Ansible Role sshd

This role deploys /etc/ssh/sshd_config for OpenSSH (the standard SSH server on Linux). It exposes the most commonly tuned options as variables (port, address family, password / GSSAPI / root login, log level, sftp subsystem) plus a sshd__raw escape hatch for Match blocks etc.

Note that the role does not make use of /etc/ssh/sshd_config.d/ since not all options can be overwritten there (e.g. Subsystem 'sftp' already defined); the full sshd_config is templated instead.

Available since LFOps 2.0.0.

Mandatory Requirements

  • Install Python 3, and the python3-policycoreutils module (required for the SELinux Ansible tasks). This can be done using the linuxfabrik.lfops.policycoreutils role.

Tags

sshd

  • Configures sshd.

  • Triggers: sshd: sshd -t; reload sshd.

sshd:state

  • Manages the state of the sshd systemd service.

  • Triggers: none.

Optional Role Variables

sshd__address_family

  • Specifies which address family should be used. Possible options: any, inet (use IPv4 only) or inet6 (use IPv6 only).

  • Type: String.

  • Default: 'any'

sshd__gssapi_authentication

  • Specifies whether user authentication based on GSSAPI is allowed.

  • Type: Bool.

  • Default: true

sshd__log_level

  • Sets the log level.

  • Type: String.

  • Default: 'INFO'

sshd__password_authentication

  • Specifies whether password authentication is allowed.

  • Type: Bool.

  • Default: false

sshd__permit_root_login

  • Specifies whether root can log in using ssh. Possible options: yes, prohibit-password, forced-commands-only, no.

  • Type: String.

  • Default: 'yes'

sshd__port

  • Which port the sshd server should use.

  • Type: Number.

  • Default: 22

sshd__raw

  • Raw (user-defined) SSH-Config. Will be placed at the end of the /etc/ssh/sshd_config file. Useful for Match directives.

  • Type: String.

  • Default: unset

sshd__service_enabled

  • Enables or disables the sshd service, analogous to systemctl enable/disable.

  • Type: Bool.

  • Default: true

sshd__service_state

  • Changes the state of the sshd service, analogous to systemctl start/stop/restart/reload. Possible options: started, stopped, restarted, reloaded.

  • Type: String.

  • Default: 'started'

sshd__sftp_subsystem

  • Which command should be used for the sftp subsystem.

  • Type: String.

  • Default: RHEL: '/usr/libexec/openssh/sftp-server', Debian: '/usr/lib/openssh/sftp-server'

sshd__use_dns

  • Specifies whether sshd should look up the remote hostname, and to check that the resolved host name for the remote IP address maps back to the very same IP address.

  • Type: Bool.

  • Default: false

Example:

# optional
sshd__address_family: 'inet'
sshd__gssapi_authentication: false
sshd__log_level: 'INFO'
sshd__password_authentication: false
sshd__permit_root_login: 'yes'
sshd__port: 22
sshd__raw: |-
  Match Group sftpusers
    ChrootDirectory /data
    DisableForwarding yes
    ForceCommand internal-sftp
sshd__service_enabled: true
sshd__service_state: 'started'
sshd__use_dns: false

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich