# xoxys.sshd
[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.sshd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.sshd)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.sshd/src/branch/main/LICENSE)
Configure sshd server.
## Table of contents
- [Requirements](#requirements)
- [Default Variables](#default-variables)
  - [sshd_allow_agent_forwarding](#sshd_allow_agent_forwarding)
  - [sshd_allow_groups](#sshd_allow_groups)
  - [sshd_allow_tcp_forwarding](#sshd_allow_tcp_forwarding)
  - [sshd_challenge_response_authentication](#sshd_challenge_response_authentication)
  - [sshd_ciphers](#sshd_ciphers)
  - [sshd_client_alive_count_max](#sshd_client_alive_count_max)
  - [sshd_client_alive_interval](#sshd_client_alive_interval)
  - [sshd_compression](#sshd_compression)
  - [sshd_crypto_policy_enabled](#sshd_crypto_policy_enabled)
  - [sshd_google_auth_enabled](#sshd_google_auth_enabled)
  - [sshd_google_auth_exclude_group](#sshd_google_auth_exclude_group)
  - [sshd_gssapi_authentication](#sshd_gssapi_authentication)
  - [sshd_hostbased_authentication](#sshd_hostbased_authentication)
  - [sshd_ignore_rhosts](#sshd_ignore_rhosts)
  - [sshd_kex](#sshd_kex)
  - [sshd_log_level](#sshd_log_level)
  - [sshd_login_grace_time](#sshd_login_grace_time)
  - [sshd_macs](#sshd_macs)
  - [sshd_max_auth_tries](#sshd_max_auth_tries)
  - [sshd_max_sessions](#sshd_max_sessions)
  - [sshd_max_startups](#sshd_max_startups)
  - [sshd_moduli_minimum](#sshd_moduli_minimum)
  - [sshd_password_authentication](#sshd_password_authentication)
  - [sshd_permit_empty_passwords](#sshd_permit_empty_passwords)
  - [sshd_permit_root_login](#sshd_permit_root_login)
  - [sshd_port](#sshd_port)
  - [sshd_protocol](#sshd_protocol)
  - [sshd_strict_modes](#sshd_strict_modes)
  - [sshd_tcp_keep_alive](#sshd_tcp_keep_alive)
  - [sshd_use_dns](#sshd_use_dns)
  - [sshd_x11_forwarding](#sshd_x11_forwarding)
- [Dependencies](#dependencies)
- [License](#license)
- [Author](#author)
---
## Requirements
- Minimum Ansible version: `2.10`
## Default Variables
### sshd_allow_agent_forwarding
#### Default value
```YAML
sshd_allow_agent_forwarding: no
```
### sshd_allow_groups
#### Default value
```YAML
sshd_allow_groups: []
```
### sshd_allow_tcp_forwarding
#### Default value
```YAML
sshd_allow_tcp_forwarding: yes
```
### sshd_challenge_response_authentication
If you disable password authentication, you should also disable ChallengeResponseAuthentication.
#### Default value
```YAML
sshd_challenge_response_authentication: no
```
### sshd_ciphers
#### Default value
```YAML
sshd_ciphers:
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr
```
### sshd_client_alive_count_max
#### Default value
```YAML
sshd_client_alive_count_max: 0
```
### sshd_client_alive_interval
#### Default value
```YAML
sshd_client_alive_interval: 900
```
### sshd_compression
#### Default value
```YAML
sshd_compression: delayed
```
### sshd_crypto_policy_enabled
#### Default value
```YAML
sshd_crypto_policy_enabled: true
```
### sshd_google_auth_enabled
Google Authenticator requires ChallengeResponseAuthentication to be enabled.
#### Default value
```YAML
sshd_google_auth_enabled: false
```
### sshd_google_auth_exclude_group
Exclude a group from 2FA authentication.
#### Default value
```YAML
sshd_google_auth_exclude_group: _unset_
```
#### Example usage
```YAML
sshd_google_auth_exclude_group: my_group
```
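The following playbook is an added example, not part of the role's own documentation. It shows the Google Authenticator variables together with the challenge-response setting they depend on, plus a few defaults tightened for an internet-facing host. The host group `bastion` and the Unix groups `ssh-users` and `mfa-exempt` are assumed names.

```yaml
# Added example playbook; `bastion`, `ssh-users` and `mfa-exempt` are assumed names.
- hosts: bastion
  become: true
  roles:
    - role: xoxys.sshd
      vars:
        # Passwords stay off (this is already the role default).
        sshd_password_authentication: no
        # Google Authenticator requires challenge-response, so it is enabled
        # here even though password authentication is disabled.
        sshd_challenge_response_authentication: yes
        sshd_google_auth_enabled: true
        # Members of this group are excluded from 2FA.
        sshd_google_auth_exclude_group: mfa-exempt
        # Only members of this group may log in.
        sshd_allow_groups:
          - ssh-users
        # Tighten defaults that this role ships as `yes`.
        sshd_permit_root_login: no
        sshd_allow_tcp_forwarding: no
        sshd_x11_forwarding: no
```

Before applying this, confirm that the account Ansible connects with is a member of the allowed group and is not root, otherwise the run locks out its own access.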
### sshd_gssapi_authentication
#### Default value
```YAML
sshd_gssapi_authentication: no
```
### sshd_hostbased_authentication
#### Default value
```YAML
sshd_hostbased_authentication: no
```
### sshd_ignore_rhosts
#### Default value
```YAML
sshd_ignore_rhosts: yes
```
### sshd_kex
#### Default value
```YAML
sshd_kex:
- curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha256
```
### sshd_log_level
#### Default value
```YAML
sshd_log_level: INFO
```
### sshd_login_grace_time
#### Default value
```YAML
sshd_login_grace_time: 60
```
### sshd_macs
#### Default value
```YAML
sshd_macs:
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- umac-128-etm@openssh.com
- hmac-sha2-512
- hmac-sha2-256
- umac-128@openssh.com
```
### sshd_max_auth_tries
#### Default value
```YAML
sshd_max_auth_tries: 6
```
### sshd_max_sessions
#### Default value
```YAML
sshd_max_sessions: 10
```
### sshd_max_startups
#### Default value
```YAML
sshd_max_startups: 10:30:60
```
### sshd_moduli_minimum
#### Default value
```YAML
sshd_moduli_minimum: 2048
```
### sshd_password_authentication
#### Default value
```YAML
sshd_password_authentication: no
```
### sshd_permit_empty_passwords
#### Default value
```YAML
sshd_permit_empty_passwords: no
```
### sshd_permit_root_login
#### Default value
```YAML
sshd_permit_root_login: yes
```
### sshd_port
#### Default value
```YAML
sshd_port: 22
```
### sshd_protocol
#### Default value
```YAML
sshd_protocol: 2
```
### sshd_strict_modes
#### Default value
```YAML
sshd_strict_modes: yes
```
### sshd_tcp_keep_alive
#### Default value
```YAML
sshd_tcp_keep_alive: yes
```
### sshd_use_dns
#### Default value
```YAML
sshd_use_dns: no
```
### sshd_x11_forwarding
#### Default value
```YAML
sshd_x11_forwarding: yes
```
## Dependencies
None.
## License
MIT
## Author
[Robert Kaussow](https://gitea.rknet.org/xoxys)