├── .ansible-lint ├── .clog.toml ├── .editorconfig ├── .gitignore ├── .travis.yml ├── CHANGELOG.md ├── LICENSE ├── Makefile ├── README.md ├── Vagrantfile ├── ansible.cfg ├── defaults └── main.yml ├── handlers └── main.yml ├── meta ├── main.yml └── readme.yml ├── tasks ├── config.yml ├── install.yml ├── known_hosts.yml ├── main.yml ├── service.yml └── vars.yml ├── templates └── etc │ └── ssh │ └── sshd_config.j2 ├── tests └── main.yml └── vars ├── debian └── bullseye.yml ├── openbsd.yml ├── ubuntu.yml └── ubuntu ├── bionic.yml ├── trusty.yml └── xenial.yml /.ansible-lint: -------------------------------------------------------------------------------- 1 | exclude_paths: 2 | - ./meta/readme.yml 3 | -------------------------------------------------------------------------------- /.clog.toml: -------------------------------------------------------------------------------- 1 | [clog] 2 | changelog = "CHANGELOG.md" 3 | repository = "https://github.com/weareinteractive/ansible-ssh" 4 | from-latest-tag = true 5 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig helps developers define and maintain consistent 2 | # coding styles between different editors and IDEs 3 | # editorconfig.org 4 | 5 | root = true 6 | 7 | [*] 8 | # Change these settings to your own preference 9 | indent_size = 2 10 | indent_style = space 11 | 12 | # We recommend you to keep these unchanged 13 | charset = utf-8 14 | end_of_line = lf 15 | insert_final_newline = true 16 | trim_trailing_whitespace = true 17 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.log 2 | *.retry 3 | .DS_Store 4 | .vagrant 5 | .vscode 6 | .idea 7 | 8 | library/ 9 | -------------------------------------------------------------------------------- 
/.travis.yml:
--------------------------------------------------------------------------------
---
# CI for the role: installs Ansible from PyPI and applies tests/main.yml to the
# Travis worker itself (--connection=local --become), so a broken sshd_config
# is caught before a release is tagged.
os: linux
dist: xenial
language: python
python: "3.8"
before_install:
  - sudo apt-get update -qq
  - sudo apt-get install -qq python-apt python-pycurl git
install:
  # NOTE(review): unpinned -- the Ansible/Jinja2 versions under test move
  # between builds without any change to this repository.
  - pip install ansible
  # NOTE(review): supply-chain exposure. The third-party sshknownhosts module is
  # fetched at whatever the branch tip of an external GitHub repository is and
  # then executed as root (tests/main.yml runs with become: true) by
  # tasks/known_hosts.yml. Pin to a reviewed commit (check out a specific sha
  # after the clone) instead of trusting HEAD.
  - git clone https://github.com/bfmartin/ansible-sshknownhosts.git library/sshknownhosts
script:
  - echo localhost > inventory
  # ansible.cfg sets roles_path=../, so the checkout must be reachable under the
  # Galaxy role name.
  - ln -s "$PWD" ../weareinteractive.ssh
  - ansible-playbook --version
  - ansible-playbook --syntax-check -i inventory tests/main.yml
  - ansible-playbook -i inventory tests/main.yml --connection=local --become -vvvv

notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/
--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------

### 1.4.1 ()





### 1.3.2 (2020-05-21)


#### Bug Fixes

* only include default if no config provided ([44ecf820](https://github.com/weareinteractive/ansible-ssh/commit/44ecf820381fa127943069ed71dc6b18068cb7d6))




### 1.3.1 (2019-10-17)





## 1.3.0 (2018-11-10)


#### Features

* add trusty vars ([f4460abc](https://github.com/weareinteractive/ansible-ssh/commit/f4460abcb7ef91a81fbd7ed12609559c6c446a8c))
* support additional and distribution specific config ([dfecfad0](https://github.com/weareinteractive/ansible-ssh/commit/dfecfad0e496d02cf66e3654b088b773aa70e715))
* change org name ([b4c0e26b](https://github.com/weareinteractive/ansible-ssh/commit/b4c0e26b75d6bdf3e61bed1496ee942ea221f33e))
* add CHANGELOG ([b0209500](https://github.com/weareinteractive/ansible-ssh/commit/b0209500c23b4ef079cb2edb12096f07a3e67d9e))



-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) We Are Interactive 2 | 3 | Permission is hereby granted, free of charge, to any person 4 | obtaining a copy of this software and associated documentation 5 | files (the "Software"), to deal in the Software without 6 | restriction, including without limitation the rights to use, 7 | copy, modify, merge, publish, distribute, sublicense, and/or sell 8 | copies of the Software, and to permit persons to whom the 9 | Software is furnished to do so, subject to the following 10 | conditions: 11 | 12 | The above copyright notice and this permission notice shall be 13 | included in all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES 17 | OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT 19 | HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, 20 | WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 21 | FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 22 | OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | PWD=$(shell pwd) 2 | 3 | docs: 4 | ansible-role docgen 5 | 6 | lint: 7 | ansible-lint . 
8 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Ansible weareinteractive.ssh role 2 | 3 | [![Build Status](https://img.shields.io/travis/weareinteractive/ansible-ssh.svg)](https://travis-ci.com/weareinteractive/ansible-ssh) 4 | [![Galaxy](http://img.shields.io/badge/galaxy-weareinteractive.ssh-blue.svg)](https://galaxy.ansible.com/weareinteractive/ssh) 5 | [![GitHub Tags](https://img.shields.io/github/tag/weareinteractive/ansible-ssh.svg)](https://github.com/weareinteractive/ansible-ssh) 6 | [![GitHub Stars](https://img.shields.io/github/stars/weareinteractive/ansible-ssh.svg)](https://github.com/weareinteractive/ansible-ssh) 7 | 8 | > `weareinteractive.ssh` is an [Ansible](http://www.ansible.com) role which: 9 | > 10 | > * Installs OpenSSH (if required) 11 | > * Configures OpenSSH 12 | > * Ensures OpenSSH is running and started on boot 13 | 14 | **Note:** 15 | 16 | > Since Ansible Galaxy switched all role names to the organization name, this role has moved from `franklinkim.ssh` to `weareinteractive.ssh`! 17 | 18 | ## Installation 19 | 20 | Using `ansible-galaxy`: 21 | 22 | ```shell 23 | $ ansible-galaxy install weareinteractive.ssh 24 | ``` 25 | 26 | Using `requirements.yml`: 27 | 28 | ```yaml 29 | - src: weareinteractive.ssh 30 | ``` 31 | 32 | Using `git`: 33 | 34 | ```shell 35 | $ git clone https://github.com/weareinteractive/ansible-ssh.git weareinteractive.ssh 36 | ``` 37 | 38 | ## Dependencies 39 | 40 | * Ansible >= 2.9 41 | * [sshknownhosts](https://github.com/bfmartin/ansible-sshknownhosts) installed in your `ANSIBLE_LIBRARY` path (see [#4](https://github.com/weareinteractive/ansible-ssh/issues/4)), only required when the `ssh_known_hosts` list is used. 42 | 43 | ## Variables 44 | 45 | Here is a list of all the default variables for this role, which are also available in `defaults/main.yml`. 
46 | 47 | ```yaml 48 | --- 49 | # For more information about default variables see: 50 | # http://www.ansibleworks.com/docs/playbooks_variables.html#id26 51 | # 52 | # ssh_known_hosts: 53 | # - github.com 54 | # ssh_config: 55 | # HostKey: 56 | # - /etc/ssh/ssh_host_rsa_key 57 | # - /etc/ssh/ssh_host_dsa_key 58 | # - /etc/ssh/ssh_host_ecdsa_key 59 | # - /etc/ssh/ssh_host_ed25519_key 60 | # ChallengeResponseAuthentication: "no" 61 | # UsePAM: "yes" 62 | # X11Forwarding: "yes" 63 | # PrintMotd: "no" 64 | # AcceptEnv: LANG LC_* 65 | # Subsystem: sftp /usr/lib/openssh/sftp-server 66 | # 67 | 68 | # variable fallback defaults 69 | # usually overridden from Play or distro specific vars file 70 | ssh_config: {} 71 | ssh_packages: [] 72 | ssh_service: sshd 73 | 74 | # DEPRICATION NOTICE: 75 | # use the `ssh_config` map @see var/DISTRIBUTION/VERSION.yml 76 | ssh_port: [22] 77 | ssh_protocol: 2 78 | ssh_listen_address: [] 79 | ssh_permit_root_login: 'yes' 80 | ssh_pubkey_authentication: 'yes' 81 | ssh_password_authentication: 'yes' 82 | 83 | # start on boot 84 | ssh_service_enabled: true 85 | # current state: started, stopped 86 | ssh_service_state: started 87 | # system wide known hosts 88 | ssh_known_hosts: [] 89 | 90 | ``` 91 | 92 | ## Handlers 93 | 94 | These are the handlers that are defined in `handlers/main.yml`. 
95 | 96 | ```yaml 97 | --- 98 | # handlers for ssh role 99 | 100 | - name: restart ssh 101 | service: 102 | name: "{{ ssh_service }}" 103 | state: restarted 104 | when: ssh_service_state != 'stopped' 105 | 106 | ``` 107 | 108 | 109 | ## Usage 110 | 111 | This is an example playbook: 112 | 113 | ```yaml 114 | --- 115 | - hosts: all 116 | become: true 117 | roles: 118 | - weareinteractive.ssh 119 | vars: 120 | ssh_known_hosts: 121 | - github.com 122 | - bitbucket.org 123 | ssh_config: 124 | Port: 22 125 | Protocol: 2 126 | HostKey: 127 | - /etc/ssh/ssh_host_rsa_key 128 | - /etc/ssh/ssh_host_dsa_key 129 | - /etc/ssh/ssh_host_ecdsa_key 130 | - /etc/ssh/ssh_host_ed25519_key 131 | UsePrivilegeSeparation: "yes" 132 | KeyRegenerationInterval: 3600 133 | ServerKeyBits: 1024 134 | SyslogFacility: AUTH 135 | LogLevel: INFO 136 | LoginGraceTime: 120 137 | PermitRootLogin: "no" 138 | StrictModes: "yes" 139 | RSAAuthentication: "yes" 140 | PubkeyAuthentication: "yes" 141 | IgnoreRhosts: "yes" 142 | RhostsRSAAuthentication: "no" 143 | HostbasedAuthentication: "no" 144 | PermitEmptyPasswords: "no" 145 | ChallengeResponseAuthentication: "no" 146 | PasswordAuthentication: "yes" 147 | X11Forwarding: "yes" 148 | X11DisplayOffset: 10 149 | PrintMotd: "no" 150 | PrintLastLog: "yes" 151 | TCPKeepAlive: "yes" 152 | AcceptEnv: LANG LC_* 153 | Subsystem: sftp /usr/lib/openssh/sftp-server 154 | UsePAM: "yes" 155 | 156 | ``` 157 | 158 | 159 | ## Testing 160 | 161 | ```shell 162 | $ git clone https://github.com/weareinteractive/ansible-ssh.git 163 | $ cd ansible-ssh 164 | $ make test 165 | ``` 166 | 167 | ## Contributing 168 | In lieu of a formal style guide, take care to maintain the existing coding style. Add unit tests and examples for any new or changed functionality. 169 | 170 | 1. Fork it 171 | 2. Create your feature branch (`git checkout -b my-new-feature`) 172 | 3. Commit your changes (`git commit -am 'Add some feature'`) 173 | 4. 
Push to the branch (`git push origin my-new-feature`) 174 | 5. Create new Pull Request 175 | 176 | *Note: To update the `README.md` file please install and run `ansible-role`:* 177 | 178 | ```shell 179 | $ gem install ansible-role 180 | $ ansible-role docgen 181 | ``` 182 | 183 | ## License 184 | Copyright (c) We Are Interactive under the MIT license. 185 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | # -*- mode: ruby -*- 2 | # vi: set ft=ruby : 3 | 4 | Vagrant.configure("2") do |config| 5 | config.vbguest.no_remote = true 6 | config.vbguest.auto_update = false 7 | 8 | config.vm.define 'bionic' do |instance| 9 | instance.vm.box = 'ubuntu/bionic64' 10 | end 11 | 12 | config.vm.define 'xenial' do |instance| 13 | instance.vm.box = 'ubuntu/xenial64' 14 | end 15 | 16 | config.vm.provision "shell", inline: <<-SHELL 17 | echo "Updating virtual machine..." 18 | sudo DEBIAN_FRONTEND=noninteractive apt-get update 19 | 20 | echo "Installing prerequisites..." 21 | sudo DEBIAN_FRONTEND=noninteractive apt-get install -y python 22 | SHELL 23 | 24 | # View the documentation for the provider you're using for more 25 | # information on available options. 
# (Vagrantfile, continued: provision the boxes with the same test playbook CI uses)
  config.vm.provision "ansible" do |ansible|
    ansible.playbook = "tests/main.yml"
    ansible.verbose = 'vv'
  end
end
--------------------------------------------------------------------------------
/ansible.cfg:
--------------------------------------------------------------------------------
[defaults]
# parent of this checkout, so it resolves as the role weareinteractive.ssh
roles_path=../
# ./library is where .travis.yml drops the third-party sshknownhosts module
library=/usr/share/ansible:./library
--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
---
# For more information about default variables see:
# http://www.ansibleworks.com/docs/playbooks_variables.html#id26
#
# ssh_known_hosts:
#   - github.com
# ssh_config:
#   HostKey:
#     - /etc/ssh/ssh_host_rsa_key
#     - /etc/ssh/ssh_host_dsa_key
#     - /etc/ssh/ssh_host_ecdsa_key
#     - /etc/ssh/ssh_host_ed25519_key
#   ChallengeResponseAuthentication: "no"
#   UsePAM: "yes"
#   X11Forwarding: "yes"
#   PrintMotd: "no"
#   AcceptEnv: LANG LC_*
#   Subsystem: sftp /usr/lib/openssh/sftp-server
#
# Keep yes/no values quoted as shown: unquoted YAML yes/no is loaded as a
# boolean, and templates/etc/ssh/sshd_config.j2 (which passes booleans through
# its `is number` branch) would render it as `True`/`False`, which sshd does
# not accept as a yes/no argument.

# variable fallback defaults
# usually overridden from Play or distro specific vars file
#
# ssh_config is written verbatim to /etc/ssh/sshd_config: one keyword per key,
# one line per list element. Anything not listed falls back to sshd's
# compiled-in default, and an empty map yields a file holding only the
# ansible_managed header.
ssh_config: {}
ssh_packages: []
ssh_service: sshd

# DEPRECATION NOTICE:
# use the `ssh_config` map @see vars/DISTRIBUTION/VERSION.yml
#
# These legacy knobs are only read by the vars files that still interpolate
# them (vars/ubuntu/trusty.yml, xenial.yml, bionic.yml); vars/ubuntu.yml,
# vars/openbsd.yml and vars/debian/bullseye.yml ignore them.
#
# SECURITY: wherever they apply, the fallback values below render
# `PermitRootLogin yes` together with `PasswordAuthentication yes`, i.e.
# password-authenticated root login -- more permissive than the package
# defaults of those releases. Hardened deployments should set PermitRootLogin
# "no" (or "prohibit-password") and PasswordAuthentication "no" while keeping
# PubkeyAuthentication "yes", either here or via ssh_config.
ssh_port: [22]
ssh_protocol: 2
ssh_listen_address: []
ssh_permit_root_login: 'yes'
ssh_pubkey_authentication: 'yes'
ssh_password_authentication: 'yes'

# start on boot
ssh_service_enabled: true
# current state: started, stopped
ssh_service_state: started
# system wide known hosts
# NOTE(review): entries are handed to the third-party sshknownhosts module as a
# bare hostname (tasks/known_hosts.yml), so the recorded key is presumably
# whatever the host presented when the module looked it up -- verify
# fingerprints out of band for hosts you rely on.
ssh_known_hosts: []
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers for ssh role

4 | - name: restart ssh 5 | service: 6 | name: "{{ ssh_service }}" 7 | state: restarted 8 | when: ssh_service_state != 'stopped' 9 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | galaxy_info: 3 | role_name: ssh 4 | author: weareinteractive 5 | company: We Are Interactive 6 | description: Configures ssh 7 | min_ansible_version: 2.9 8 | license: MIT 9 | # Optionally specify the branch Galaxy will use when accessing the GitHub 10 | # repo for this role. During role install, if no tags are available, 11 | # Galaxy will use this branch. During import Galaxy will access files on 12 | # this branch. If travis integration is cofigured, only notification for this 13 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 14 | # (usually master) will be used. 15 | github_branch: master 16 | # 17 | # Below are all platforms currently available. Just uncomment 18 | # the ones that apply to your role. If you don't see your 19 | # platform on this list, let us know and we'll get it added! 20 | # 21 | platforms: 22 | - name: Ubuntu 23 | versions: 24 | - all 25 | - name: Debian 26 | versions: 27 | - bullseye 28 | - name: OpenBSD 29 | versions: 30 | - 6.8 31 | - 6.9 32 | # 33 | # List tags for your role here, one per line. A tag is 34 | # a keyword that describes and categorizes the role. 35 | # Users find roles by searching for tags. Be sure to 36 | # remove the '[]' above if you add tags to this list. 37 | # 38 | # NOTE: A tag is limited to a single word comprised of 39 | # alphanumeric characters. Maximum 20 tags per role. 40 | galaxy_tags: 41 | - networking 42 | - system 43 | - ssh 44 | # List your role dependencies here, one per line. Only 45 | # dependencies available via galaxy should be listed here. 46 | # Be sure to remove the '[]' above if you add dependencies 47 | # to this list. 
48 | dependencies: [] 49 | -------------------------------------------------------------------------------- /meta/readme.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | galaxy_name: weareinteractive.ssh 4 | github_user: weareinteractive 5 | github_name: ansible-ssh 6 | badges: | 7 | [![Build Status](https://img.shields.io/travis/weareinteractive/ansible-ssh.svg)](https://travis-ci.com/weareinteractive/ansible-ssh) 8 | [![Galaxy](http://img.shields.io/badge/galaxy-weareinteractive.ssh-blue.svg)](https://galaxy.ansible.com/weareinteractive/ssh) 9 | [![GitHub Tags](https://img.shields.io/github/tag/weareinteractive/ansible-ssh.svg)](https://github.com/weareinteractive/ansible-ssh) 10 | [![GitHub Stars](https://img.shields.io/github/stars/weareinteractive/ansible-ssh.svg)](https://github.com/weareinteractive/ansible-ssh) 11 | description: | 12 | > * Installs OpenSSH (if required) 13 | > * Configures OpenSSH 14 | > * Ensures OpenSSH is running and started on boot 15 | 16 | **Note:** 17 | 18 | > Since Ansible Galaxy switched all role names to the organization name, this role has moved from `franklinkim.ssh` to `weareinteractive.ssh`! 19 | after_dependencies: | 20 | * [sshknownhosts](https://github.com/bfmartin/ansible-sshknownhosts) installed in your `ANSIBLE_LIBRARY` path (see [#4](https://github.com/weareinteractive/ansible-ssh/issues/4)), only required when the `ssh_known_hosts` list is used. 
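
--------------------------------------------------------------------------------
/tasks/config.yml:
--------------------------------------------------------------------------------
---
# Render the ssh_config mapping into sshd_config and schedule a daemon restart.
- name: Configuring sshd
  template:
    src: etc/ssh/sshd_config.j2
    dest: /etc/ssh/sshd_config
    backup: true
    owner: root
    # OpenBSD ships the file root:wheel (vars/openbsd.yml sets sshd_config_group);
    # every other platform uses root.
    group: "{{ sshd_config_group | default('root') }}"
    mode: "0644"
    # Syntax-check the rendered file before it replaces the live one. Without
    # this a typo, an unsupported keyword or a `True`/`False` value would be
    # installed, the "restart ssh" handler would then fail to bring sshd back,
    # and remote operators would be locked out. sshd -t needs the host keys and
    # (on Debian-family builds) the privilege-separation directory /run/sshd,
    # both of which exist once the package has been installed and started, which
    # install.yml guarantees before this task runs.
    validate: /usr/sbin/sshd -t -f %s
  notify: restart ssh
--------------------------------------------------------------------------------
/tasks/install.yml:
--------------------------------------------------------------------------------
---

# Install the OpenSSH packages named by the active vars file. OpenBSD has sshd
# in base and leaves ssh_packages empty, so the task is skipped there.
- name: Installing packages
  package:
    name: "{{ ssh_packages }}"
    state: present
  when: ssh_packages | length > 0
--------------------------------------------------------------------------------
/tasks/known_hosts.yml:
--------------------------------------------------------------------------------
---

# Populate the system-wide known_hosts through the third-party sshknownhosts
# module (see README "Dependencies"). Only a hostname is passed, so the key it
# records is presumably whatever that host presents at lookup time -- an
# on-path attacker at that moment can plant a key every later client on the
# machine will trust. Verify fingerprints out of band for hosts you rely on.
# Each item is either a bare hostname or a mapping with a `name` key.
- name: Registering known hosts
  sshknownhosts:
    host: "{{ item.name if item.name is defined else item }}"
  loop: "{{ ssh_known_hosts }}"
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Order matters: OS vars -> packages -> sshd_config -> known_hosts -> service.

- import_tasks: vars.yml
  tags:
    - system
    - networking
    - ssh
    - ssh-vars

- import_tasks: install.yml
  tags:
    - system
    - networking
    - ssh
    - ssh-install

- import_tasks: config.yml
  tags:
    - system
    - networking
    - ssh
    - ssh-config

# Dynamic include so the third-party `sshknownhosts` module only has to exist
# when the list is non-empty. Tags on include_tasks cover the include statement
# itself, not the tasks inside the file; `apply` pushes them down so that
# `--tags ssh-known-hosts` actually runs the registration task.
- include_tasks:
    file: known_hosts.yml
    apply:
      tags:
        - system
        - networking
        - ssh
        - ssh-known-hosts
  when: ssh_known_hosts | length > 0
  tags:
    - system
    - networking
    - ssh
    - ssh-known-hosts

- import_tasks: service.yml
  tags:
    - system
    - networking
    - ssh
    - ssh-service
--------------------------------------------------------------------------------
/tasks/service.yml: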
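--------------------------------------------------------------------------------
---

# Bring sshd into the requested state. The "restart ssh" handler notified by
# config.yml additionally restarts it at the end of the play unless
# ssh_service_state is "stopped".
- name: Configuring service
  service:
    name: "{{ ssh_service }}"
    state: "{{ ssh_service_state }}"
    enabled: "{{ ssh_service_enabled }}"
--------------------------------------------------------------------------------
/tasks/vars.yml:
--------------------------------------------------------------------------------
---

# Load vars/<distribution>/<release>.yml when it exists, else vars/<distribution>.yml.
# NOTE(review): with `errors: ignore` an unsupported OS matches nothing and the
# role carries on with the fallback defaults (ssh_packages [] and an empty
# ssh_config, i.e. an sshd_config holding only the header) unless the play sets
# them -- confirm that is the intended failure mode rather than aborting.
- name: Including OS specific variables
  include_vars: "{{ lookup('first_found', params) }}"
  vars:
    params:
      errors: ignore
      files:
        - "{{ ansible_facts.distribution | lower }}/{{ ansible_facts.distribution_release }}.yml"
        - "{{ ansible_facts.distribution | lower }}.yml"
      paths:
        - 'vars'
--------------------------------------------------------------------------------
/templates/etc/ssh/sshd_config.j2:
--------------------------------------------------------------------------------
# {{ ansible_managed }}
{#
  Flat rendering of the ssh_config mapping: each key becomes one sshd_config
  keyword line; a list value becomes one line per element (Port, ListenAddress,
  HostKey ...). Keys are emitted in mapping (insertion) order, and sshd keeps
  the first value it sees for most keywords, so an `Include` placed first lets
  drop-in files override everything rendered after it. Match blocks cannot be
  expressed with this mapping.

  Booleans: unquoted YAML yes/no/true/false reaches the template as a Python
  bool, which Jinja's `number` test also accepts; rendered through {{ value }}
  it would become `True`/`False`, which sshd rejects as a yes/no argument. The
  first branch below maps it back to the yes/no form sshd expects.
#}

{% macro print_array(name, values=[]) -%}
{% for value in values -%}
{{ name }} {{ value }}
{% endfor %}
{% endmacro %}

{% for key, value in ssh_config.items() -%}
{% if value is sameas true or value is sameas false %}
{{ key }} {{ 'yes' if value else 'no' }}
{% elif value is string or value is number %}
{{ key }} {{ value }}
{% else %}
{{ print_array(key, value) }}
{% endif %}
{% endfor %}


--------------------------------------------------------------------------------
/tests/main.yml:
--------------------------------------------------------------------------------
---
# Exercises the role with a full sshd_config mirroring the historical Ubuntu
# (xenial-era) package default. It is a fixture, not a hardening baseline: it
# keeps PasswordAuthentication and X11Forwarding on, lists the DSA host key,
# and uses protocol-1-era keywords (Protocol, KeyRegenerationInterval,
# ServerKeyBits, RSAAuthentication, RhostsRSAAuthentication,
# UsePrivilegeSeparation) that newer OpenSSH releases log as deprecated.
- hosts: all
  become: true
  roles:
    - weareinteractive.ssh
  vars:
    ssh_known_hosts:
      - github.com
      - bitbucket.org
    ssh_config:
      Port: 22
      Protocol: 2
      HostKey:
        - /etc/ssh/ssh_host_rsa_key
        - /etc/ssh/ssh_host_dsa_key
        - /etc/ssh/ssh_host_ecdsa_key
        - /etc/ssh/ssh_host_ed25519_key
      UsePrivilegeSeparation: "yes"
      KeyRegenerationInterval: 3600
      ServerKeyBits: 1024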
# (tests/main.yml, continued)
      SyslogFacility: AUTH
      LogLevel: INFO
      LoginGraceTime: 120
      PermitRootLogin: "no"
      StrictModes: "yes"
      RSAAuthentication: "yes"
      PubkeyAuthentication: "yes"
      IgnoreRhosts: "yes"
      RhostsRSAAuthentication: "no"
      HostbasedAuthentication: "no"
      PermitEmptyPasswords: "no"
      ChallengeResponseAuthentication: "no"
      PasswordAuthentication: "yes"
      X11Forwarding: "yes"
      X11DisplayOffset: 10
      PrintMotd: "no"
      PrintLastLog: "yes"
      TCPKeepAlive: "yes"
      AcceptEnv: LANG LC_*
      Subsystem: sftp /usr/lib/openssh/sftp-server
      UsePAM: "yes"
--------------------------------------------------------------------------------
/vars/debian/bullseye.yml:
--------------------------------------------------------------------------------
---
# Debian 11: mirrors the package's sshd_config. The legacy ssh_* knobs from
# defaults/main.yml are not consulted here; PermitRootLogin and
# PasswordAuthentication are left to sshd's compiled-in defaults.
ssh_packages:
  - openssh-server
  - openssh-client
  - openssh-sftp-server

ssh_service: ssh

ssh_config:
  # Listed first on purpose (as in Debian's own file): sshd keeps the first
  # value it sees for most keywords, so any drop-in under sshd_config.d/ -- for
  # example a provisioning snippet that sets PasswordAuthentication -- wins over
  # everything the role renders below it. Drop or move the Include if the role
  # has to be authoritative.
  Include: /etc/ssh/sshd_config.d/*.conf
  ChallengeResponseAuthentication: "no"
  UsePAM: "yes"
  X11Forwarding: "yes"
  PrintMotd: "no"
  AcceptEnv: LANG LC_*
  Subsystem: sftp /usr/lib/openssh/sftp-server
--------------------------------------------------------------------------------
/vars/openbsd.yml:
--------------------------------------------------------------------------------
---
# OpenBSD: sshd is part of the base system, so nothing is installed.
ssh_packages: []
ssh_service: sshd

# /etc/ssh/sshd_config is root:wheel on OpenBSD; tasks/config.yml reads this.
sshd_config_group: 'wheel'

# The only platform file in the role that disables root login outright.
ssh_config:
  PermitRootLogin: "no"
  AuthorizedKeysFile: .ssh/authorized_keys
  Subsystem: sftp /usr/libexec/sftp-server
--------------------------------------------------------------------------------
/vars/ubuntu.yml:
--------------------------------------------------------------------------------
---
# Fallback for Ubuntu releases without a vars/ubuntu/<release>.yml.
# NOTE(review): unlike vars/debian/bullseye.yml this carries no
# `Include /etc/ssh/sshd_config.d/*.conf`; on releases whose package ships that
# directory, the drop-ins stop being read once this template replaces the distro
# file -- decide whether that is wanted. PermitRootLogin and
# PasswordAuthentication are left to sshd's compiled-in defaults.
ssh_packages:
  - openssh-server
  - openssh-client

ssh_service: ssh

ssh_config:
  ChallengeResponseAuthentication: "no"
  UsePAM: "yes"
  X11Forwarding: "yes"
  PrintMotd: "no"
  AcceptEnv: LANG LC_*
  Subsystem: sftp /usr/lib/openssh/sftp-server
--------------------------------------------------------------------------------
/vars/ubuntu/bionic.yml:
--------------------------------------------------------------------------------
---
ssh_packages:
  - openssh-server
  - openssh-client

ssh_service: ssh

# Still driven by the deprecated ssh_* knobs from defaults/main.yml. With the
# role's fallback values this renders `PermitRootLogin yes` and
# `PasswordAuthentication yes` -- password-authenticated root login, more
# permissive than the bionic package default (prohibit-password). Override
# ssh_permit_root_login / ssh_password_authentication (or ssh_config) in the play.
ssh_config:
  Port: "{{ ssh_port }}"
  ListenAddress: "{{ ssh_listen_address }}"
  PermitRootLogin: "{{ ssh_permit_root_login }}"
  PubkeyAuthentication: "{{ ssh_pubkey_authentication }}"
  PasswordAuthentication: "{{ ssh_password_authentication }}"
  ChallengeResponseAuthentication: "no"
  UsePAM: "yes"
  X11Forwarding: "yes"
  PrintMotd: "no"
  AcceptEnv: LANG LC_*
  Subsystem: sftp /usr/lib/openssh/sftp-server
--------------------------------------------------------------------------------
/vars/ubuntu/trusty.yml:
--------------------------------------------------------------------------------
---
ssh_packages:
  - openssh-server
  - openssh-client

ssh_service: ssh

# Mirrors the trusty (OpenSSH 6.6) package default, including the DSA host key
# and protocol-1-era keywords. PermitRootLogin and PasswordAuthentication come
# from the deprecated ssh_* knobs, so with the role's fallback values this
# permits password-authenticated root login -- override them in the play.
ssh_config:
  Port: "{{ ssh_port }}"
  Protocol: "{{ ssh_protocol }}"
  ListenAddress: "{{ ssh_listen_address }}"
  HostKey:
    - /etc/ssh/ssh_host_rsa_key
    - /etc/ssh/ssh_host_dsa_key
    - /etc/ssh/ssh_host_ecdsa_key
    - /etc/ssh/ssh_host_ed25519_key
  UsePrivilegeSeparation: "yes"
  KeyRegenerationInterval: 3600
  ServerKeyBits: 1024
  SyslogFacility: AUTH
  LogLevel: INFO
  LoginGraceTime: 120
  PermitRootLogin: "{{ ssh_permit_root_login }}"
  StrictModes: "yes"
  RSAAuthentication: "yes"
  PubkeyAuthentication: "{{ ssh_pubkey_authentication }}"
  IgnoreRhosts: "yes"
  RhostsRSAAuthentication: "no"
  HostbasedAuthentication: "no"
  PermitEmptyPasswords: "no"
  ChallengeResponseAuthentication: "no"
  PasswordAuthentication: "{{ ssh_password_authentication }}"
  X11Forwarding: "yes"
  X11DisplayOffset: 10
  PrintMotd: "no"
  PrintLastLog: "yes"
  TCPKeepAlive: "yes"
  AcceptEnv: LANG LC_*
  Subsystem: sftp /usr/lib/openssh/sftp-server
  UsePAM: "yes"
--------------------------------------------------------------------------------
/vars/ubuntu/xenial.yml:
--------------------------------------------------------------------------------
---
ssh_packages:
  - openssh-server
  - openssh-client

ssh_service: ssh

# Mirrors the xenial (OpenSSH 7.2) package default, including the DSA host key
# (ssh-dss host keys are disabled by default since OpenSSH 7.0, so this entry is
# at best ignored) and protocol-1-era keywords that later releases log as
# deprecated. PermitRootLogin and PasswordAuthentication come from the
# deprecated ssh_* knobs, so with the role's fallback values this permits
# password-authenticated root login, more permissive than the package default
# (prohibit-password) -- override them in the play.
ssh_config:
  Port: "{{ ssh_port }}"
  Protocol: "{{ ssh_protocol }}"
  ListenAddress: "{{ ssh_listen_address }}"
  HostKey:
    - /etc/ssh/ssh_host_rsa_key
    - /etc/ssh/ssh_host_dsa_key
    - /etc/ssh/ssh_host_ecdsa_key
    - /etc/ssh/ssh_host_ed25519_key
  UsePrivilegeSeparation: "yes"
  KeyRegenerationInterval: 3600
  ServerKeyBits: 1024
  SyslogFacility: AUTH
  LogLevel: INFO
  LoginGraceTime: 120
  PermitRootLogin: "{{ ssh_permit_root_login }}"
  StrictModes: "yes"
  RSAAuthentication: "yes"
  PubkeyAuthentication: "{{ ssh_pubkey_authentication }}"
  IgnoreRhosts: "yes"
  RhostsRSAAuthentication: "no"
  HostbasedAuthentication: "no"
  PermitEmptyPasswords: "no"
  ChallengeResponseAuthentication: "no"
  PasswordAuthentication: "{{ ssh_password_authentication }}"
  X11Forwarding: "yes"
  X11DisplayOffset: 10
  PrintMotd: "no"
  PrintLastLog: "yes"
  TCPKeepAlive: "yes"
  AcceptEnv: LANG LC_*
  Subsystem: sftp /usr/lib/openssh/sftp-server
  UsePAM: "yes"
--------------------------------------------------------------------------------