├── .gitignore ├── LICENSE ├── README.md ├── files └── sshd_config ├── handlers └── main.yml ├── meta └── main.yml └── tasks └── main.yml /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | ._* 3 | .ideas 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2014 Servers For Hackers 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ansible-ssh 2 | =========== 3 | 4 | Ansible Role for SSH 5 | 6 | > This depends on the [user role](https://github.com/Servers-for-Hackers/ansible-user-example) which creates the system users. 
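Before applying this role, make sure `openssh-server` is already installed (the tasks only
copy a config and restart the `ssh` service) and that the `sudo` and `ssh` groups exist on
the host: the shipped `sshd_config` uses `AllowGroups sudo ssh`, so any account outside
those groups — including yours — is refused. Keep an out-of-band console available the
first time you roll it out.
--------------------------------------------------------------------------------
/files/sshd_config:
--------------------------------------------------------------------------------
# sshd_config installed by the ansible-ssh role (Debian/Ubuntu layout).
# Policy: protocol 2 only, key-based login only, no root login, and only
# members of the allow-listed groups may authenticate at all.

Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2

# Host keys offered to clients. The DSA key is deliberately omitted: DSA is
# fixed at 1024 bits and current OpenSSH disables it by default, so listing
# it only adds a weak key for a client to negotiate down to.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Privilege separation is on. Newer OpenSSH releases always enable it and
# only emit a deprecation warning for this line; it is kept for older hosts.
UsePrivilegeSeparation yes

# Protocol-1-only options (KeyRegenerationInterval, ServerKeyBits,
# RSAAuthentication, RhostsRSAAuthentication) are intentionally left out:
# they have no effect with Protocol 2 and current OpenSSH warns about them.

# Logging. VERBOSE additionally records the fingerprint of the public key
# used for each login, which is what you need when tracing who used a
# shared account during an investigation.
SyslogFacility AUTH
LogLevel VERBOSE

# Authentication
# Unauthenticated connections are dropped after 60s (down from 120s) to
# limit how long a connection-flood can hold a slot open.
LoginGraceTime 60
PermitRootLogin no
StrictModes yes

PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Host-based trust is off; it would make every allowed host's key a login
# credential for this one.
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for host-based auth
#IgnoreUserKnownHosts yes

# Every password-shaped path is closed: keys only. PermitEmptyPasswords is
# explicit so a later "PasswordAuthentication yes" cannot reopen it.
PermitEmptyPasswords no
# Challenge-response is also a PAM password path (see UsePAM below); keep it
# off or PAM can authenticate with a password despite the line after it.
ChallengeResponseAuthentication no
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# A server role has no use for X11 forwarding, and with it enabled a
# compromised host can reach the X display of every client that forwards.
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
# Server-side liveness checks over the encrypted channel; TCPKeepAlive alone
# is unauthenticated and spoofable. Dead/idle sessions are dropped after
# 2 x 300s. Raise the interval if users legitimately leave sessions idle.
ClientAliveInterval 300
ClientAliveCountMax 2
#UseLogin no

# Cap concurrent unauthenticated connections (start/rate/full) so a
# connection flood cannot exhaust sshd before anyone authenticates.
MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Login allow-list: accounts outside these groups are refused even with a
# valid key. The groups must exist before this file is installed — the
# dependent "user" role is expected to create them; verify that on new hosts.
AllowGroups sudo ssh

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# "ssh" is the Debian/Ubuntu service name for the OpenSSH daemon. Established
# sessions are served by already-forked children, so restarting the listener
# does not drop the session the play itself is running over.
- name: Restart SSHD
  service:
    name: ssh
    state: restarted
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
---
# The "user" role is expected to create the accounts and groups that
# sshd_config's AllowGroups line refers to; without it nobody can log in.
dependencies:
  - { role: user }
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: Set SSHD Configuration
  copy:
    src: sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    # Was 664: a group-writable sshd_config lets any member of the owning
    # group rewrite the login policy. Only root needs to read it. Quoted so
    # the YAML parser does not turn the octal into a decimal integer.
    mode: '0600'
    # Syntax-check the candidate file before it replaces the live one.
    # Without this a typo is installed, the restart handler fires, sshd
    # fails to come back, and you are locked out of the host. Path is the
    # Debian/Ubuntu one; adjust if the daemon lives elsewhere.
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSHD
--------------------------------------------------------------------------------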