a ‘+’ character, then the specified algorithms will be appended to the default set instead of re‐ # placing them. If the specified value begins with a ‘-’ character, then the specified algorithms (in‐ # cluding wildcards) will be removed from the default set instead of replacing them. -# +# # The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac). These are # considered safer and their use recommended. The supported MACs are: -# +# # hmac-md5 # hmac-md5-96 # hmac-sha1 @@ -309,17 +306,17 @@ Ciphers {{ fact_sshd_ciphers }} # hmac-sha2-512-etm@openssh.com # umac-64-etm@openssh.com # umac-128-etm@openssh.com -# +# # The default is: -# +# # umac-64-etm@openssh.com,umac-128-etm@openssh.com, # hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, # hmac-sha1-etm@openssh.com, # umac-64@openssh.com,umac-128@openssh.com, # hmac-sha2-256,hmac-sha2-512,hmac-sha1 -# +# # The list of available MAC algorithms may also be obtained using "ssh -Q mac". -# +# {% if (fact_sshd_macs is defined) and fact_sshd_macs %} MACs {{ fact_sshd_macs }} {% else %} @@ -329,7 +326,7 @@ MACs {{ fact_sshd_macs }} # HostKeyAlgorithms # # Specifies the host key algorithms that the server offers. The default for this option is: -# +# # ecdsa-sha2-nistp256-cert-v01@openssh.com, # ecdsa-sha2-nistp384-cert-v01@openssh.com, # ecdsa-sha2-nistp521-cert-v01@openssh.com, @@ -338,7 +335,7 @@ MACs {{ fact_sshd_macs }} # ssh-rsa-cert-v01@openssh.com, # ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, # ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa -# +# # The list of available key types may also be obtained using "ssh -Q key". {% if (fact_sshd_hostkeyalgorithms is defined) and fact_sshd_hostkeyalgorithms %} HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }} 
@@ -388,7 +385,7 @@ AcceptEnv LANG LC_*
 # Configures an external subsystem (e.g. file transfer daemon).
 # By default no subsystems are defined.
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 11 %}
 {% if sshd_config_sftp.found|int == 0 %}
 Subsystem sftp /usr/lib/openssh/sftp-server
 {% else %}
@@ -398,10 +395,10 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 Subsystem sftp /usr/lib/openssh/sftp-server
 {% endif %}
-# Specifies whether sshd(8) should look up the remote host name and check
-# that the resolved host name for the remote IP address maps back to the
+# Specifies whether sshd(8) should look up the remote host name and check
+# that the resolved host name for the remote IP address maps back to the
 # very same IP address.
-# The default is “yes”.
+# The default is 'yes'.
 UseDNS {{ sshd_use_dns }}
 # Specifies whether X11 forwarding is permitted. The argument must be
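Review bot: The new condition `ansible_facts['distribution'] == "Debian" and ...` silently changes behaviour for every non-Debian host (Ubuntu major versions are all >= 11 and previously took this branch), and nothing in the template records that this is intended; a Jinja comment above it, `{# only Debian >= 11 probes for the sftp-server location #}`, would make the intent reviewable. Note also that Jinja's `int` filter yields 0 when the fact is not numeric, which some Debian testing/sid systems report for `distribution_major_version`, so those hosts would fall through to the else branch; if that matters, handle the non-numeric case explicitly. The outer `{% if %}` block's else branch and `{% endif %}` continue outside this hunk.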
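Review bot: The quote normalisation is incomplete: this hunk rewrites `“yes”` as `'yes'` and the TCPKeepAlive hunk does the same for `“ghost”`, but the unchanged context lines `# The default is “yes” (to send TCP keepalive messages)` and `# The default is “yes”.` in the two following hunks keep the typographic quotes, as do the ‘+’ / ‘-’ characters in the KexAlgorithms, Ciphers and MACs comments. Either normalise all of them in one pass or leave them as copied from sshd_config(5); a mixed file only invites another whitespace-style commit.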
@@ -414,12 +411,12 @@ UseDNS {{ sshd_use_dns }}
 # The default is 10.
 X11DisplayOffset 10
-# Specifies whether the system should send TCP keepalive messages to the
-# other side. If they are sent, death of the connection or crash of one
+# Specifies whether the system should send TCP keepalive messages to the
+# other side. If they are sent, death of the connection or crash of one
 # of the machines will be properly noticed. However, this means
-# that connections will die if the route is down temporarily, and some
-# people find it annoying. On the other hand, if TCP keepalives are not
-# sent, sessions may hang indefinitely on the server, leaving “ghost” users
+# that connections will die if the route is down temporarily, and some
+# people find it annoying. On the other hand, if TCP keepalives are not
+# sent, sessions may hang indefinitely on the server, leaving 'ghost' users
 # and consuming server resources.
 #
 # The default is “yes” (to send TCP keepalive messages), and the server
@@ -432,14 +429,14 @@ TCPKeepAlive yes
 # The default is “yes”.
 PrintLastLog yes
-# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
-# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
-# other remote hosts from connecting to forwarded ports.
+# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
+# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
+# other remote hosts from connecting to forwarded ports.
 #
-# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
-# bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be
-# no to force remote port forwardings to be available to the local host only, yes to force
-# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
+# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
+# bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be
+# no to force remote port forwardings to be available to the local host only, yes to force
+# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
 # client to select the address to which the forwarding is bound. The default is no.
 GatewayPorts {{ sshd_gateway_ports }}