
xoxys.sshd

Build Status License: MIT

Configure sshd server.

Table of contents


Requirements

  • Minimum Ansible version: 2.10

Default Variables

sshd_allow_agent_forwarding

Default value

# Agent forwarding is off by default. A forwarded agent can be used by anyone
# with root on the server while the session lasts, so enable it only where it
# is needed. Presumably rendered as AllowAgentForwarding; confirm in the template.
sshd_allow_agent_forwarding: no

sshd_allow_groups

Default value

# Empty list by default. NOTE(review): presumably no AllowGroups restriction is
# written when the list is empty, so every account that can authenticate may
# log in. Confirm in the role's template.
sshd_allow_groups: []

sshd_allow_tcp_forwarding

Default value

# TCP forwarding is allowed by default, which lets authenticated users tunnel
# traffic through this host. Turning it off only helps for accounts that have
# no shell access, since shell users can run their own forwarders.
sshd_allow_tcp_forwarding: yes

sshd_challenge_response_authentication

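If you disable password authentication, you should also disable ChallengeResponseAuthentication. Otherwise keyboard-interactive authentication (typically backed by PAM) can still prompt for and accept a password.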

Default value

# Off by default. Newer OpenSSH releases call this option
# KbdInteractiveAuthentication and keep ChallengeResponseAuthentication only as
# a deprecated alias. NOTE(review): which keyword the role writes is not shown here.
sshd_challenge_response_authentication: no

sshd_ciphers

Default value

# AEAD ciphers (ChaCha20-Poly1305, AES-GCM) plus AES-CTR; the list contains no
# CBC, 3DES or RC4 entries.
# NOTE(review): chacha20-poly1305@openssh.com is affected by the SSH
# prefix-truncation ("Terrapin") weakness when either peer lacks strict key
# exchange support, so keep OpenSSH patched on hosts that use this list.
sshd_ciphers:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

sshd_client_alive_count_max

Default value

# NOTE(review): presumably rendered as ClientAliveCountMax. What 0 means depends
# on the OpenSSH version: older releases drop the session after the first
# ClientAliveInterval, while OpenSSH 8.2 and later treat 0 as "never terminate",
# which silently disables the idle timeout. Verify on the target hosts.
sshd_client_alive_count_max: 0

sshd_client_alive_interval

Default value

# Presumably ClientAliveInterval, i.e. 900 seconds (15 minutes) of silence before
# sshd probes the client. Whether an unanswered probe ends the session depends
# on sshd_client_alive_count_max.
sshd_client_alive_interval: 900

sshd_compression

Default value

# "delayed" enables compression only after the user has authenticated, which
# keeps the compression code out of the pre-authentication attack surface.
# Recent OpenSSH releases accept it as a legacy synonym for "yes".
sshd_compression: delayed

sshd_crypto_policy_enabled

Default value

# NOTE(review): this README does not say what the switch controls. If it refers
# to the distribution's system-wide crypto policy, confirm whether true lets
# that policy override sshd_ciphers, sshd_kex and sshd_macs or the reverse.
sshd_crypto_policy_enabled: true

sshd_google_auth_enabled

Google Authenticator requires ChallengeResponseAuthentication! Note that `sshd_challenge_response_authentication` defaults to `no`.

Default value

# Google Authenticator second factor is off by default. Per this README it
# needs ChallengeResponseAuthentication, whose role default is no.
sshd_google_auth_enabled: false

sshd_google_auth_exclude_group

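Exclude a group from 2FA authentication. Members of this group are not asked for a second factor, so keep its membership small and reviewed.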

Default value

# "_unset_" looks like a placeholder meaning no group is exempt from 2FA.
# TODO confirm against the role's template.
sshd_google_auth_exclude_group: _unset_

Example usage

# Example: members of my_group skip the second factor. Treat membership of
# that group as a privilege and audit it.
sshd_google_auth_exclude_group: my_group

sshd_gssapi_authentication

Default value

# GSSAPI (Kerberos) authentication is off by default; leave it off unless the
# host is joined to a Kerberos realm.
sshd_gssapi_authentication: no

sshd_hostbased_authentication

Default value

# Host-based authentication stays disabled, so a login is never accepted on the
# strength of the connecting client host alone.
sshd_hostbased_authentication: no

sshd_ignore_rhosts

Default value

# Presumably IgnoreRhosts: per-user ~/.rhosts and ~/.shosts files are ignored.
sshd_ignore_rhosts: yes

sshd_kex

Default value

# Only Curve25519 and SHA-256 group exchange are offered; no SHA-1 based key
# exchange is listed. Group exchange takes its primes from the moduli file, so
# its strength also depends on sshd_moduli_minimum.
sshd_kex:
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256

sshd_log_level

Default value

# INFO is also sshd's built-in default. VERBOSE additionally records the
# fingerprint of the key used for each login, which helps when auditing
# key-based access.
sshd_log_level: INFO

sshd_login_grace_time

Default value

# Presumably LoginGraceTime: seconds a connection may remain unauthenticated
# before sshd drops it.
sshd_login_grace_time: 60

sshd_macs

Default value

# Encrypt-then-MAC (-etm) variants are listed first, followed by plain SHA-2
# and UMAC-128 entries, presumably kept for clients without ETM support.
# No MD5, SHA-1 or 64-bit-tag MACs are listed.
sshd_macs:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - umac-128-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256
  - umac-128@openssh.com

sshd_max_auth_tries

Default value

# 6 is also the OpenSSH built-in default. Hardening baselines commonly use a
# lower value (for example 3 or 4) to limit guesses per connection.
sshd_max_auth_tries: 6

sshd_max_sessions

Default value

# Presumably MaxSessions: open sessions allowed per network connection.
# 10 matches the OpenSSH built-in default.
sshd_max_sessions: 10

sshd_max_startups

Default value

# Presumably MaxStartups in start:rate:full form: once 10 unauthenticated
# connections are pending, new ones are dropped with 30% probability, rising to
# 100% at 60. Quote the value when overriding it ("10:30:60"): YAML 1.1 loaders
# can read digits-and-colons scalars as base-60 integers.
sshd_max_startups: 10:30:60

sshd_moduli_minimum

Default value

# NOTE(review): presumably the smallest Diffie-Hellman group size in bits that
# the role keeps in the moduli file used by group exchange. 3072 bits or more
# is a common recommendation today; confirm how the role applies this value.
sshd_moduli_minimum: 2048

sshd_password_authentication

Default value

# Password logins are disabled by default. Make sure an authorized key (or
# another working method) is deployed before the role is applied, otherwise
# remote access is lost.
sshd_password_authentication: no

sshd_permit_empty_passwords

Default value

# Presumably PermitEmptyPasswords: accounts with an empty password cannot log in.
sshd_permit_empty_passwords: no

sshd_permit_root_login

Default value

# NOTE(review): direct root login is allowed by default. With the role's
# password authentication default (no), root can still log in with a key.
# Consider overriding this to no and using sudo from named accounts, or to
# "prohibit-password" if the role's template accepts a string here.
sshd_permit_root_login: yes

sshd_protocol

Default value

# SSH protocol 1 support has been removed from current OpenSSH and the
# Protocol keyword is deprecated there. NOTE(review): confirm whether the role
# still writes this to sshd_config on current releases.
sshd_protocol: 2

sshd_strict_modes

Default value

# Presumably StrictModes: sshd checks ownership and permissions of the user's
# home directory and key files before accepting a login.
sshd_strict_modes: yes

sshd_tcp_keep_alive

Default value

# TCP keepalives travel outside the encrypted channel and can be spoofed; the
# ClientAlive settings are the authenticated liveness check. Presumably
# rendered as TCPKeepAlive.
sshd_tcp_keep_alive: yes

sshd_use_dns

Default value

# No reverse DNS lookup of client addresses. As a consequence, host names in
# authorized_keys from= patterns and Match Host blocks do not match; use
# addresses there instead.
sshd_use_dns: no

sshd_x11_forwarding

Default value

# NOTE(review): X11 forwarding is on by default. Most servers do not need it
# and hardening baselines turn it off. Override to no unless it is required.
sshd_x11_forwarding: yes

Dependencies

None.

License

MIT

Author

Robert Kaussow