# xoxys.sshd

[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.sshd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.sshd)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.sshd/src/branch/main/LICENSE)

Configure sshd server.

## Table of contents

- [Requirements](#requirements)
- [Default Variables](#default-variables)
  - [sshd_allow_agent_forwarding](#sshd_allow_agent_forwarding)
  - [sshd_allow_groups](#sshd_allow_groups)
  - [sshd_allow_tcp_forwarding](#sshd_allow_tcp_forwarding)
  - [sshd_challenge_response_authentication](#sshd_challenge_response_authentication)
  - [sshd_ciphers](#sshd_ciphers)
  - [sshd_client_alive_count_max](#sshd_client_alive_count_max)
  - [sshd_client_alive_interval](#sshd_client_alive_interval)
  - [sshd_compression](#sshd_compression)
  - [sshd_crypto_policy_enabled](#sshd_crypto_policy_enabled)
  - [sshd_google_auth_enabled](#sshd_google_auth_enabled)
  - [sshd_google_auth_exclude_group](#sshd_google_auth_exclude_group)
  - [sshd_gssapi_authentication](#sshd_gssapi_authentication)
  - [sshd_hostbased_authentication](#sshd_hostbased_authentication)
  - [sshd_ignore_rhosts](#sshd_ignore_rhosts)
  - [sshd_kex](#sshd_kex)
  - [sshd_log_level](#sshd_log_level)
  - [sshd_login_grace_time](#sshd_login_grace_time)
  - [sshd_macs](#sshd_macs)
  - [sshd_max_auth_tries](#sshd_max_auth_tries)
  - [sshd_max_sessions](#sshd_max_sessions)
  - [sshd_max_startups](#sshd_max_startups)
  - [sshd_moduli_minimum](#sshd_moduli_minimum)
  - [sshd_password_authentication](#sshd_password_authentication)
  - [sshd_permit_empty_passwords](#sshd_permit_empty_passwords)
  - [sshd_permit_root_login](#sshd_permit_root_login)
  - [sshd_protocol](#sshd_protocol)
  - [sshd_strict_modes](#sshd_strict_modes)
  - [sshd_tcp_keep_alive](#sshd_tcp_keep_alive)
  - [sshd_use_dns](#sshd_use_dns)
  - [sshd_x11_forwarding](#sshd_x11_forwarding)
- [Dependencies](#dependencies)
- [License](#license)
- [Author](#author)

---

## Requirements

- Minimum Ansible version: `2.10`

## Default Variables

### sshd_allow_agent_forwarding

#### Default value

```YAML
sshd_allow_agent_forwarding: no
```

### sshd_allow_groups

#### Default value

```YAML
sshd_allow_groups: []
```

### sshd_allow_tcp_forwarding

#### Default value

```YAML
sshd_allow_tcp_forwarding: yes
```

### sshd_challenge_response_authentication

If you disable password auth, you should also disable ChallengeResponseAuth.

#### Default value

```YAML
sshd_challenge_response_authentication: no
```

### sshd_ciphers

#### Default value

```YAML
sshd_ciphers:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr
```

### sshd_client_alive_count_max

#### Default value

```YAML
sshd_client_alive_count_max: 0
```

### sshd_client_alive_interval

#### Default value

```YAML
sshd_client_alive_interval: 900
```

### sshd_compression

#### Default value

```YAML
sshd_compression: delayed
```

### sshd_crypto_policy_enabled

#### Default value

```YAML
sshd_crypto_policy_enabled: true
```

### sshd_google_auth_enabled

Google Authenticator requires ChallengeResponseAuth!

#### Default value

```YAML
sshd_google_auth_enabled: false
```

### sshd_google_auth_exclude_group

Exclude a group from 2FA auth.

#### Default value

```YAML
sshd_google_auth_exclude_group: _unset_
```

#### Example usage

```YAML
sshd_google_auth_exclude_group: my_group
```

### sshd_gssapi_authentication

#### Default value

```YAML
sshd_gssapi_authentication: no
```

### sshd_hostbased_authentication

#### Default value

```YAML
sshd_hostbased_authentication: no
```

### sshd_ignore_rhosts

#### Default value

```YAML
sshd_ignore_rhosts: yes
```

### sshd_kex

#### Default value

```YAML
sshd_kex:
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256
```

### sshd_log_level

#### Default value

```YAML
sshd_log_level: INFO
```

### sshd_login_grace_time

#### Default value

```YAML
sshd_login_grace_time: 60
```

### sshd_macs

#### Default value

```YAML
sshd_macs:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - umac-128-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256
  - umac-128@openssh.com
```

### sshd_max_auth_tries

#### Default value

```YAML
sshd_max_auth_tries: 6
```

### sshd_max_sessions

#### Default value

```YAML
sshd_max_sessions: 10
```

### sshd_max_startups

#### Default value

```YAML
sshd_max_startups: 10:30:60
```

### sshd_moduli_minimum

#### Default value

```YAML
sshd_moduli_minimum: 2048
```

### sshd_password_authentication

#### Default value

```YAML
sshd_password_authentication: no
```

### sshd_permit_empty_passwords

#### Default value

```YAML
sshd_permit_empty_passwords: no
```

### sshd_permit_root_login

#### Default value

```YAML
sshd_permit_root_login: yes
```

### sshd_protocol

#### Default value

```YAML
sshd_protocol: 2
```

### sshd_strict_modes

#### Default value

```YAML
sshd_strict_modes: yes
```

### sshd_tcp_keep_alive

#### Default value

```YAML
sshd_tcp_keep_alive: yes
```

### sshd_use_dns

#### Default value

```YAML
sshd_use_dns: no
```

### sshd_x11_forwarding

#### Default value

```YAML
sshd_x11_forwarding: yes
```

## Dependencies

None.

## License

MIT

## Author

[Robert Kaussow](https://gitea.rknet.org/xoxys)
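
## Example playbook

The playbook below is an added example, not part of the role's own documentation. It combines the notes under `sshd_challenge_response_authentication` and `sshd_google_auth_enabled` into a key-plus-2FA setup, overrides the permissive defaults for root login and X11 forwarding, and checks the variable combination before the role runs. The host group `bastion`, the group name `svc_accounts`, and the role being installed under the name `xoxys.sshd` are assumptions.

```yaml
# Added example: host group, group name and installed role name are assumptions.
- hosts: bastion
  become: true
  vars:
    # Passwords off; Google Authenticator on.
    sshd_password_authentication: no
    sshd_google_auth_enabled: true
    # Google Authenticator requires ChallengeResponseAuth, so it stays on here
    # even though password auth is disabled.
    sshd_challenge_response_authentication: yes
    # Hypothetical group of accounts that skip the 2FA prompt.
    sshd_google_auth_exclude_group: svc_accounts
    # Override the role defaults (both default to "yes").
    sshd_permit_root_login: no
    sshd_x11_forwarding: no

  pre_tasks:
    - name: 2FA must not be enabled without challenge-response auth
      ansible.builtin.assert:
        that:
          - "not (sshd_google_auth_enabled | bool) or (sshd_challenge_response_authentication | bool)"
        fail_msg: "sshd_google_auth_enabled needs sshd_challenge_response_authentication: yes"

    - name: Challenge-response auth should be off when neither passwords nor 2FA are used
      ansible.builtin.assert:
        that:
          - "(sshd_password_authentication | bool) or (sshd_google_auth_enabled | bool) or not (sshd_challenge_response_authentication | bool)"
        fail_msg: "Disable sshd_challenge_response_authentication when password auth and 2FA are both off"

  roles:
    - role: xoxys.sshd
```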