SSH

Secure Shell Daemon.

Ansible Role: sshd

Manage SSH.

None

Role Details: Updated: 2022-10-09 service docs PRIVATE

Defaults

---
###############################################################################
# SSHD Role Configuration
###############################################################################

# For configurations requiring non 4096 RSA keys.
sshd_disable_rsa_regeneration: false

###############################################################################
# SSHD ssh_config Configuration
###############################################################################
# Default SSH system configuration (secure)
# updated: 2021-03-17; /etc/ssh/ssh_config

ssh_host:                        '*'
ssh_forward_agent:               'no'
ssh_forward_x11:                 'no'
ssh_forward_x11_trusted:         'yes'
ssh_password_authentication:     'yes'
ssh_hostbased_authentication:    'no'
# default: yes
ssh_gssapi_authentication:       'no'
ssh_gssapi_delegate_credentials: 'no'
ssh_gssapi_key_exchange:         'no'
ssh_gssapi_trust_dns:            'no'
ssh_batch_mode:                  'no'
ssh_check_host_ip:               'yes'
ssh_address_family:              'any'
ssh_connect_timeout:             0
ssh_strict_host_key_checking:    'ask'

# DSA keys are considered insecure.
# Reference: https://security.stackexchange.com/questions/178958/what-are-the-differences-between-the-rsa-dsa-and-ecdsa-keys-that-ssh-uses
# default: removed dsa,ecdsa keys
ssh_identity_file:
  - '~/.ssh/id_rsa'
  - '~/.ssh/id_ed25519'
ssh_port:                 22
ssh_protocol:             2
ssh_ciphers:              'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc'
ssh_macs:                 'hmac-md5,hmac-sha1,umac-64@openssh.com'
ssh_escape_char:          '~'
ssh_tunnel:               'no'
ssh_tunnel_device:        'any:any'
ssh_permit_local_command: 'no'
ssh_visual_host_key:      'no'
# default: ssh -q -W %h:%p gateway.example.com
ssh_proxy_command:        ''
ssh_rekey_limit:          '1G 1h'
ssh_send_env:             'LANG LC_*'
ssh_hash_known_hosts:     'yes'

###############################################################################
# SSHD sshd_config Configuration
###############################################################################
# Default SSHD configuration (secure)
# updated: 2021-03-17; /usr/share/openssh/sshd_config

# KerberosGetAFSToken is unsupported, though listed in config example
# https://lists.debian.org/debian-ssh/2010/12/msg00009.html
sshd_port:                               22
sshd_protocol:                           2
sshd_address_family:                     'any'
sshd_listen_address:
  - '0.0.0.0'
  - '::'
# default: Removed dsa,ecdsa keys.
# DSA keys are considered insecure.
# Reference: https://security.stackexchange.com/questions/178958/what-are-the-differences-between-the-rsa-dsa-and-ecdsa-keys-that-ssh-uses
sshd_host_key:
  - '/etc/ssh/ssh_host_rsa_key'
  - '/etc/ssh/ssh_host_ed25519_key'
sshd_rekey_limit:                       'default none'
sshd_syslog_facility:                   'AUTH'
sshd_log_level:                         'INFO'
sshd_login_grace_time:                  '2m'
# default: prohibit-password
sshd_permit_root_login:                 'no'
sshd_strict_modes:                      'yes'
# default: 6
sshd_max_auth_tries:                    3
sshd_max_sessions:                      10
sshd_pubkey_authentication:             'yes'
# default: .ssh/authorized_keys .ssh/authorized_keys2
sshd_authorized_keys_file:              '.ssh/authorized_keys'
sshd_authorized_principals_file:        'none'
sshd_authorized_keys_command:           'none'
sshd_authorized_keys_command_user:      'nobody'
sshd_hostbased_authentication:          'no'
# default: 'no'
sshd_ignore_user_known_hosts:           'yes'
sshd_ignore_rhosts:                     'yes'
# default: 'yes'
sshd_password_authentication:           'no'
sshd_permit_empty_passwords:            'no'
sshd_challenge_response_authentication: 'no'
sshd_kerberos_authentication:           'no'
sshd_kerberos_or_local_passwd:          'yes'
sshd_kerberos_ticket_cleanup:           'yes'
sshd_kerberos_get_afs_token:            'no'
sshd_gssapi_authentication:             'no'
sshd_gssapi_cleanup_credentials:        'yes'
sshd_gssapi_strict_acceptor_check:      'yes'
sshd_gssapi_key_exchange:               'no'
sshd_use_pam:                           'yes'
# default: unspecified
sshd_stream_local_bind_unlink:          'no'
# default: 'yes'
sshd_allow_agent_forwarding:            'no'
sshd_allow_tcp_forwarding:              'yes'
sshd_gateway_ports:                     'no'
sshd_x11_forwarding:                    'yes'
sshd_x11_display_offset:                10
sshd_x11_use_local_host:                'yes'
sshd_permit_tty:                        'yes'
sshd_print_motd:                        'no'
sshd_print_last_log:                    'yes'
sshd_tcp_keep_alive:                    'yes'
sshd_permit_user_environment:           'no'
sshd_compression:                       'delayed'
sshd_client_alive_interval:             0
sshd_client_alive_count_max:            3
sshd_use_dns:                           'no'
sshd_pid_file:                          '/var/run/sshd.pid'
sshd_max_startups:                      '10:30:100'
sshd_permit_tunnel:                     'no'
sshd_chroot_directory:                  'none'
sshd_version_addendum:                  'none'
sshd_banner:                            'none'
sshd_accept_env:                        'LANG LC_*'
# default: sftp /usr/lib/openssh/sftp- server
sshd_subsystem:                         'sftp internal-sftp'
# default: 'no'allowed groups
sshd_allow_groups:                      'ssh'