# ansible-role-ssh [![Build Status](https://travis-ci.org/jam82/ansible-role-ssh.svg?branch=master)](https://travis-ci.org/jam82/ansible-role-ssh)

Ansible role for setting up OpenSSH.

Repository: https://github.com/jomrr/ansible-role-openssh (previously published as jam82/ansible-role-ssh and jomrr/ansible-role-ssh), MIT license.

- **ansible-role-ssh**
  - [Supported Platforms](#supported-platforms)
  - [Requirements](#requirements)
  - [Defaults and Variables](#defaults-and-variables)
    - [defaults/main/main.yml](#defaultsmainmainyml)
    - [defaults/main/ssh.yml](#defaultsmainsshyml)
    - [defaults/main/sshd.yml](#defaultsmainsshdyml)
    - [defaults/main/sshd_authentication.yml](#defaultsmainsshdauthenticationyml)
    - [defaults/main/sshd_directives.yml](#defaultsmainsshddirectivesyml)
    - [defaults/main/sshd_gssapi.yml](#defaultsmainsshdgssapiyml)
    - [defaults/main/sshd_kerberos.yml](#defaultsmainsshdkerberosyml)
  - [Dependencies](#dependencies)
  - [Scenarios and example playbooks](#scenarios-and-example-playbooks)
    - [Running on localhost](#running-on-localhost)
    - [Public Key Authentication only for remote host](#public-key-authentication-only-for-remote-host)
  - [License and Author](#license-and-author)
  - [References](#references)

## Supported Platforms

- Amazon Linux 2
- Archlinux
- Centos 7, 8
- Debian 9, 10
- Raspbian 9, 10
- OpenSuse Leap 15
- OpenSuse Tumbleweed
- Oracle Linux 7, 8
- Ubuntu 16.04, 18.04, 20.04

## Requirements

Ansible 2.7 or higher is required for the split `defaults/main/*.yml` files to work.

OpenSSH 6.3 or above is required, because the role uses `ssh -Q` to detect which algorithms the installed OpenSSH build supports.

## Defaults and Variables

The default values for all variables are stored in the following files:

- defaults/main/main.yml
- defaults/main/ssh.yml
- defaults/main/sshd.yml
- defaults/main/sshd_authentication.yml
- defaults/main/sshd_directives.yml
- defaults/main/sshd_gssapi.yml
- defaults/main/sshd_hostbased.yml
- defaults/main/sshd_kerberos.yml

### defaults/main/main.yml

The file main.yml contains variables with default values that affect both the ssh client and sshd (the server).

| variable | default value | description |
| -------- | ------------- | ----------- |
| ssh_enabled | false | determine whether the role is enabled (true) or not (false) |

The set of allowed algorithms is stored in the dict `ssh_algorithms`. It is intersected with the algorithms reported by `ssh -Q`, so only algorithms that are both on this list and supported by the installed OpenSSH build end up in the generated configuration. The list order is the preference order:

```yaml
ssh_algorithms:
  ciphers:
    - chacha20-poly1305@openssh.com
    - aes256-gcm@openssh.com
    - aes128-gcm@openssh.com
    - aes256-ctr
    - aes192-ctr
    - aes128-ctr
  kexs:
    - sntrup4591761x25519-sha512@tinyssh.org
    - curve25519-sha256@libssh.org
    - curve25519-sha256
    - diffie-hellman-group18-sha512
    - diffie-hellman-group16-sha512
    - diffie-hellman-group14-sha256
    - diffie-hellman-group-exchange-sha256
  hostkeys:
    - ssh-ed25519-cert-v01@openssh.com
    - rsa-sha2-512-cert-v01@openssh.com
    - rsa-sha2-256-cert-v01@openssh.com
    - ssh-ed25519
    - rsa-sha2-512
    - rsa-sha2-256
  macs:
    - hmac-sha2-512-etm@openssh.com
    - hmac-sha2-256-etm@openssh.com
    - umac-128-etm@openssh.com
    - hmac-sha2-512
    - hmac-sha2-256
```

### defaults/main/ssh.yml

This file holds the default settings for /etc/ssh/ssh_config (the client).

| variable | default value | description |
| -------- | ------------- | ----------- |
| ssh_enabled | True | enable configuration of /etc/ssh/ssh_config |
| ssh_deploy_key | '~/.ssh/id_ed25519.pub' | local public key that is added to the remote user's authorized_keys file so you do not lock yourself out: the role's default server configuration allows pubkey authentication only. |
| ssh_conf_backup | 'no' | create a backup when replacing /etc/ssh/ssh_config |
| ssh_host_config | {} | host specific configuration, see the example after the table. |
| ssh_port | '22' | default port ssh tries to connect to |
| ssh_address_family | 'inet' | address family type |
| ssh_challenge_response_authentication | 'yes' | enable challenge-response (keyboard-interactive) authentication |
| ssh_enable_ssh_keysign | 'no' | enable ssh-keysign; must be enabled on a client that is to use hostbased authentication |
| ssh_gssapi_authentication | 'no' | enable GSSAPI authentication |
| ssh_hostbased_authentication | 'no' | enable hostbased authentication |
| ssh_identity_files | [ '~/.ssh/identity', '~/.ssh/id_rsa', '~/.ssh/id_ed25519' ] | list of paths where ssh looks for identity files |
| ssh_password_authentication | 'yes' | enable password authentication |
| ssh_pubkey_authentication | 'yes' | enable public key authentication |
| ssh_rekey_limit_data | '512M' | rekey limit (data): renegotiate session keys after 512M of transferred data |
| ssh_rekey_limit_time | '1800' | rekey limit (time): renegotiate session keys after 1800 seconds |
| ssh_strict_host_key_checking | 'ask' | StrictHostKeyChecking setting for known_hosts handling |
| ssh_test_create_key | False | leave at False; this is used for testing only. When True, an ssh key is generated for the remote user root and added to its authorized_keys file. The pytest module `test_sshd.py` uses this to perform a login with `ssh -q localhost exit` and check that pubkey authentication works. |

```yaml
ssh_host_config:
  testhost.example.com:
    X11Forwarding: 'yes'
    GSSAPIAuthentication: 'yes'
```

### defaults/main/sshd.yml

This file holds the general default settings for /etc/ssh/sshd_config (the server).

| variable | default value | description |
| -------- | ------------- | ----------- |
| sshd_enabled | true | enable configuration of /etc/ssh/sshd_config |
| sshd_moduli_file | '/etc/ssh/moduli' | location of the DH moduli file |
| sshd_moduli_minimum | 3072 | minimum size (bits) of DH groups kept in the moduli file |
| sshd_host_key_regenerate | false | regenerate the ssh host keys; clients that already know the old key will get a host key mismatch |
| sshd_rsa_keylength | 4096 | length (bits) of RSA host keys created by the role |
| sshd_port | 22 | sshd listen port |
| sshd_address_family | 'inet' | sshd address family |
| sshd_listen_addr_v4 | [ "{{ ansible_default_ipv4.address \| default(ansible_all_ipv4_addresses[0]) }}" ] | IPv4 interface addresses sshd binds to |
| sshd_listen_addr_v6 | [] | IPv6 interface addresses sshd binds to |

... and many more tbd.

### defaults/main/sshd_authentication.yml

| variable | default value | description |
| -------- | ------------- | ----------- |
| sshd_login_grace_time | '60' | LoginGraceTime: seconds the server waits for a successful login before disconnecting |
| sshd_permit_root_login | 'no' | PermitRootLogin |
| sshd_max_auth_tries | 3 | MaxAuthTries: maximum authentication attempts per connection |
| sshd_max_sessions | 3 | MaxSessions: maximum open sessions per network connection |
| sshd_pubkey_auth | 'yes' | PubkeyAuthentication |
| sshd_authorized_keys_file | '%h/.ssh/authorized_keys' | AuthorizedKeysFile (%h is the user's home directory) |
| sshd_password_auth | 'no' | PasswordAuthentication |
| sshd_challenge_auth | 'no' | ChallengeResponseAuthentication |
| sshd_use_pam | 'yes' | UsePAM. With password and challenge-response authentication disabled, this runs the PAM account and session checks without PAM authentication. |
| sshd_use_dns | 'yes' | UseDNS: look up the remote host name and check that the resolved host name or the remote IP address maps back to the very same IP address. |

### defaults/main/sshd_directives.yml

| variable | default value | description |
| -------- | ------------- | ----------- |
| sshd_deny_users | [] | Deny ssh login for listed users. |
| sshd_allow_users | [] | Allow ssh login for listed users only. |
| sshd_deny_groups | [] | Deny ssh login for listed groups. |
| sshd_allow_groups | [] | Allow ssh login for listed groups only. |
| sshd_per_group_settings | {} | Group specific settings defined via `Match Group` directive. |
| sshd_per_user_settings | {} | User specific settings defined via `Match User` directive. |

### defaults/main/sshd_gssapi.yml

| variable | default value | description |
| -------- | ------------- | ----------- |

### defaults/main/sshd_kerberos.yml

| variable | default value | description |
| -------- | ------------- | ----------- |

## Dependencies

None.

## Scenarios and example playbooks

By default this role configures pubkey authentication only, using reasonably secure settings. If you find a flaw, please feel free to comment.

### Running on localhost

### Public Key Authentication only for remote host

This one is the easiest. Generate a local ssh key with

```shell
ssh-keygen -t ed25519
```

if you do not have one.

Then you can use a playbook like this to deploy:

```yaml
---
# play: test-site
# file: site.yml

- hosts: all
  roles:
    - role: ansible-role-ssh
```

If you already have an existing rsa key, change the following variable:

```yaml
ssh_deploy_key: '~/.ssh/id_rsa.pub'
```

You can do this in your inventory (host or group variable) or just from the command line:

```shell
ansible-playbook site.yml --extra-vars '{"ssh_deploy_key": "~/.ssh/id_rsa.pub"}'
```

## License and Author

- Author:: Jonas Mauer (<jam@kabelmail.net>)
- Copyright:: 2019, Jonas Mauer

Licensed under the MIT License;
see the LICENSE file in the repository.

## References

- [FreeBSD Manual Pages - sshd_config(5)](https://www.freebsd.org/cgi/man.cgi?sshd_config)
- [Uni Konstanz - Strong authentication methods (German)](https://www.kim.uni-konstanz.de/e-mail-und-internet/it-sicherheit-und-privatsphaere/sicherer-server-it-dienst/linux-fernadministration-mit-pam-und-ssh/starke-authentifizierungsmethoden/)
- [Securing SSH - Stephan Klein (German)](https://klein-gedruckt.de/2015/04/ssh-absichern/)
- [OpenSSH Tip: Check Syntax Errors before Restarting SSHD Server](https://www.cyberciti.biz/tips/checking-openssh-sshd-configuration-syntax-errors.html)
- [BetterCrypto.org: OpenSSH](https://bettercrypto.org/#_openssh)
- [Abe Singer - Hostbased SSH](https://www.usenix.org/system/files/login/articles/09_singer.pdf)
- [DNS-based SSH host key verification](https://ayesh.me/sshfp-verification)
- [Hardening SSH](https://medium.com/@jasonrigden/hardening-ssh-1bcb99cd4cef)
- [How to create an SSH certificate authority](https://jameshfisher.com/2018/03/16/how-to-create-an-ssh-certificate-authority/)
- [SSH Host Key Signing - an underrated feature (German)](https://www.sipgate.de/blog/ssh-host-key-signing-ein-unterschaetztes-feature)
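## Worked examples

The following examples illustrate how the mechanisms described above work. They are added here for illustration and are not the role's own Jinja templates or tasks.

The first example shows the `ssh_algorithms` intersection from the defaults/main/main.yml section: the allow-list (copied from the README defaults, in preference order) is intersected with what `ssh -Q cipher`, `ssh -Q kex`, `ssh -Q key` and `ssh -Q mac` report, and the four sshd_config directives are rendered from the result. `SAMPLE_QUERY` is a constructed stand-in for `ssh -Q` output, modelled on a modern OpenSSH build that still lists legacy algorithms and does not know the tinyssh sntrup KEX; when run as a script it queries the real `ssh` binary if one is on PATH.

```python
"""Intersect the role's ssh_algorithms allow-list with what the installed
OpenSSH build reports via `ssh -Q`, and render the sshd_config directives.

Added example, not the role's own template.  SSH_ALGORITHMS copies the README
defaults; SAMPLE_QUERY is constructed `ssh -Q` output.
"""
import shutil
import subprocess

# Allow-list in preference order, as in the role's ssh_algorithms dict.
SSH_ALGORITHMS = {
    "ciphers": [
        "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
        "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr",
    ],
    "kexs": [
        "sntrup4591761x25519-sha512@tinyssh.org", "curve25519-sha256@libssh.org",
        "curve25519-sha256", "diffie-hellman-group18-sha512",
        "diffie-hellman-group16-sha512", "diffie-hellman-group14-sha256",
        "diffie-hellman-group-exchange-sha256",
    ],
    "hostkeys": [
        "ssh-ed25519-cert-v01@openssh.com", "rsa-sha2-512-cert-v01@openssh.com",
        "rsa-sha2-256-cert-v01@openssh.com", "ssh-ed25519", "rsa-sha2-512",
        "rsa-sha2-256",
    ],
    "macs": [
        "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
        "umac-128-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256",
    ],
}

# dict key -> (`ssh -Q` query name, sshd_config directive it feeds)
QUERIES = {
    "ciphers": ("cipher", "Ciphers"),
    "kexs": ("kex", "KexAlgorithms"),
    "hostkeys": ("key", "HostKeyAlgorithms"),
    "macs": ("mac", "MACs"),
}

# Constructed stand-in for `ssh -Q <kind>` output.  It lists legacy algorithms
# (3des-cbc, hmac-sha1, group1-sha1) that must be filtered out, and lacks the
# tinyssh sntrup KEX, so both directions of the intersection are exercised.
SAMPLE_QUERY = {
    "cipher": ["3des-cbc", "aes128-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr",
               "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
               "chacha20-poly1305@openssh.com"],
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256",
            "ecdh-sha2-nistp256", "curve25519-sha256", "curve25519-sha256@libssh.org",
            "sntrup761x25519-sha512@openssh.com"],
    "key": ["ssh-ed25519", "ssh-ed25519-cert-v01@openssh.com", "ssh-rsa",
            "rsa-sha2-256", "rsa-sha2-512", "rsa-sha2-256-cert-v01@openssh.com",
            "rsa-sha2-512-cert-v01@openssh.com", "ssh-rsa-cert-v01@openssh.com"],
    "mac": ["hmac-sha1", "hmac-sha2-256", "hmac-sha2-512", "umac-64@openssh.com",
            "umac-128@openssh.com", "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com", "umac-128-etm@openssh.com"],
}


def intersect(allowed, supported):
    """Keep the allowed algorithms the build supports, in allow-list order.
    Preference order comes from the allow-list, never from `ssh -Q`."""
    have = set(supported)
    return [alg for alg in allowed if alg in have]


def query_ssh(kind):
    """Run `ssh -Q <kind>`; returns None if no ssh binary is on PATH."""
    if shutil.which("ssh") is None:
        return None
    out = subprocess.run(["ssh", "-Q", kind], capture_output=True, text=True, check=True)
    return out.stdout.split()


def render_directives(allowed=SSH_ALGORITHMS, supported=SAMPLE_QUERY):
    """Build the four directives.  An empty intersection is an error: sshd
    treats a Ciphers/KexAlgorithms/MACs line without an argument as fatal."""
    lines = []
    for key, (kind, directive) in QUERIES.items():
        chosen = intersect(allowed[key], supported[kind])
        if not chosen:
            raise ValueError(f"no allowed algorithm for {directive} is supported by this build")
        lines.append(f"{directive} {','.join(chosen)}")
    return lines


if __name__ == "__main__":
    live = {kind: query_ssh(kind) for kind, _ in QUERIES.values()}
    supported = live if all(live.values()) else SAMPLE_QUERY
    print("\n".join(render_directives(SSH_ALGORITHMS, supported)))
```

Run without arguments it prints the directives for the local build (or for the constructed sample if `ssh` is absent). The point of raising on an empty intersection is that a too-strict allow-list on an old build must fail the play, not ship an sshd_config that sshd refuses to start with.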
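The second example belongs to `sshd_moduli_file` / `sshd_moduli_minimum` in the defaults/main/sshd.yml section: it drops every Diffie-Hellman group smaller than the minimum from the moduli file that `diffie-hellman-group-exchange-*` draws on. This is an added example, not the role's task. `SAMPLE_MODULI` is constructed and its modulus column is a placeholder, not a real prime; the file format itself (moduli(5): time, type, tests, trials, size, generator, modulus, with size holding the bit length minus one) is the real one.

```python
"""Filter an OpenSSH moduli file so that only DH groups of at least
sshd_moduli_minimum bits remain.

Added example, not the role's own task.  SAMPLE_MODULI is constructed; the
modulus column is a placeholder.
"""
import os
import shutil
import sys
import tempfile

MIN_BITS = 3072  # the role's sshd_moduli_minimum default

# moduli(5) columns: time type tests trials size generator modulus.
# "size" is the prime length in bits minus one: a 4096-bit group shows 4095,
# which is why the classic one-liner is `awk '$5 >= 3071' /etc/ssh/moduli`.
SAMPLE_MODULI = """\
# constructed sample: 1024, 2048, 3072, 4096 and 7680-bit groups
20190622000000 2 6 100 1023 2 DEADBEEF
20190622000001 2 6 100 2047 2 DEADBEEF
20190622000002 2 6 100 3071 2 DEADBEEF
20190622000003 2 6 100 4095 5 DEADBEEF
20190622000004 2 6 100 7679 2 DEADBEEF
"""


def group_bits(line):
    """Prime size in bits for one moduli line."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"malformed moduli line: {line!r}")
    return int(fields[4]) + 1


def filter_moduli(text, min_bits=MIN_BITS):
    """Return (filtered_text, dropped_count).  Comments and blank lines are kept.
    Refuses to produce a file with no groups left: sshd would then log a warning
    and fall back to a built-in group instead of using the administrator's set."""
    kept, dropped, groups = [], 0, 0
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            kept.append(line)
            continue
        if group_bits(line) >= min_bits:
            kept.append(line)
            groups += 1
        else:
            dropped += 1
    if groups == 0:
        raise ValueError(f"no DH group of >= {min_bits} bits left; refusing to write an empty moduli file")
    return "\n".join(kept) + "\n", dropped


def harden_moduli_file(path="/etc/ssh/moduli", min_bits=MIN_BITS):
    """Rewrite the moduli file atomically (temp file + rename in the same
    directory), keeping a .bak copy of the original.  Returns the drop count."""
    with open(path) as fh:
        filtered, dropped = filter_moduli(fh.read(), min_bits)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(filtered)
    os.chmod(tmp, 0o644)
    shutil.copy2(path, path + ".bak")
    os.replace(tmp, path)
    return dropped


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/moduli"
    print(f"dropped {harden_moduli_file(target)} groups below {MIN_BITS} bits from {target}")
```

Note the off-by-one: the comparison is on `size + 1`, so a minimum of 3072 keeps the line whose fifth field reads 3071. Comparing the raw field against 3072 would silently discard the 3072-bit groups as well.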
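The third example belongs to `sshd_per_group_settings` and `sshd_per_user_settings` in the defaults/main/sshd_directives.yml section: it renders the `Match Group` / `Match User` blocks from dicts of the same shape and enforces two sshd_config(5) rules that are easy to get wrong in a template. Every line after a `Match` line belongs to that block until the next `Match`, so the blocks must come last; and only a subset of keywords is permitted inside a block. This is an added example, not the role's template. The sample dicts are constructed, `MATCH_ALLOWED` is a subset of the keywords sshd_config(5) lists for Match, and the `sshd -t -f` / `sshd -T -C user=...` calls are real sshd flags that need readable host keys (normally root) to run.

```python
"""Render sshd_config Match blocks from per-group / per-user dicts and check
the result with sshd itself when it is available.

Added example, not the role's own template.  PER_GROUP, PER_USER and GLOBAL
are constructed sample input.
"""
import os
import shutil
import subprocess
import tempfile

# Subset of the keywords sshd_config(5) permits inside a Match block.  Anything
# else (Port, ListenAddress, Ciphers, UsePAM, ...) is rejected by `sshd -t`, so
# reject it here before the file reaches a host.
MATCH_ALLOWED = {
    "AllowAgentForwarding", "AllowTcpForwarding", "AuthenticationMethods",
    "AuthorizedKeysFile", "Banner", "ChrootDirectory", "ForceCommand",
    "GatewayPorts", "MaxAuthTries", "MaxSessions", "PasswordAuthentication",
    "PermitRootLogin", "PermitTTY", "PermitTunnel", "PubkeyAuthentication",
    "X11Forwarding",
}

# Constructed sample: an sftp-only group and a deployment account.
PER_GROUP = {"sftponly": {"ChrootDirectory": "/srv/sftp/%u", "ForceCommand": "internal-sftp",
                          "AllowTcpForwarding": "no", "X11Forwarding": "no"}}
PER_USER = {"deploy": {"PasswordAuthentication": "no", "MaxSessions": "1"}}
GLOBAL = {"Port": "22", "PermitRootLogin": "no", "PasswordAuthentication": "no",
          "PubkeyAuthentication": "yes"}


def render_match_blocks(per_group, per_user):
    """Match Group blocks first, then Match User.  sshd applies the first value
    it sees for a keyword across all matching blocks, so on overlap the group
    block wins; swap the order if user settings should take precedence."""
    lines = []
    for criterion, table in (("Group", per_group), ("User", per_user)):
        for name, options in table.items():
            bad = sorted(set(options) - MATCH_ALLOWED)
            if bad:
                raise ValueError(f"{bad} not permitted inside 'Match {criterion} {name}'")
            lines.append(f"Match {criterion} {name}")
            lines.extend(f"    {key} {value}" for key, value in options.items())
    return lines


def render_sshd_config(global_options, per_group, per_user):
    """Global directives first, Match blocks last.  A global directive placed
    after the blocks would silently become part of the last Match block."""
    lines = [f"{key} {value}" for key, value in global_options.items()]
    lines.extend(render_match_blocks(per_group, per_user))
    return "\n".join(lines) + "\n"


def check_with_sshd(config_text, user, host="client.example.com", addr="192.0.2.10"):
    """Syntax-check with `sshd -t -f FILE`, then dump the effective config for one
    connection with `sshd -T -f FILE -C user=...,host=...,addr=...` so the Match
    result can be inspected.  Returns None when no sshd binary is available."""
    sshd = shutil.which("sshd") or shutil.which("sshd", path="/usr/sbin:/usr/local/sbin")
    if sshd is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(config_text)
        path = fh.name
    try:
        subprocess.run([sshd, "-t", "-f", path], check=True)
        spec = f"user={user},host={host},addr={addr}"
        return subprocess.run([sshd, "-T", "-f", path, "-C", spec],
                              capture_output=True, text=True, check=True).stdout
    finally:
        os.unlink(path)


if __name__ == "__main__":
    cfg = render_sshd_config(GLOBAL, PER_GROUP, PER_USER)
    print(cfg)
    effective = check_with_sshd(cfg, user="deploy")
    print(effective if effective is not None else "sshd not found; skipped sshd -t / -T check")
```

`sshd -T -C user=deploy,...` is the check worth wiring into a handler before `systemctl restart sshd`: it prints what sshd would actually apply to that user, which is the only reliable way to confirm that a `Match` block is both syntactically valid and matched the way the dict intended.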