An Ansible role that installs and configures OpenSSH.
None.
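# Host key(s) sshd offers. Only Ed25519 is enabled, so clients that cannot
# verify Ed25519 host keys (very old OpenSSH, some appliances) cannot connect;
# add an RSA host key here only if such clients must be supported.
ssh_host_keys:
- /etc/ssh/ssh_host_ed25519_key

# Symmetric ciphers, AEAD first. In the SSH transport the CLIENT's preference
# order decides which mutually supported algorithm is used (RFC 4253 7.1), so
# the order below only determines what is offered, not what wins.
ssh_ciphers:
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr

# Key exchange. curve25519 is preferred; the finite-field groups are kept for
# older clients, and group14 (2048-bit) is the weakest entry in the list.
# diffie-hellman-group-exchange-sha256 takes its group from /etc/ssh/moduli,
# whose minimum group size is controlled by ssh_modulus_min.
ssh_kex_algorithms:
- curve25519-sha256
- curve25519-sha256@libssh.org
- diffie-hellman-group18-sha512
- diffie-hellman-group16-sha512
- diffie-hellman-group14-sha256
- diffie-hellman-group-exchange-sha256

# Encrypt-then-MAC only. The AEAD ciphers above carry their own integrity
# check and do not negotiate a MAC; this list applies to the CTR ciphers.
ssh_macs:
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- umac-128-etm@openssh.com

# VERBOSE records more per-connection detail than INFO (useful for audit)
# without the privacy impact that sshd_config(5) warns about for DEBUG.
ssh_log_level: VERBOSE

# possible values: prohibit-password, yes, no
# note: this must be a string, not a bool, so 'yes' and 'no' must be quoted
# (an unquoted yes/no is loaded as a YAML boolean and would be rendered wrong)
ssh_permit_root_login: 'no'

# Refuse logins when the user's home, ~/.ssh or authorized_keys is
# group- or world-writable.
ssh_strict_modes: true

# Public-key authentication, restricted to the listed algorithms. Only plain
# Ed25519 keys are accepted: RSA keys, Ed25519 certificates
# (ssh-ed25519-cert-v01@openssh.com) and FIDO security keys
# (sk-ssh-ed25519@openssh.com) are rejected unless added here. OpenSSH 8.5+
# calls this directive PubkeyAcceptedAlgorithms; the old name remains an alias.
ssh_pubkey_authentication: true
ssh_pubkey_accepted_key_types:
- ssh-ed25519

# Password-based login stays ENABLED by default. For a key-only server both
# of the following must be false: challenge-response (keyboard-interactive,
# i.e. PAM) can still prompt for a password even when PasswordAuthentication
# is off. Newer OpenSSH treats ChallengeResponseAuthentication as an alias of
# KbdInteractiveAuthentication. Key-only access can also be enforced per user
# through the ssh_users `settings` (AuthenticationMethods: publickey) without
# touching these globals.
ssh_password_authentication: true
ssh_permit_empty_password: false
ssh_challenge_response_authentication: true

ssh_gssapi_authentication: false
ssh_gssapi_cleanup_credentials: true

# Forwarding defaults are permissive. Agent forwarding exposes the connecting
# user's agent to anyone who can bypass file permissions (e.g. root) on this
# host; TCP forwarding lets logged-in users tunnel through it. Set both to
# false on hosts that do not need them, bearing in mind sshd_config(5)'s
# caveat that users with shell access can still run their own forwarders.
ssh_agent_forwarding: true
ssh_tcp_forwarding: true
ssh_x11_forwarding: false

# The contents of this file are sent to clients before authentication.
ssh_banner: /etc/ssh/banner

# sftp-server logs to the AUTHPRIV facility at INFO so file operations are
# auditable. The binary path differs between distributions (e.g.
# /usr/lib/openssh/sftp-server on Debian/Ubuntu); override as needed.
ssh_subsystems:
- name: sftp
  command: /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO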
For more information, read `man 5 sshd_config`.
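# Host keys to pre-populate in the system-wide known_hosts (presumably
# /etc/ssh/ssh_known_hosts -- confirm in the role's tasks). Pinning the key
# for every alias a user might type means a later key change on that host is
# reported as a mismatch instead of being accepted on first use.
# `key` is presumably the base64 key blob as printed by ssh-keyscan (without
# the type prefix, which goes in `type`). `a.b.c.d` stands for the host's IP
# address; use each host's own address in a real configuration.
ssh_known_hosts:
- aliases:
  - login1.example.com
  - login1
  - a.b.c.d
  type: ssh-ed25519
  key: xxx
- aliases:
  - login2.example.com
  - login2
  - a.b.c.d
  type: ssh-ed25519
  key: xxx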
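# Per-user configuration. `authorized_keys` is the literal file content, one
# key per line (the `|` block scalar keeps the newlines). `settings` are
# sshd_config directives applied to that user only, presumably rendered into
# a `Match User` block -- confirm in the role's template. Because password
# authentication is enabled globally by default, `AuthenticationMethods:
# publickey` is what makes these accounts key-only.
ssh_users:
- name: alice
  authorized_keys: |
    ssh-ed25519 xxx alice@workstation
    ssh-ed25519 xxx alice@laptop
  settings:
    AuthenticationMethods: publickey
- name: bob
  authorized_keys: |
    ssh-ed25519 xxx bob@workstation
    ssh-ed25519 xxx bob@laptop
  settings:
    AuthenticationMethods: publickey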
To configure the minimum modulus size for `/etc/ssh/moduli` (used by the `diffie-hellman-group-exchange-sha256` key exchange):
# Smallest Diffie-Hellman group kept in /etc/ssh/moduli, which backs the
# diffie-hellman-group-exchange-sha256 KEX. The moduli file lists a 3072-bit
# group as 3071, so this value keeps 3072-bit and larger groups and drops the
# 2048-bit ones.
ssh_modulus_min: 3071
None.
Add to `requirements.yml`:
---
# No `version:` is given, so ansible-galaxy fetches whatever the latest
# release on Galaxy is at install time. Pin a release tag with `version:`
# so installs are reproducible and upgrades are reviewed deliberately.
- src: idiv-biodiversity.ssh
...
Download:
$ ansible-galaxy install -r requirements.yml
Write a top-level playbook:
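---
# Applies the role to every host in the `heads` group. The `ssh` tag lets you
# run only this role with `--tags ssh` (or skip it with `--skip-tags ssh`).
- name: head server
  hosts: heads
  roles:
  - role: idiv-biodiversity.ssh
    tags:
    - ssh
...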
Define the role dependency in `meta/main.yml`:
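---
# Declares this role as a dependency of the enclosing role; Ansible runs role
# dependencies before the enclosing role's own tasks.
dependencies:
- role: idiv-biodiversity.ssh
  tags:
  - ssh
...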
MIT
This role was created in 2019 by Christian Krause (wookietreiber on GitHub), HPC cluster systems administrator at the German Centre for Integrative Biodiversity Research (iDiv).