diff --git a/defaults/main.yml b/defaults/main.yml
index 9854bb5..b4444ad 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,5 +3,15 @@ rootpath: ''
 ssh:
 config_override:
+ Port: 22
 AuthorizedKeysFile: ".ssh/authorized_keys"
+ PermitRootLogin: "yes"
+ UseDNS: "no"
+ UsePam: "yes"
+ MaxAuthTries: 10
+ UsePrivilegeSeparation: sandbox
+ AuthenticationMethods: publickey
+ KexAlgorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+ Ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ MACs: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 user: {}
diff --git a/templates/ssh_sshd_config.j2 b/templates/ssh_sshd_config.j2
index 20adc8e..4756c7a 100644
--- a/templates/ssh_sshd_config.j2
+++ b/templates/ssh_sshd_config.j2
@@ -1,12 +1,6 @@
 # {{ ansible_managed }}
 # See the sshd_config(5) manpage for details
-# What ports, IPs and protocols we listen for
-Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
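Review bot: Moving every hardening keyword into the single `ssh.config_override` dict makes the hardening all-or-nothing: with Ansible's default `hash_behaviour=replace`, a playbook that sets `ssh.config_override` just to change `Port` replaces the whole dict, and `AuthenticationMethods publickey`, `KexAlgorithms`, `Ciphers` and `MACs` vanish from the rendered sshd_config, leaving sshd on its compiled-in defaults, password authentication included. Consider keeping the hardening in a separate role variable that the template merges with the user's dict via `combine()`, or at least add a comment above `config_override:` saying that overriding it replaces the full set of keywords. The new `KexAlgorithms` value is also wider than the `curve25519-sha256@libssh.org`-only line the template drops in this same commit — it adds the three NIST ECDH groups and `diffie-hellman-group-exchange-sha256` — so if that widening is not intended, keep the previous value. `UsePam: "yes"` lost the explanation it had in the template; `# needed to create home dirs with an ldap login` belongs above the key here.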
@@ -17,34 +11,11 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
-KexAlgorithms curve25519-sha256@libssh.org
-
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
-
-# KeyRegenerationInternal is halved from the default as a precaution (optional). 1800 seconds is 30 minutes.
-KeyRegenerationInterval 1800
-
-# Password based logins are disabled - only public key based logins are allowed.
-AuthenticationMethods publickey
-
 # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
 LogLevel VERBOSE
-PermitRootLogin yes
-UseDNS no
-
-# Use kernel sandbox mechanisms where possible in unprivilegied processes
-# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
-UsePrivilegeSeparation sandbox
-
-# We need sftp
-Subsystem sftp internal-sftp
-
-UsePam yes # needed to create home dirs with an ldap login
-
-MaxAuthTries 10
+# We need sftp and logging
+Subsystem sftp internal-sftp -f AUTH -l INFO
 {% for i in ssh.config_override|d({}) %}
 {{ i }} {{ ssh.config_override[i] }}
@@ -54,7 +25,7 @@ MaxAuthTries 10
 {% for i in ssh.user %}
 Match User {{ i }}
- {% for j in ssh.user[i]|d({}) %}
+{% for j in ssh.user[i]|d({}) %}
 {{ j }} {{ ssh.user[i][j] }}
- {% endfor %}
+{% endfor %}
 {% endfor %}
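Review bot: `LogLevel VERBOSE` and the new `Subsystem sftp internal-sftp -f AUTH -l INFO` line stay hardcoded above the `{% for i in ssh.config_override|d({}) %}` loop, and sshd_config(5) states that for most keywords the first obtained value is used, so a `LogLevel` entry in `ssh.config_override` is silently ignored and a `Subsystem` entry is, as far as I recall, rejected by sshd as a duplicate definition. Since this commit moves the other tunables into defaults/main.yml, `LogLevel` should follow them (keeping the audit-trail comment there), or the override loop should be rendered before the fixed keywords with a note such as `# Overrides come first: sshd keeps the first value it reads for a keyword`. Dropping `KeyRegenerationInterval` without a replacement default looks deliberate, since it only applied to protocol 1, but the commit could say so. The template continues past this hunk.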