diff --git a/slococo/playground/roles/ssh_config/handlers/main.yml b/slococo/playground/roles/ssh_config/handlers/main.yml
index dc0c18d..73b314f 100644
--- a/slococo/playground/roles/ssh_config/handlers/main.yml
+++ b/slococo/playground/roles/ssh_config/handlers/main.yml
@@ -1,5 +1 @@
----
-- name: Restart SSH Service
- ansible.builtin.service:
- name: sshd
- state: restarted
\ No newline at end of file
+---
\ No newline at end of file
diff --git a/slococo/playground/roles/ssh_config/tasks/main.yml b/slococo/playground/roles/ssh_config/tasks/main.yml
index 32e8280..8e887ec 100644
--- a/slococo/playground/roles/ssh_config/tasks/main.yml
+++ b/slococo/playground/roles/ssh_config/tasks/main.yml
@@ -5,12 +5,19 @@
 regexp: "[^#]{{ item.key }}.*"
 line: "{{ item.key }} {{ item.value }}"
 state: present
+ validate: "sshd -t -f %s"
 loop: "{{ sshd_options | dict2items }}"
 register: sshd_config
 become: true
 
-- name: Ensure SSH daemon configuration is consistent
- ansible.builtin.command: sshd -t -f /etc/ssh/sshd_config
- changed_when: sshd_config.changed
- notify: Restart SSH Service
- become: true
+- name: Restart SSH service
+ ansible.builtin.service:
+ name: sshd
+ state: restarted
+ when: sshd_config.changed
+
+# - name: Ensure SSH daemon configuration is consistent
+# ansible.builtin.command: sshd -t -f /etc/ssh/sshd_config
+# changed_when: sshd_config.changed
+# notify: Restart SSH Service
+# become: true
diff --git a/slococo/playground/roles/ssh_config/tasks/sshd_config b/slococo/playground/roles/ssh_config/tasks/sshd_config
new file mode 100644
index 0000000..e68967d
--- /dev/null
+++ b/slococo/playground/roles/ssh_config/tasks/sshd_config
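Review bot: The new `Restart SSH service` task carries no `become: true`, although the validation task it replaces ran privileged, so unless the play or role sets become globally the sshd restart runs as the connecting user and fails; add `become: true` after `when: sshd_config.changed`. The added `validate: "sshd -t -f %s"` is the right check, but the `regexp: "[^#]{{ item.key }}.*"` on the context line above it still matches the option name wherever any non-`#` character precedes it, including inside comment prose, and never matches an active directive at column 0, which is consistent with the rewritten comment lines and duplicated trailing directives visible in this commit's tasks/sshd_config hunk. Anchoring it as `regexp: '^#?{{ item.key }}\s'` confines the replacement to a real (possibly commented) directive line, which matters because sshd takes the first value it sees for a keyword and a stray duplicate silently wins. The commented-out copy of the old task at the bottom still notifies `Restart SSH Service`, a handler this commit deletes from handlers/main.yml, so it should be removed rather than kept as dead YAML. The lineinfile task that receives `validate:` starts above this hunk.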
@@ -0,0 +1,148 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# This system is following system-wide crypto policy. The changes to
+# crypto properties (Ciphers, MACs, ...) will not have any effect here.
+# They will be overridden by command-line options passed to the server
+# on command line.
+# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).
+
+# Logging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PermitEmptyPasswords no
+PasswordAuthentication no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+PasswordAuthentication yesCACA
+# PAM authentication via ChallengeResponseAuthentication may bypass
+PermitRootLogin no
+# If you just want the PAM account and session checks to run without
+#PasswordAuthentication yes
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
+# as it is more configurable and versatile than the built-in version.
+PrintMotd no
+
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+PasswordAuthentication noCACA
+PermitEmptyPasswords noCACA
+PermitRootLogin noCACA
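Review bot: The trailing `PasswordAuthentication noCACA`, `PermitEmptyPasswords noCACA` and `PermitRootLogin noCACA` lines, and the `PasswordAuthentication yesCACA` line inside the PAM comment block, are not valid yes/no arguments, so `sshd -t` rejects this file as committed and it cannot be the output the role's new validate step accepted. Even with those lines fixed, `PermitRootLogin yes` in the Authentication section precedes the `PermitRootLogin no` written into the PAM comment block, and sshd keeps the first value it reads for a keyword, so root login remains enabled and the later `no` has no effect. A non-YAML file under roles/ssh_config/tasks/ is not read by the role, and the rewritten comment lines suggest this is a target host's live sshd_config captured mid-edit and committed by accident rather than an intended artifact. If a reference or template copy is wanted it belongs in files/ or templates/, with the invalid and duplicate directives removed and each option stated exactly once.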