{"id":15569243,"url":"https://github.com/elnappo/ansible-role-secure-openssh-server","last_synced_at":"2025-10-07T20:08:28.161Z","repository":{"id":25624814,"uuid":"29060068","full_name":"elnappo/ansible-role-secure-openssh-server","owner":"elnappo","description":"Set up a secure config for OpenSSH Server  \u003e= 6.5","archived":false,"fork":false,"pushed_at":"2019-12-10T13:56:02.000Z","size":25,"stargazers_count":5,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-09-12T12:01:04.922Z","etag":null,"topics":["ansible","ansible-role","openssh-server"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/elnappo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-01-10T14:47:26.000Z","updated_at":"2025-05-13T10:41:10.000Z","dependencies_parsed_at":"2022-08-23T09:31:18.868Z","dependency_job_id":null,"html_url":"https://github.com/elnappo/ansible-role-secure-openssh-server","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/elnappo/ansible-role-secure-openssh-server","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elnappo%2Fansible-role-secure-openssh-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elnappo%2Fansible-role-secure-openssh-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elnappo%2Fansible-role-secure-openssh-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elnappo%2Fansible-role-secure-openssh-server/ma
nifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/elnappo","download_url":"https://codeload.github.com/elnappo/ansible-role-secure-openssh-server/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elnappo%2Fansible-role-secure-openssh-server/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278838434,"owners_count":26054720,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","openssh-server"],"created_at":"2024-10-02T17:23:39.908Z","updated_at":"2025-10-07T20:08:28.145Z","avatar_url":"https://github.com/elnappo.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ansible-role-secure-openssh-server\n[![Build Status](https://travis-ci.org/elnappo/ansible-role-secure-openssh-server.svg?branch=master)](https://travis-ci.org/elnappo/ansible-role-secure-openssh-server) [![Ansible Galaxy](https://img.shields.io/badge/galaxy-elnappo.secure--openssh--server-blue.svg?style=flat)](https://galaxy.ansible.com/elnappo/secure-openssh-server/)\n\nSet up a secure config for OpenSSH Server \u003e= 6.5. 
This playbook extends your sshd config file instead of replacing it.\n\n* Disable SSH version 1\n* Disable RSAAuthentication (only available in version 1)\n* Don't allow empty passwords\n* Allow root login only without password\n* Use StrictModes\n* Allow only KexAlgorithms, Ciphers and MACs which were recommended by [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)\n* Removes DSA and ECDSA host keys by default. Change `ssh_remove_deprecated_server_keys` if this is not what you want\n* Regenerates RSA host key if shorter than 4096 bits (default)\n* Disable password login by default, which also sets `MaxAuthTries 1` and `LoginGraceTime 30`\n\n#### Recommended `~/.ssh/config`, `/etc/ssh/ssh_config`\n```\nHost *\n    HashKnownHosts yes\n    PasswordAuthentication no\n    PubkeyAuthentication yes\n    ChallengeResponseAuthentication no\n    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256\n    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com\n```\n\nAlias for legacy connections: `alias ssh_ignore=\"ssh -F /dev/null\"`\n\n## Inspired by\n* [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)\n* [Mozilla Wiki - Security/Guidelines/OpenSSH](https://wiki.mozilla.org/Security/Guidelines/OpenSSH)\n* [BetterCrypto](https://github.com/BetterCrypto/Applied-Crypto-Hardening)\n* [Manpage 
sshd_config](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5)\n\n## Requirements\n* Ubuntu or Debian\n* OpenSSH Server \u003e= 6.5 (which is in Ubuntu \u003e= 14.04 and Debian \u003e= 8)\n\n## Role Variables\n* `ssh_sshd_config_dir: /etc/ssh/`\n* `ssh_sshd_config_path: \"{{ ssh_sshd_config_dir }}sshd_config\"`\n* `ssh_permit_root_login: \"without-password\"` quotes are mandatory!\n* `ssh_disable_password_login: true`\n* `ssh_remove_deprecated_server_keys: true` disables DSA, ECDSA and regenerates RSA key if \u003c`ssh_host_rsa_key_length`\n* `ssh_host_rsa_key_length: 4096`\n* `ssh_setup_ufw: true`\n* `ssh_port: 22`\n\n## Dependencies\nNone.\n\n## Example Playbook\n\n```yaml\n- hosts: server\n  remote_user: root\n  vars:\n    - ssh_remove_deprecated_server_keys: false\n    - ssh_port: 1813\n  roles:\n    - { role: elnappo.secure_openssh_server }\n```\n\n## License\nMIT\n\n## Author Information\nelnappo \u003celnappo@nerdpol.io\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felnappo%2Fansible-role-secure-openssh-server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Felnappo%2Fansible-role-secure-openssh-server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felnappo%2Fansible-role-secure-openssh-server/lists"}