An Ansible role that manages ssh and sshd. Currently the role has the following features:

• Install sshd server and SSH clients
• Manage server config settings in /etc/ssh/sshd_config, see role variables
• Manage SSH client config settings in /etc/ssh/ssh_config, see role variables
• Support global known hosts files for ssh clients (/etc/ssh/ssh_config)

No prerequisites necessary at the moment.

Available variables are listed below, along with default values (see also defaults/main.yml as well as man sshd_config):

ssh_manage_sshd: true

Specifies whether the sshd service should be managed by this role or not. Usually this is left to true, but might be temporarily set to false when this is needed.

ssh_manage_motd_file: false

Specifies whether to craft a custom /etc/motd file showing some system informations like OS name/version, IP addresses and CPU and memory information. If set to false, the file /etc/motd is not modified, if set to true the file is managed an updated if needed.

ssh_port: "22"

Specifies the port number that sshd listens on. If you want to change the port on a SELinux system, you have to tell SELinux about this change, for example: semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

ssh_address_family: "inet"

Specifies which address family should be used by sshd. Valid arguments are any (the default), inet (use IPv4 only), or inet6 (use IPv6 only). Specifies which address family should be used by sshd. The default is IPv4 only.

ssh_permit_root_login: "prohibit-password"

Specifies whether root can log in using ssh. The argument must be one of yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password, which disables password and keyboard-interactive authentication for root.

ssh_syslogfacility: ""

Gives the facility code that is used when logging messages from sshd. The default is OS-dependent, e.g. AUTHPRIV for Enterprise Linux and AUTH for Ubuntu. For possible values see man sshd_config.

ssh_use_pam: "yes"

Enables the Pluggable Authentication Module interface. See man sshd_config for detailed information. This defaults to yes as having this set to no is not supported in RHEL!

ssh_password_auth: "no"

Specifies whether password authentication is allowed. Leave this to no when using PAM. Default to no to disable tunneled clear text passwords.

ssh_kbdinteractive: "yes"

Specifies whether to allow keyboard-interactive authentication.

ssh_gssapi_auth: "no"

Specifies whether user authentication based on GSSAPI is allowed.

ssh_pubkey_auth: "yes"

Specifies whether public key authentication is allowed.

ssh_x11_forwarding: "yes"

Specifies whether X11 forwarding is permitted.

ssh_permit_tunnel: "no"

Specifies whether tun device forwarding is allowed.

ssh_maxstartups: "10:30:100"

Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. The role features the OpenSSH default value. Overriding this option is rarely needed but then important, like for the GPFS file system daemon that may rapidly spawn a lot of SSH connections and therefore needs this option set to 1024.

ssh_use_dns: "no"

Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address.
If this option is set to no (the default) then only addresses and not host names may be used in ~/.ssh/authorized_keys.

ssh_sftp_server: ""

Configures an external sftp server. By default, when set to an empty value, the external command sftp-server is used, for which the path is OS-dependent. Override this config value if you want to use another sftp server, i.e. internal-sftp for the in-process SFTP server.

ssh_allowusers: []

This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns.

ssh_allowgroups: []

This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized.

ssh_global_known_hosts: []

Specifies one or more files to use for the global host key database, separated by whitespace.

ssh_crypto_hostkey_algos: []

This role configures only secure algorithms by default in order to have ssh-audit pass with all green. Use this variable to override the host key algorithms that this role defines by defaults. See vars/*.yml for details.

ssh_crypto_kex_algos: []

This role configures only secure algorithms by default in order to have ssh-audit pass with all green. Use this variable to override the key exchange algorithms that this role defines by defaults. See vars/*.yml for details.

ssh_crypto_ciphers: []

This role configures only secure algorithms by default in order to have ssh-audit pass with all green. Use this variable to override the encryption algorithms that this role defines by defaults. See vars/*.yml for details.

ssh_crypto_macs: []

This role configures only secure algorithms by default in order to have ssh-audit pass with all green. Use this variable to override the message authentication code algorithms that this role defines by defaults. See vars/*.yml for details.

Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:

- hosts: servers
  roles:
     - role: unibeid.ssh
       vars:
         ssh_port: "42"

This role has been written for and tested on and is therefore compatible with:

• CentOS-7
• Rocky-8
• Rocky-9
• Ubuntu-20.04
• Ubuntu-22.04

This role has no dependencies.

MIT

The role was created in 2023 by the IT-Services Office of the University of Bern