SSH
Secure Shell Daemon.
Ansible Role: sshd
Defaults
---
###############################################################################
# SSHD Role Configuration
###############################################################################
# For configurations requiring non 4096 RSA keys.
sshd_disable_rsa_regeneration: false
###############################################################################
# SSHD ssh_config Configuration
###############################################################################
# Default SSH system configuration (secure)
# updated: 2021-03-17; /etc/ssh/ssh_config
ssh_host: '*'
ssh_forward_agent: 'no'
ssh_forward_x11: 'no'
ssh_forward_x11_trusted: 'yes'
ssh_password_authentication: 'yes'
ssh_hostbased_authentication: 'no'
# default: yes
ssh_gssapi_authentication: 'no'
ssh_gssapi_delegate_credentials: 'no'
ssh_gssapi_key_exchange: 'no'
ssh_gssapi_trust_dns: 'no'
ssh_batch_mode: 'no'
ssh_check_host_ip: 'yes'
ssh_address_family: 'any'
ssh_connect_timeout: 0
ssh_strict_host_key_checking: 'ask'
# DSA keys are considered insecure.
# Reference: https://security.stackexchange.com/questions/178958/what-are-the-differences-between-the-rsa-dsa-and-ecdsa-keys-that-ssh-uses
# default: removed dsa,ecdsa keys
ssh_identity_file:
- '~/.ssh/id_rsa'
- '~/.ssh/id_ed25519'
ssh_port: 22
ssh_protocol: 2
ssh_ciphers: 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc'
ssh_macs: 'hmac-md5,hmac-sha1,umac-64@openssh.com'
ssh_escape_char: '~'
ssh_tunnel: 'no'
ssh_tunnel_device: 'any:any'
ssh_permit_local_command: 'no'
ssh_visual_host_key: 'no'
# default: ssh -q -W %h:%p gateway.example.com
ssh_proxy_command: ''
ssh_rekey_limit: '1G 1h'
ssh_send_env: 'LANG LC_*'
ssh_hash_known_hosts: 'yes'
###############################################################################
# SSHD sshd_config Configuration
###############################################################################
# Default SSHD configuration (secure)
# updated: 2021-03-17; /usr/share/openssh/sshd_config
# KerberosGetAFSToken is unsupported, though listed in config example
# https://lists.debian.org/debian-ssh/2010/12/msg00009.html
sshd_port: 22
sshd_protocol: 2
sshd_address_family: 'any'
sshd_listen_address:
- '0.0.0.0'
- '::'
# default: Removed dsa,ecdsa keys.
# DSA keys are considered insecure.
# Reference: https://security.stackexchange.com/questions/178958/what-are-the-differences-between-the-rsa-dsa-and-ecdsa-keys-that-ssh-uses
sshd_host_key:
- '/etc/ssh/ssh_host_rsa_key'
- '/etc/ssh/ssh_host_ed25519_key'
sshd_rekey_limit: 'default none'
sshd_syslog_facility: 'AUTH'
sshd_log_level: 'INFO'
sshd_login_grace_time: '2m'
# default: prohibit-password
sshd_permit_root_login: 'no'
sshd_strict_modes: 'yes'
# default: 6
sshd_max_auth_tries: 3
sshd_max_sessions: 10
sshd_pubkey_authentication: 'yes'
# default: .ssh/authorized_keys .ssh/authorized_keys2
sshd_authorized_keys_file: '.ssh/authorized_keys'
sshd_authorized_principals_file: 'none'
sshd_authorized_keys_command: 'none'
sshd_authorized_keys_command_user: 'nobody'
sshd_hostbased_authentication: 'no'
# default: 'no'
sshd_ignore_user_known_hosts: 'yes'
sshd_ignore_rhosts: 'yes'
# default: 'yes'
sshd_password_authentication: 'no'
sshd_permit_empty_passwords: 'no'
sshd_challenge_response_authentication: 'no'
sshd_kerberos_authentication: 'no'
sshd_kerberos_or_local_passwd: 'yes'
sshd_kerberos_ticket_cleanup: 'yes'
sshd_kerberos_get_afs_token: 'no'
sshd_gssapi_authentication: 'no'
sshd_gssapi_cleanup_credentials: 'yes'
sshd_gssapi_strict_acceptor_check: 'yes'
sshd_gssapi_key_exchange: 'no'
sshd_use_pam: 'yes'
# default: unspecified
sshd_stream_local_bind_unlink: 'no'
# default: 'yes'
sshd_allow_agent_forwarding: 'no'
sshd_allow_tcp_forwarding: 'yes'
sshd_gateway_ports: 'no'
sshd_x11_forwarding: 'yes'
sshd_x11_display_offset: 10
sshd_x11_use_local_host: 'yes'
sshd_permit_tty: 'yes'
sshd_print_motd: 'no'
sshd_print_last_log: 'yes'
sshd_tcp_keep_alive: 'yes'
sshd_permit_user_environment: 'no'
sshd_compression: 'delayed'
sshd_client_alive_interval: 0
sshd_client_alive_count_max: 3
sshd_use_dns: 'no'
sshd_pid_file: '/var/run/sshd.pid'
sshd_max_startups: '10:30:100'
sshd_permit_tunnel: 'no'
sshd_chroot_directory: 'none'
sshd_version_addendum: 'none'
sshd_banner: 'none'
sshd_accept_env: 'LANG LC_*'
# default: sftp /usr/lib/openssh/sftp- server
sshd_subsystem: 'sftp internal-sftp'
# default: 'no'allowed groups
sshd_allow_groups: 'ssh'