xoxys.sshd
Configure sshd server.
Table of contents
- Requirements
- Default Variables
- sshd_allow_agent_forwarding
- sshd_allow_groups
- sshd_allow_tcp_forwarding
- sshd_challenge_response_authentication
- sshd_ciphers
- sshd_client_alive_count_max
- sshd_client_alive_interval
- sshd_compression
- sshd_crypto_policy_enabled
- sshd_google_auth_enabled
- sshd_google_auth_exclude_group
- sshd_gssapi_authentication
- sshd_hostbased_authentication
- sshd_ignore_rhosts
- sshd_kex
- sshd_log_level
- sshd_login_grace_time
- sshd_macs
- sshd_max_auth_tries
- sshd_max_sessions
- sshd_max_startups
- sshd_moduli_minimum
- sshd_password_authentication
- sshd_permit_empty_passwords
- sshd_permit_root_login
- sshd_port
- sshd_protocol
- sshd_strict_modes
- sshd_tcp_keep_alive
- sshd_use_dns
- sshd_x11_forwarding
- Dependencies
- License
- Author
Requirements
- Minimum Ansible version: 2.10
Default Variables
sshd_allow_agent_forwarding
Default value
sshd_allow_agent_forwarding: no
sshd_allow_groups
Default value
sshd_allow_groups: []
sshd_allow_tcp_forwarding
Default value
sshd_allow_tcp_forwarding: yes
sshd_challenge_response_authentication
If you disable password authentication, you should also disable ChallengeResponseAuthentication.
Default value
sshd_challenge_response_authentication: no
sshd_ciphers
Default value
sshd_ciphers:
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr
sshd_client_alive_count_max
Default value
sshd_client_alive_count_max: 0
sshd_client_alive_interval
Default value
sshd_client_alive_interval: 900
sshd_compression
Default value
sshd_compression: delayed
sshd_crypto_policy_enabled
Default value
sshd_crypto_policy_enabled: true
sshd_google_auth_enabled
Google Authenticator requires ChallengeResponseAuthentication!
Default value
sshd_google_auth_enabled: false
sshd_google_auth_exclude_group
Exclude a group from 2FA auth
Default value
sshd_google_auth_exclude_group: _unset_
Example usage
sshd_google_auth_exclude_group: my_group
sshd_gssapi_authentication
Default value
sshd_gssapi_authentication: no
sshd_hostbased_authentication
Default value
sshd_hostbased_authentication: no
sshd_ignore_rhosts
Default value
sshd_ignore_rhosts: yes
sshd_kex
Default value
sshd_kex:
- curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha256
sshd_log_level
Default value
sshd_log_level: INFO
sshd_login_grace_time
Default value
sshd_login_grace_time: 60
sshd_macs
Default value
sshd_macs:
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- umac-128-etm@openssh.com
- hmac-sha2-512
- hmac-sha2-256
- umac-128@openssh.com
sshd_max_auth_tries
Default value
sshd_max_auth_tries: 6
sshd_max_sessions
Default value
sshd_max_sessions: 10
sshd_max_startups
Default value
sshd_max_startups: 10:30:60
sshd_moduli_minimum
Default value
sshd_moduli_minimum: 2048
sshd_password_authentication
Default value
sshd_password_authentication: no
sshd_permit_empty_passwords
Default value
sshd_permit_empty_passwords: no
sshd_permit_root_login
Default value
sshd_permit_root_login: yes
sshd_port
Default value
sshd_port: 22
sshd_protocol
Default value
sshd_protocol: 2
sshd_strict_modes
Default value
sshd_strict_modes: yes
sshd_tcp_keep_alive
Default value
sshd_tcp_keep_alive: yes
sshd_use_dns
Default value
sshd_use_dns: no
sshd_x11_forwarding
Default value
sshd_x11_forwarding: yes
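The notes on sshd_challenge_response_authentication and sshd_google_auth_enabled above depend on each other. The playbook below is an added example, not part of the role: it enables 2FA and asserts that the authentication variables are consistent before the role runs. The host group `bastion` and the group `svc-no-2fa` are constructed names, and the 2FA exception in the second assertion is this example's reading of the two notes.

```yaml
# Added example playbook (not shipped with the role).
# "bastion" and "svc-no-2fa" are constructed names.
- hosts: bastion
  become: true
  vars:
    sshd_password_authentication: no
    sshd_google_auth_enabled: true
    # Required by sshd_google_auth_enabled (see its description).
    sshd_challenge_response_authentication: yes
    # Members of this group are not prompted for a second factor.
    sshd_google_auth_exclude_group: svc-no-2fa

  pre_tasks:
    - name: Check that the sshd authentication variables are consistent
      ansible.builtin.assert:
        that:
          # Google Authenticator needs challenge-response authentication.
          - >-
            not (sshd_google_auth_enabled | bool)
            or (sshd_challenge_response_authentication | bool)
          # With password auth disabled, challenge-response stays off
          # unless 2FA is the reason it is on.
          - >-
            (sshd_password_authentication | bool)
            or (sshd_google_auth_enabled | bool)
            or not (sshd_challenge_response_authentication | bool)
        fail_msg: >-
          Inconsistent sshd variables: enable
          sshd_challenge_response_authentication when
          sshd_google_auth_enabled is true, and disable it when
          sshd_password_authentication is off and 2FA is not in use.
        success_msg: sshd authentication variables are consistent

  roles:
    - role: xoxys.sshd
```

With the role's documented defaults (all three variables off) both assertions pass; setting only sshd_google_auth_enabled: true fails the first one before any configuration is written.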
Dependencies
None.
License
MIT