initial commit

handlers/main.yml

@@ -0,0 +1,2 @@
+- name: restart sshd
+  service: name=sshd state=restarted

tasks/main.yml

@@ -0,0 +1,14 @@
+---
+  - name: copy sshd config
+    template:
+      src: ssh_sshd_config.j2
+      dest: /etc/ssh/sshd_config
+      owner: root
+      mode: 0644
+    notify:
+    - restart sshd
+#  - name: add ansible key
+#    authorized_key:
+#      user: root
+#      key: "{{ lookup('file', 'ansible-key.pub') }}"
+#      manage_dir: yes

templates/ssh_sshd_config.j2

@@ -0,0 +1,51 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+
+
+# Supported HostKey algorithms by order of preference.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# KeyRegenerationInternal is halved from the default as a precaution (optional). 1800 seconds is 30 minutes.
+KeyRegenerationInterval 1800
+
+# Password based logins are disabled - only public key based logins are allowed.
+AuthenticationMethods publickey
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
+
+# Root login should not be allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
+#
+# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
+# Additionally, only tools such as systemd and auditd record the process session id.
+# On other OSes, the user session id is not necessarily recorded at all kernel-side.
+# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
+PermitRootLogin yes # but we need it to login from dom0
+
+# Use kernel sandbox mechanisms where possible in unprivilegied processes
+# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
+UsePrivilegeSeparation sandbox
+
+# We need sftp
+Subsystem sftp internal-sftp
+
+# add special rules for users defined in host variables
+
+{% for i in sshuser %}
+Match User {{ i['user'] }}
+	AuthorizedKeysFile {{ i['AuthorizedKeysFile'] }}
+{% endfor %}