diff --git a/defaults/main.yml b/defaults/main.yml
index 1f74fb4..4203fbf 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -50,7 +50,13 @@ common_scripts:
 - { dest: "/usr/local/bin/zombies", src: "scripts/zombies" }
 common_openssh: True
+common_openssh_ports: []
+common_openssh_host_keys: []
+common_openssh_listen_addresses: []
+common_openssh_permit_root_login: "no"
+common_openssh_password_authentication: "no"
 common_openssh_keys_root: []
+common_openssh_x11_forwarding: "no"
 common_aliases:
 - "mailer-daemon: postmaster"
diff --git a/tasks/openssh.yml b/tasks/openssh.yml
index a86aa1a..c17492f 100644
--- a/tasks/openssh.yml
+++ b/tasks/openssh.yml
@@ -7,7 +7,13 @@
   service: name=ssh state=started enabled=yes
 - name: openssh - config
-  template: dest=/etc/ssh/sshd_config src=sshd_config.j2 owner=root group=root mode=0600
+  template:
+    dest: /etc/ssh/sshd_config
+    src: sshd_config.j2
+    owner: root
+    group: root
+    mode: 0600
+    validate: '/usr/sbin/sshd -T -f %s'
   notify: reload openssh
 - name: openssh - root keys
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index 5148b1c..abcebf4 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
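Review bot: The new `common_openssh_permit_root_login: "no"` default sits a few lines above the existing `common_openssh_keys_root: []`, so with the defaults as shipped the role can install root keys that the rendered `PermitRootLogin no` then refuses; the old template used `without-password`. If pushing root keys is a supported use of this role, either default to `"without-password"` or say in a comment that the two variables have to be changed together. The quoting of `"no"` is deliberate and worth a comment, since an unquoted `no` in an inventory override becomes a YAML boolean that Jinja renders as `False`, which sshd rejects; `# keep quoted: sshd wants the literal strings yes/no, not a YAML boolean` above the three string defaults would cover it. The empty-list defaults could likewise carry `# [] leaves sshd's compiled-in default in effect` so a reader does not take a rendered file with no Port/HostKey lines for a bug.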
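Review bot: `mode: 0600` in the new block-style `template:` task is an unquoted octal literal, which the YAML 1.1 parser Ansible uses reads as the integer 384; that happens to round-trip correctly today, but the form is fragile (a value typed as `600` would silently become decimal 600) and is the case ansible-lint flags, so write `mode: "0600"`. The added `validate: '/usr/sbin/sshd -T -f %s'` is a good guard, since it rejects a rendered config sshd cannot parse before the live file is replaced; in my experience `-T` also needs loadable host keys on the target, so it can fail on a freshly provisioned host whose keys named in `common_openssh_host_keys` do not exist yet, which is worth a comment on that line. The enclosing task list continues outside the hunk.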
@@ -1,89 +1,20 @@
 # {{ ansible_managed }}
 # See the sshd_config(5) manpage for details
-# What ports, IPs and protocols we listen for
-Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
-
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin without-password
-StrictModes yes
-
-RSAAuthentication yes
-PubkeyAuthentication yes
-#AuthorizedKeysFile %h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
+{% for port in common_openssh_ports -%}
+Port {{ port }}
+{% endfor %}
+{% for address in common_openssh_listen_addresses -%}
+ListenAddress {{ address }}
+{% endfor %}
+{% for hostkey in common_openssh_host_keys %}
+HostKey /etc/ssh/ssh_host_{{ hostkey }}_key
+{% endfor %}
+PermitRootLogin {{ common_openssh_permit_root_login }}
 ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-PasswordAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding yes
-X11DisplayOffset 10
+PasswordAuthentication {{ common_openssh_password_authentication }}
+X11Forwarding {{ common_openssh_x11_forwarding }}
 PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
-
-Subsystem sftp {{ common_openssh_subsystem_sftp | default("/usr/lib/openssh/sftp-server") }}
-
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+Subsystem sftp /usr/lib/openssh/sftp-server
 UsePAM yes
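Review bot: The new `Subsystem sftp /usr/lib/openssh/sftp-server` line hard-codes the path and drops the `common_openssh_subsystem_sftp` override the old line honoured through `default(...)`, so any inventory that sets that variable is now silently ignored while every other directive in the file is being made configurable; restore `Subsystem sftp {{ common_openssh_subsystem_sftp | default("/usr/lib/openssh/sftp-server") }}`. Separately, the hardening directives that used to be explicit (`PermitEmptyPasswords no`, `HostbasedAuthentication no`, `IgnoreRhosts yes`, `StrictModes yes`) are now left to sshd's compiled-in defaults; those defaults agree as far as I know, but an explicit line is what an audit greps for and what survives a vendor build with different defaults, so consider keeping them. With the shipped empty `common_openssh_host_keys` the `HostKey` loop emits nothing and sshd falls back to its default key set, which is a change from the four keys the old template listed; a short comment above the loop, e.g. `{# empty list: sshd uses its built-in HostKey defaults #}`, would make that intentional to the next reader.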