tazend / ansible-role-ssh

Ansible role that installs and configures SSH

Home Page: https://galaxy.ansible.com/idiv-biodiversity/ssh

Ansible Role: OpenSSH

An Ansible role that installs and configures OpenSSH.

Requirements

None.

Role Variables

ssh_host_keys:
  - /etc/ssh/ssh_host_ed25519_key

ssh_ciphers:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

ssh_kex_algorithms:
  - curve25519-sha256
  - curve25519-sha256@libssh.org
  - diffie-hellman-group18-sha512
  - diffie-hellman-group16-sha512
  - diffie-hellman-group14-sha256
  - diffie-hellman-group-exchange-sha256

ssh_macs:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - umac-128-etm@openssh.com

ssh_log_level: VERBOSE

# possible values: prohibit-password, yes, no
# note: this must be a string, not a bool, so quote 'yes' and 'no'; an
# unquoted yes/no is parsed as a YAML boolean
ssh_permit_root_login: 'no'

ssh_strict_modes: yes

ssh_pubkey_authentication: yes

# note: keys of any other type are rejected at login even if they are
# installed in authorized_keys, so keep ssh_users in sync with this list
ssh_pubkey_accepted_key_types:
  - ssh-ed25519

# note: the default leaves password logins enabled; set this to no on hosts
# where every account has a key so that public keys are the only way in
ssh_password_authentication: yes

ssh_permit_empty_password: no

# note: this is the keyboard-interactive path, which PAM password prompts
# also use, so disable it together with password authentication unless a
# second factor depends on it
ssh_challenge_response_authentication: yes

ssh_gssapi_authentication: no

ssh_gssapi_cleanup_credentials: yes

ssh_agent_forwarding: yes

ssh_tcp_forwarding: yes

ssh_x11_forwarding: no

ssh_banner:
  src: path/to/local/ssh-banner
  dest: /etc/ssh/banner

# note: the sftp-server path is distribution specific; Debian and Ubuntu
# ship it as /usr/lib/openssh/sftp-server
ssh_subsystems:
  - name: sftp
    command: /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

For more information, read man 5 sshd_config.
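The defaults above still allow password and keyboard-interactive logins. The following script is an added example, not part of the idiv-biodiversity.ssh role: it audits a rendered sshd_config for those permissive settings. On a real host you would feed it the effective configuration, i.e. the output of `sshd -T` (or `sshd -T -C user=alice` to see a Match block applied); here two constructed configs are embedded, one approximating the role defaults and one with `ssh_password_authentication: no` and `ssh_challenge_response_authentication: no`, so it runs offline. The one-directive-per-line layout is an assumption that matches `sshd -T` output.

```shell
#!/bin/sh
# Added example, not part of the idiv-biodiversity.ssh role: audit a rendered
# sshd_config for the role's permissive defaults. Two constructed configs are
# embedded so this runs offline; on a host, pipe in `sshd -T` instead.

# Constructed sample 1: roughly what the role's defaults render to
# (assumption: one directive per line, as sshd -T prints them).
DEFAULT_CONFIG='
HostKey /etc/ssh/ssh_host_ed25519_key
LogLevel VERBOSE
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
X11Forwarding no
'

# Constructed sample 2: the same host after setting
# ssh_password_authentication: no and ssh_challenge_response_authentication: no.
HARDENED_CONFIG='
HostKey /etc/ssh/ssh_host_ed25519_key
LogLevel VERBOSE
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
'

# Print the value of one directive. Keywords are case-insensitive and the
# first occurrence wins, as in sshd itself.
# Usage: ssh_setting "<config text>" Directive
ssh_setting() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }'
}

# Check that only public-key logins are possible. Prints one FINDING line per
# deviation and returns 1 if any were found, 0 otherwise.
# Usage: ssh_audit "<config text>"
ssh_audit() {
    cfg=$1; rc=0
    for pair in \
        "PasswordAuthentication:no" \
        "ChallengeResponseAuthentication:no" \
        "PermitEmptyPasswords:no" \
        "PermitRootLogin:no|prohibit-password" \
        "X11Forwarding:no"
    do
        key=${pair%%:*}; want=${pair#*:}
        got=$(ssh_setting "$cfg" "$key")
        case "|$want|" in
            *"|$got|"*) continue ;;   # value is one of the accepted ones
        esac
        printf 'FINDING %s=%s (want %s)\n' "$key" "${got:-<unset>}" "$want"
        rc=1
    done
    return "$rc"
}

# Stand-alone run: audit both samples.
ssh_audit "$DEFAULT_CONFIG" || echo "defaults: password logins still possible"
ssh_audit "$HARDENED_CONFIG" && echo "hardened: key-only"
```

An unset directive is reported as a finding rather than assumed safe, because sshd's compiled-in default for PasswordAuthentication is yes; auditing `sshd -T` output avoids that ambiguity since it prints every effective value.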

Known Hosts

Each entry pins one host key under every listed alias. `key` is the base64 key blob, i.e. the second field of an `ssh-keyscan -t ed25519 host` line; verify the fingerprint out of band before adding it, since a known_hosts entry is only as trustworthy as its source.

ssh_known_hosts:

  - aliases:
      - login1.example.com
      - login1
      - a.b.c.d
    type: ssh-ed25519
    key: xxx

  - aliases:
      - login2.example.com
      - login2
      - a.b.c.d
    type: ssh-ed25519
    key: xxx

Authorized Keys and User Management

`authorized_keys` is written verbatim for the user; `settings` holds per-user sshd_config directives. Keys must be of a type listed in ssh_pubkey_accepted_key_types (ssh-ed25519 by default), otherwise they are installed but rejected at login.

ssh_users:

  - name: alice
    authorized_keys: |
      ssh-ed25519 xxx alice@workstation
      ssh-ed25519 xxx alice@laptop
    settings:
      AuthenticationMethods: publickey

  - name: bob
    authorized_keys: |
      ssh-ed25519 xxx bob@workstation
      ssh-ed25519 xxx bob@laptop
    settings:
      AuthenticationMethods: publickey
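Because the role accepts only ssh-ed25519 keys by default, an RSA key pasted into `authorized_keys` is installed but can never authenticate, which shows up as a lockout rather than an error. The script below is an added example, not part of the role: it classifies authorized_keys lines against the accepted type list. The sample key material is constructed (an ed25519 blob with an all-zero key, a truncated RSA placeholder and a literal `xxx`), and the parser assumes plain `type blob comment` lines without an options prefix.

```shell
#!/bin/sh
# Added example, not part of the role: check authorized_keys lines against the
# key types sshd will accept (the role's default is ssh-ed25519 only).

# Accepted types, mirroring the role default (assumption: one per line).
ACCEPTED_TYPES='ssh-ed25519'

# Synthetic ed25519 blob: the real 25-char prefix that encodes the key type
# and length, followed by an all-zero 32-byte key (43 base64 chars, 68 total).
SAMPLE_ED25519=$(awk 'BEGIN { s = "AAAAC3NzaC1lZDI1NTE5AAAAI"; for (i = 0; i < 43; i++) s = s "A"; print s }')

# Constructed sample of what ssh_users.authorized_keys might contain.
SAMPLE_KEYS="ssh-ed25519 $SAMPLE_ED25519 alice@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 alice@old-laptop
ssh-ed25519 xxx alice@laptop
"

# Classify one authorized_keys line: OK, WRONG_TYPE, BAD_BLOB or MALFORMED.
# Assumes the line has no options prefix (no-pty, from=..., etc.).
# Usage: key_status "<line>"
key_status() {
    set -- $1   # split into: type blob [comment]
    [ $# -ge 2 ] || { echo MALFORMED; return; }
    ktype=$1 blob=$2
    printf '%s\n' "$ACCEPTED_TYPES" | grep -Fqx "$ktype" || { echo WRONG_TYPE; return; }
    case $ktype in
        ssh-ed25519)
            # base64 of 51 bytes is 68 chars and always starts with the encoded
            # "ssh-ed25519" type string and 32-byte length
            if [ ${#blob} -eq 68 ] && printf '%s' "$blob" \
                | grep -Eq '^AAAAC3NzaC1lZDI1NTE5AAAAI[A-Za-z0-9+/]{43}$'; then
                echo OK
            else
                echo BAD_BLOB
            fi ;;
        *) echo OK ;;
    esac
}

# Number of lines in an authorized_keys text that sshd would never accept.
# Usage: keys_unusable "<authorized_keys text>"
keys_unusable() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] && key_status "$line"
    done | grep -cv '^OK$'
}

# Stand-alone run: one status per line.
printf '%s\n' "$SAMPLE_KEYS" | while IFS= read -r line; do
    [ -n "$line" ] && printf '%s\t%s\n' "$(key_status "$line")" "$line"
done
```

Run it over each user's `authorized_keys` value before deploying; a non-zero `keys_unusable` count means someone's key will silently stop working once the role applies PubkeyAcceptedKeyTypes.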

Moduli

The diffie-hellman-group-exchange-sha256 entry in ssh_kex_algorithms picks its group from /etc/ssh/moduli, so small groups left in that file weaken the exchange (the fixed-group entries do not use the file). Sizes in that file are one less than the nominal group size (a 2048-bit group is listed as 2047), so 3071 keeps the 3072-bit and larger groups. To configure the minimum modulus for /etc/ssh/moduli:

ssh_modulus_min: 3071
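The following is an added example, not the role's own code: it reproduces the ssh_modulus_min filter with awk so that the effect of the threshold can be checked by hand. A constructed moduli(5) excerpt is embedded (real entries carry a long hexadecimal modulus in the last field) so it runs offline; on a host you would pipe /etc/ssh/moduli through `moduli_filter` into a temporary file and move it into place.

```shell
#!/bin/sh
# Added example, not part of the role: reproduce the ssh_modulus_min filter on
# /etc/ssh/moduli. The 5th field is one less than the nominal group size
# (2047 for a 2048-bit group), so a minimum of 3071 keeps 3072-bit and larger.

# Constructed sample in moduli(5) layout: time type tests tries size generator modulus
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20190101000000 2 6 100 2047 2 FFFFFFFFFFFFFFFFC90FDAA2
20190101000000 2 6 100 3071 2 FFFFFFFFFFFFFFFFC90FDAA2
20190101000000 2 6 100 4095 5 FFFFFFFFFFFFFFFFC90FDAA2
20190101000000 2 6 100 7679 2 FFFFFFFFFFFFFFFFC90FDAA2
'

# Keep comment lines and every entry whose size field is at least MIN; drop
# the rest. Usage: moduli_filter MIN < /etc/ssh/moduli > /etc/ssh/moduli.new
moduli_filter() {
    awk -v min="$1" '/^#/ { print; next } NF >= 7 && $5 + 0 >= min + 0 { print }'
}

# Number of sample entries that survive a given minimum (comments excluded).
moduli_count() {
    printf '%s' "$SAMPLE_MODULI" | moduli_filter "$1" | grep -vc '^#'
}

# Nominal size in bits of the smallest surviving group, or nothing if none remain.
moduli_min_bits() {
    printf '%s' "$SAMPLE_MODULI" | moduli_filter "$1" \
        | awk '!/^#/ { if (m == "" || $5 + 0 < m + 0) m = $5 } END { if (m != "") print m + 1 }'
}

# Stand-alone run: show what the role's default of 3071 leaves behind.
printf '%s' "$SAMPLE_MODULI" | moduli_filter 3071
```

If the filter leaves no entries, sshd falls back to a built-in group for group exchange; check `moduli_min_bits` (or the equivalent on the real file) after filtering rather than assuming the threshold matched something.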

Dependencies

None.

Example Playbook

Add to requirements.yml:

---

- src: idiv-biodiversity.ssh

...

Download:

$ ansible-galaxy install -r requirements.yml

Top-Level Playbook

Write a top-level playbook:

---

- name: head server
  hosts: heads

  roles:
    - role: idiv-biodiversity.ssh
      tags:
        - ssh

...

Role Dependency

Define the role dependency in meta/main.yml:

---

dependencies:

  - role: idiv-biodiversity.ssh
    tags:
      - ssh

...

License

MIT

Author Information

This role was created in 2019 by Christian Krause aka wookietreiber at GitHub, HPC cluster systems administrator at the German Centre for Integrative Biodiversity Research (iDiv).
