Sensible and secure defaults for OpenSSH server.
The defaults provided in this role are compliant with the Mozilla Modern for OpenSSH 6.7+
If you are running this role with older versions of OpenSSH, such as version 5.3 on RHEL or CentOS 6, you will need to override the defaults elsewhere (i.e. in your group_vars
or host_vars
). Below are a few Mozzila recommendations.
This is the default in this role.
openssh_kexalgorithms:
- curve25519-sha256@libssh.org
- ecdh-sha2-nistp521
- ecdh-sha2-nistp384
- ecdh-sha2-nistp256
- diffie-hellman-group-exchange-sha256
openssh_ciphers:
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr
openssh_macs:
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- umac-128-etm@openssh.com
- hmac-sha2-512
- hmac-sha2-256
- umac-128@openssh.com
openssh_hostkeys:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
ssh_kexalgorithms:
- diffie-hellman-group-exchange-sha256
ssh_ciphers:
- aes256-ctr
- aes192-ctr
- aes128-ctr
ssh_macs:
- hmac-sha2-512
- hmac-sha2-256