Ansible Role sshd
This role ensures that sshd is configured. Do not apply this role if you want to configure Crypto Policies via linuxfabrik.lfops.crypto_policy (using Crypto Policies is recommended).
Runs on
RHEL 7 (and compatible)
RHEL 8 (and compatible)
RHEL 9 (and compatible)
Mandatory Requirements
Install Python 3, and the python3-policycoreutils module (required for the SELinux Ansible tasks). This can be done using the linuxfabrik.lfops.policycoreutils role.
Optional Role Variables
Variable | Description | Default Value |
---|---|---|
sshd__ciphers | Specifies the ciphers allowed. Multiple ciphers must be comma-separated. | |
sshd__kex | Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. | |
sshd__macs | Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. | |
sshd__password_authentication | Specifies whether password authentication is allowed. | |
sshd__permit_root_login | Specifies whether root can log in using ssh. Possible options: | |
sshd__port | Which port the sshd server should use. | |
sshd__service_enabled | Enables or disables the sshd service, analogous to | |
sshd__service_state | Changes the state of the sshd service, analogous to | |
sshd__use_dns | Specifies whether sshd should look up the remote hostname and check that the resolved host name for the remote IP address maps back to the very same IP address. | |
Example:
# optional
sshd__ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
sshd__kex: 'curve25519-sha256@libssh.org'
sshd__macs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
sshd__password_authentication: false
sshd__permit_root_login: 'yes'
sshd__port: 22
sshd__service_enabled: true
sshd__service_state: 'started'
sshd__use_dns: false
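
One way to confirm that a host really runs with the values handed to this role, as an added example that is not part of the role: it parses the effective configuration printed by `sshd -T` and reports every setting that drifted. The mapping from `sshd__*` variables to sshd_config keywords is an assumption, and the sample output is constructed.

```python
# Added example, not part of the role. Assumption: each sshd__* variable sets
# the sshd_config directive listed here (keywords as printed by `sshd -T`).
DIRECTIVES = {  # variable: (sshd -T keyword, is comma-separated list)
    "sshd__ciphers": ("ciphers", True),
    "sshd__kex": ("kexalgorithms", True),
    "sshd__macs": ("macs", True),
    "sshd__password_authentication": ("passwordauthentication", False),
    "sshd__permit_root_login": ("permitrootlogin", False),
    "sshd__port": ("port", False),
    "sshd__use_dns": ("usedns", False),
}

def normalise(value):
    """Render an Ansible value the way sshd -T prints it (booleans as yes/no)."""
    if isinstance(value, bool):
        return "yes" if value else "no"
    return str(value).strip().lower()

def parse_sshd_t(text):
    """Parse `sshd -T` output into {keyword: [values]}; Port may repeat."""
    effective = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            effective.setdefault(key.lower(), []).append(value.strip().lower())
    return effective

def audit(role_vars, sshd_t_output):
    """Return (variable, message) for each setting that drifted from role_vars."""
    effective = parse_sshd_t(sshd_t_output)
    findings = []
    for var, (key, is_list) in DIRECTIVES.items():
        if var not in role_vars:
            continue
        want, got = normalise(role_vars[var]), effective.get(key)
        if got is None:
            findings.append((var, f"{key} missing from sshd -T output"))
        elif is_list:
            # An algorithm offered by the daemon but absent from the allow-list
            extra = [a for a in got[0].split(",") if a not in want.split(",")]
            if extra:
                findings.append((var, f"{key} also offers {','.join(extra)}"))
        elif got != [want]:
            findings.append((var, f"{key} is {','.join(got)}, expected {want}"))
    return findings

# Constructed sample (not real host output): MACs and password auth drifted.
SAMPLE = ("port 22\nusedns no\npermitrootlogin yes\npasswordauthentication yes\n"
          "kexalgorithms curve25519-sha256@libssh.org\n"
          "macs hmac-sha2-512-etm@openssh.com,hmac-sha1\n")
```

On a managed host, pass the text printed by `sshd -T` (run as root) together with the variables applied to that host to `audit()`; an empty list means no drift was found.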