xoxys.sshd/defaults/main.yml

55 lines
1.5 KiB
YAML
Raw Normal View History

2019-11-02 18:10:39 +00:00
---
sshd_protocol: 2
sshd_permit_root_login: 'yes'
sshd_permit_empty_passwords: 'no'
sshd_password_authentication: 'no'
sshd_gssapi_authentication: 'yes'
sshd_strict_modes: 'yes'
sshd_allow_groups: []
sshd_ignore_rhosts: 'yes'
sshd_hostbased_authentication: 'no'
sshd_client_alive_interval: 900
sshd_client_alive_count_max: 0
sshd_ciphers:
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr
sshd_kex:
- curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha256
sshd_moduli_minimum: 2048
sshd_macs:
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-ripemd160-etm@openssh.com
- umac-128-etm@openssh.com
- hmac-sha2-512
- hmac-sha2-256
- hmac-ripemd160
sshd_allow_agent_forwarding: 'no'
sshd_x11_forwarding: 'yes'
2019-11-02 18:10:39 +00:00
sshd_allow_tcp_forwarding: 'yes'
sshd_compression: delayed
sshd_log_level: INFO
sshd_max_auth_tries: 6
sshd_max_sessions: 10
sshd_tcp_keep_alive: 'yes'
sshd_use_dns: 'yes'
# @var sshd_challenge_response_authentication:description: >
2019-11-02 19:14:24 +00:00
# If you disable password auth you should disable
# ChallengeResponseAuth also.
2019-11-02 18:10:39 +00:00
# @end
sshd_challenge_response_authentication: 'no'
# @var sshd_google_auth_enabled:description: >
# Google Authenticator required ChallengeResponseAuth!
# @end
sshd_google_auth_enabled: False
# @var sshd_google_auth_exclude_group:description: Exclude a group from 2FA auth
# @var sshd_google_auth_exclude_group:example: $ "my_group"
# @var sshd_google_auth_exclude_group: $ "_unset_"