Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/davidalger/ansible-role-sshd-lockdown
Ansible Role - Installs secured sshd config on CentOS/RHEL
Last synced: 12 days ago
- Host: GitHub
- URL: https://github.com/davidalger/ansible-role-sshd-lockdown
- Owner: davidalger
- License: mit
- Created: 2019-04-01T00:52:55.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2020-07-15T18:03:44.000Z (over 4 years ago)
- Last Synced: 2024-04-12T04:12:02.503Z (10 months ago)
- Topics: ansible, role, sshd, system
- Homepage: https://galaxy.ansible.com/davidalger/sshd_lockdown
- Size: 29.3 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Ansible Role: sshd-lockdown
[![Build Status](https://travis-ci.com/davidalger/ansible-role-sshd-lockdown.svg?branch=master)](https://travis-ci.com/davidalger/ansible-role-sshd-lockdown)
Replaces the sshd config on EL 7 with a hardened `sshd_config` template that adheres to the following practices:
* `PermitRootLogin` is disabled.
* `PasswordAuthentication` is disabled.
* `GSSAPIAuthentication` is disabled.
* `sshusers` group is added and `sshd` configured such that only members of this group will be authorized.

## Requirements
None.
## Role Variables
```yaml
sshd_lockdown_config_template: sshd_config
```

Change this to specify an alternate template to use for the `sshd_config` file deployed to the server.

```yaml
sshd_additional_config_lines: []
```

Additional lines of custom configuration added to the deployed `sshd` config.

```yaml
sshd_sftp_subsystem: /usr/libexec/openssh/sftp-server
```

Specifies an alternate subsystem binary for use with SFTP.

```yaml
sshd_access_users:
  - someotheruser
  - another_user
  - unprivileged_ssh_suer
```

List of users added to the `sshusers` group for access to the system.
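Because the role's variables (and the legacy-admin password-authentication exception shown further down) decide what ends up in `sshd_config`, a post-deployment audit is worth having. The following is an added example, not code from the role: it parses an `sshd_config` the way sshd reads it (first value of a keyword wins, directives after a `Match` line apply only to that block) and checks the four practices listed above. `SAMPLE_CONFIG`, `GLOBAL_POLICY`, `parse_sshd_config` and `audit` are my names, and the assumption that the exception is expressed as a `Match User` block is mine.

```python
import re

# Constructed sample of what the role's hardened sshd_config might look like
# with the legacy-admin exception applied (assumption, not the role's template).
SAMPLE_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
GSSAPIAuthentication no
AllowGroups sshusers
Match User rack
    PasswordAuthentication yes
"""
# Global directives the role's practices require (keywords are case-insensitive).
GLOBAL_POLICY = {"permitrootlogin": "no", "passwordauthentication": "no",
                 "gssapiauthentication": "no"}

def parse_sshd_config(text):
    """Return (global_settings, match_blocks); sshd keeps a keyword's first value."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            current = {}                     # directives below apply to this block only
            match_blocks.append((value, current))
        else:
            current.setdefault(key, value)   # first occurrence wins, as in sshd
    return global_settings, match_blocks

def audit(text, allowed_pass_auth_users=()):
    """Return findings; an empty list means the file follows the role's practices."""
    settings, blocks = parse_sshd_config(text)
    findings = []
    for key, want in GLOBAL_POLICY.items():
        got = settings.get(key)
        if got is None or got.lower() != want:
            findings.append(f"{key} should be '{want}' globally, found {got!r}")
    if "sshusers" not in settings.get("allowgroups", "").split():
        findings.append("AllowGroups must limit logins to the sshusers group")
    for criteria, block in blocks:   # a Match block can silently undo the global 'no'
        if block.get("passwordauthentication", "").lower() == "yes":
            m = re.match(r"user\s+(\S+)", criteria, re.I)
            if not m or m.group(1) not in allowed_pass_auth_users:
                findings.append(f"password authentication re-enabled in 'Match {criteria}'")
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read(), ("rack",))` on a host after the role has been applied; any Match block that re-enables password authentication for a user other than the declared exception is reported.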
## Dependencies
None.
## Example Playbook
```yaml
- hosts: all
  roles:
    - { role: davidalger.sshd_lockdown }
```

## Example Playbook with Legacy Admin
For use on servers managed by Rackspace, the legacy `rack` user must be detected and added to the `sshusers` group, and granted an exception that lets it use password authentication.
```yaml
- hosts: all
  vars:
    sshd_pass_auth_exception: true
    sshd_pass_auth_exception_user: rack
  roles:
    - { role: davidalger.sshd_lockdown }
```

## License
This work is licensed under the MIT license. See LICENSE file for details.
## Author Information
This role was created in 2016 by [David Alger](http://davidalger.com/) with contributions from [Matt Johnson](https://github.com/mttjohnson/).