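--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,90 +1,6 @@
 ---
-openssh_client_settings:
-Host: "*"
-Port: "22"
-Protocol: "2,1"
-AddressFamily: "any"
-ForwardAgent: "no"
-ForwardX11: "no"
-ForwardX11Timeout: "300"
-ForwardX11Trusted: "no"
-RhostsRSAAuthentication: "no"
-RSAAuthentication: "no"
-PasswordAuthentication: "yes"
-HostbasedAuthentication: "no"
-GSSAPIAuthentication: "no"
-GSSAPIDelegateCredentials: "no"
-GSSAPIKeyExchange: "no"
-GSSAPITrustDNS: "no"
-BatchMode: "no"
-CheckHostIP: "yes"
-ConnectTimeout: "30"
-StrictHostKeyChecking: "ask"
-Cipher: "aes256-cbc"
-MACs: "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160"
-EscapeChar: "~"
-Tunnel: "no"
-TunnelDevice: "any:any"
-PermitLocalCommand: "no"
-VisualHostKey: "no"
-ChallengeResponseAuthentication: "yes"
-Compression: "no"
-CompressionLevel: "4"
-ConnectionAttempts: "1"
-ExitOnForwardFailure: "no"
-GatewayPorts: "no"
-UsePrivilegedPort: "no"
-TCPKeepAlive: "no"
-
-openssh_server_settings:
-Port: "22"
-AddressFamily: "any"
-Protocol: "2"
-UsePrivilegeSeparation: "yes"
-KeyRegenerationInterval: "3600"
-ServerKeyBits: "1024"
-SyslogFacility: "AUTH"
-LogLevel: "INFO"
-LoginGraceTime: "120"
-PermitRootLogin: "no"
-StrictModes: "yes"
-MaxAuthTries: "6"
-MaxSessions: "10"
-RSAAuthentication: "yes"
-PubkeyAuthentication: "yes"
-AuthorizedKeysFile: "%h/.ssh/authorized_keys"
-IgnoreRhosts: "yes"
-RhostsRSAAuthentication: "no"
-HostbasedAuthentication: "no"
-IgnoreUserKnownHosts: "no"
-PermitEmptyPasswords: "no"
-ChallengeResponseAuthentication: "no"
-PasswordAuthentication: "no"
-KerberosAuthentication: "no"
-KerberosOrLocalPasswd: "yes"
-KerberosTicketCleanup: "yes"
-GSSAPIAuthentication: "no"
-GSSAPICleanupCredentials: "yes"
-X11Forwarding: "yes"
-X11DisplayOffset: "10"
-X11UseLocalhost: "yes"
-PrintMotd: "no"
-PrintLastLog: "yes"
-TCPKeepAlive: "yes"
-UseLogin: "no"
-MaxStartups: "10:30:100"
-Banner: "none"
-AcceptEnv: "LANG LC_*"
-Subsystem: "sftp /usr/lib/openssh/sftp-server"
-UsePAM: "yes"
-UseDNS: "no"
-AllowAgentForwarding: "yes"
-AllowTcpForwarding: "yes"
-GatewayPorts: "no"
-ClientAliveInterval: "1750"
-ClientAliveCountMax: "0"
-PermitUserEnvironment: "no"
-Compression: "delayed"
-PidFile: "/var/run/sshd.pid"
-PermitTunnel: "no"
-ChrootDirectory: "none"
+openssh_client_settings: {}
+openssh_server_settings: {}
+openssh_hostkey_types:
+- "ecdsa"
+- "ed25519"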
22 changes: 13 additions & 9 deletions meta/main.yml
@@ -1,17 +1,21 @@
# file: xxx/meta/main.yml

---
galaxy_info:
author: pjan vandaele
company: ANXS
author: "ANXS Crew"
company: "ANXS"
description: "Install and configure openssh"
min_ansible_version: 2.3
min_ansible_version: 2.11
license: MIT
platforms:
- name: Ubuntu
- name: "Ubuntu"
versions:
- "jammy"
- "noble"
- name: "Debian"
versions:
- all
- "bullseye"
- "bookworm"
categories:
- system
- networking
- "system"
- "networking"

dependencies: []
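Review bot: The platform list now declares jammy, noble, bullseye and bookworm, but this change only adds vars files for xenial, bionic, buster, bullseye and focal, so on jammy, noble and bookworm the "check for dist overrides" stat in tasks/main.yml finds nothing and the role falls back to `openssh_dist_default: "focal"` from vars/main.yml. That fallback may well be fine for those releases, but it is undocumented; either add matching vars/<release>.yml files or note the fallback in the README. Minor: `min_ansible_version` is a version string, so `min_ansible_version: "2.11"` keeps YAML from typing it as a float (a later `2.10` would otherwise become `2.1`).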
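--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,18 +1,43 @@
 ---
-- name: OpenSSH | Make sure server and client packages are installed
+- name: "default dist is xenial"
+set_fact:
+openssh_dist_config: "{{openssh_dist_default}}"
+
+- name: "check for dist overrides"
+stat:
+path: "{{role_path}}/vars/{{ansible_distribution_release|lower}}.yml"
+connection: local
+delegate_to: localhost
+register: openssh_dist_override
+become: false
+
+- name: "override dist config"
+set_fact:
+openssh_dist_config: "{{ansible_distribution_release|lower}}"
+when: openssh_dist_override.stat.exists
+
+- name: "include dist overrides"
+include_vars: "{{openssh_dist_config}}.yml"
+
+- name: "Make sure server and client packages are installed"
 apt:
 pkg: "{{openssh_deps}}"
 state: present
 
-- name: OpenSSH | Configure OpenSSH Client
+- name: "Set configuration with overrides"
+set_fact:
+openssh_client_config: "{{openssh_client_default|combine(openssh_client_dist|default({}))|combine(openssh_client_settings)}}"
+openssh_server_config: "{{openssh_server_default|combine(openssh_server_dist|default({}))|combine(openssh_server_settings)}}"
+
+- name: "Configure OpenSSH Client"
 template:
 src: etc_ssh_ssh_config.j2
 dest: /etc/ssh/ssh_config
 owner: root
 group: root
 mode: 0644
 
-- name: OpenSSH | Configure OpenSSH Server
+- name: "Configure OpenSSH Server"
 template:
 src: etc_ssh_sshd_config.j2
 dest: /etc/ssh/sshd_config
@@ -22,17 +47,18 @@
 notify:
 - restart ssh
 
-- name: OpenSSH | Determine if previously generated host keys
-stat:
+- name: "get rid of old host key lock file"
+file:
 path: "{{openssh_hostkey_file}}"
-register: anxs_openssh_hostkeys
+state: "absent"
 
-- name: OpenSSH | Ensure all host keys are generated
-command: ssh-keygen -A
-when: not anxs_openssh_hostkeys.stat.exists
+- name: "Determine if previously generated host keys"
+stat:
+path: "/etc/ssh/ssh_host_{{item}}_key"
+register: openssh_hostkeys_stat
+loop: "{{openssh_hostkey_types}}"
 
-- name: OpenSSH | Remember we generated host keys
-file:
-dest: "{{openssh_hostkey_file}}"
-state: touch
-when: not anxs_openssh_hostkeys.stat.exists
+- name: "Generate missing host keys"
+command: "ssh-keygen -t {{item.item}} -f /etc/ssh/ssh_host_{{item.item}}_key"
+when: not item.stat.exists
+loop: "{{openssh_hostkeys_stat.results}}"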
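--- a/templates/etc_ssh_ssh_config.j2
+++ b/templates/etc_ssh_ssh_config.j2
@@ -1,3 +1,8 @@
-{% for key, value in openssh_client_settings.iteritems() %}
-{{key|e}} {{value|e}}
+Host *
+{% for key, value in openssh_client_config|dictsort %}
+{% if value is string %}
+{{' '}}{{key}} {{value}}
+{% else %}
+{{' '}}{{key}} {{','.join(value)}}
+{% endif %}
 {% endfor %}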
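Review bot: The `value is string` test on the new line 3 routes every non-string value to `','.join(value)`, so a setting that YAML types as a number or boolean (an unquoted `Port: 22` or `ForwardAgent: no` in `openssh_client_settings`) makes the template fail with a TypeError at render time instead of producing a line; etc_ssh_sshd_config.j2 has the same branch. Either treat non-iterable scalars as strings, `{% if value is string or value is not iterable %}`, or document next to the role's settings that every value must be a quoted string or a list of strings — note that a bare `no` would otherwise render as `False`, which ssh does not accept as a yes/no value. For parity with the server template, this file could also start with `# {{ ansible_managed }}` so a hand edit of /etc/ssh/ssh_config is recognisable as something the role will overwrite.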
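--- a/templates/etc_ssh_sshd_config.j2
+++ b/templates/etc_ssh_sshd_config.j2
@@ -1,3 +1,8 @@
-{% for key, value in openssh_server_settings.iteritems() %}
-{{key|e}} {{value|e}}
+# {{ ansible_managed }}
+{% for key, value in (openssh_server_config|dictsort) %}
+{% if value is string %}
+{{key}} {{value}}
+{% else %}
+{{key}} {{','.join(value)}}
+{% endif %}
 {% endfor %}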
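Review bot: Emitting `openssh_server_config` through `dictsort` makes the output order alphabetical, and sshd_config is order-sensitive: every directive after a `Match` line applies only inside that block, and `Include` is positional. A `Match` key supplied via `openssh_server_settings` sorts before `MaxAuthTries`, `PasswordAuthentication`, `PermitRootLogin` and everything later in the alphabet, silently turning those global settings into conditional ones — and a dict cannot hold more than one `Match` anyway. A template comment such as `{# directives are written in sorted key order; sshd_config is order-sensitive after Match/Include, so those must not be passed through openssh_server_settings #}` makes the limitation visible, or a dedicated list variable (a constructed name like `openssh_server_match_blocks`) rendered after the loop could support them properly.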
1 change: 0 additions & 1 deletion vagrant/roles/openssh

This file was deleted.

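--- a/vars/bionic.yml
+++ b/vars/bionic.yml
@@ -0,0 +1,9 @@
+---
+openssh_client_dist:
+Cipher: "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc"
+
+openssh_server_dist:
+RekeyLimit: "default none"
+KerberosAuthentication: "no"
+KerberosOrLocalPasswd: "yes"
+KerberosTicketCleanup: "yes"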
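--- a/vars/bullseye.yml
+++ b/vars/bullseye.yml
@@ -0,0 +1,6 @@
+---
+openssh_server_dist:
+RekeyLimit: "default none"
+KerberosAuthentication: "no"
+KerberosOrLocalPasswd: "yes"
+KerberosTicketCleanup: "yes"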
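--- a/vars/buster.yml
+++ b/vars/buster.yml
@@ -0,0 +1,4 @@
+---
+openssh_client_dist:
+Cipher: "aes256-cbc"
+RSAAuthentication: "yes"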
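--- a/vars/focal.yml
+++ b/vars/focal.yml
@@ -0,0 +1,6 @@
+---
+openssh_server_dist:
+RekeyLimit: "default none"
+KerberosAuthentication: "no"
+KerberosOrLocalPasswd: "yes"
+KerberosTicketCleanup: "yes"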
108 changes: 106 additions & 2 deletions vars/main.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,109 @@
---
openssh_dist_default: "focal"

openssh_deps:
- openssh-client
- openssh-server
- "openssh-client"
- "openssh-server"

openssh_hostkey_file: /var/run/anxs-openssh-hostkeys

openssh_client_default:
Port: "22"
Protocol: "2"
AddressFamily: "any"
ForwardAgent: "no"
ForwardX11: "no"
ForwardX11Timeout: "300"
ForwardX11Trusted: "no"
PasswordAuthentication: "yes"
HostbasedAuthentication: "no"
GSSAPIAuthentication: "no"
GSSAPIDelegateCredentials: "no"
GSSAPIKeyExchange: "no"
GSSAPITrustDNS: "no"
BatchMode: "no"
CheckHostIP: "yes"
ConnectTimeout: "30"
StrictHostKeyChecking: "ask"
MACs: "hmac-md5,hmac-sha1,umac-64@openssh.com"
EscapeChar: "~"
Tunnel: "no"
TunnelDevice: "any:any"
PermitLocalCommand: "no"
VisualHostKey: "no"
ChallengeResponseAuthentication: "yes"
Compression: "no"
ConnectionAttempts: "1"
ExitOnForwardFailure: "no"
GatewayPorts: "no"
UsePrivilegedPort: "no"
TCPKeepAlive: "no"

openssh_server_default:
Port: "22"
AddressFamily: "any"
Protocol: "2"
SyslogFacility: "AUTH"
LogLevel: "INFO"
LoginGraceTime: "120"
PermitRootLogin: "no"
StrictModes: "yes"
MaxAuthTries: "6"
MaxSessions: "10"
PubkeyAuthentication: "yes"
AuthorizedKeysFile: "%h/.ssh/authorized_keys"
IgnoreRhosts: "yes"
HostbasedAuthentication: "no"
IgnoreUserKnownHosts: "no"
PermitEmptyPasswords: "no"
ChallengeResponseAuthentication: "no"
PasswordAuthentication: "no"
KerberosAuthentication: "no"
KerberosOrLocalPasswd: "yes"
KerberosTicketCleanup: "yes"
GSSAPIAuthentication: "no"
GSSAPICleanupCredentials: "yes"
X11Forwarding: "yes"
X11DisplayOffset: "10"
X11UseLocalhost: "yes"
PrintMotd: "no"
PrintLastLog: "yes"
TCPKeepAlive: "yes"
MaxStartups: "5:75:20"
Banner: "none"
AcceptEnv: "LANG LC_*"
Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: "yes"
UseDNS: "no"
AllowAgentForwarding: "yes"
AllowTcpForwarding: "yes"
GatewayPorts: "no"
ClientAliveInterval: "1750"
ClientAliveCountMax: "0"
PermitUserEnvironment: "no"
Compression: "delayed"
PidFile: "/var/run/sshd.pid"
PermitTunnel: "no"
ChrootDirectory: "none"
HostKeyAlgorithms:
- "ecdsa-sha2-nistp384-cert-v01@openssh.com"
- "ecdsa-sha2-nistp521-cert-v01@openssh.com"
- "ssh-ed25519-cert-v01@openssh.com"
- "sk-ssh-ed25519-cert-v01@openssh.com"
- "rsa-sha2-512-cert-v01@openssh.com"
- "rsa-sha2-256-cert-v01@openssh.com"
- "ssh-rsa-cert-v01@openssh.com"
- "sk-ecdsa-sha2-nistp256@openssh.com"
- "ssh-ed25519"
- "sk-ssh-ed25519@openssh.com"
- "rsa-sha2-512"
- "rsa-sha2-256"
KexAlgorithms:
- "curve25519-sha256"
- "curve25519-sha256@libssh.org"
- "diffie-hellman-group16-sha512"
- "diffie-hellman-group18-sha512"
- "diffie-hellman-group-exchange-sha256"
MACs:
- "hmac-sha2-256-etm@openssh.com"
- "hmac-sha2-512-etm@openssh.com"
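--- a/vars/xenial.yml
+++ b/vars/xenial.yml
@@ -0,0 +1,11 @@
+---
+openssh_client_dist:
+Cipher: "aes256-cbc"
+RSAAuthentication: "yes"
+
+openssh_server_dist:
+UsePrivilegeSeparation: "yes"
+KeyRegenerationInterval: "3600"
+ServerKeyBits: "1024"
+UseLogin: "no"
+KerberosGetAFSToken: "no"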