ansible-collection-hardening/roles/ssh_hardening/vars/FreeBSD.yml

---
sshd_path: /usr/sbin/sshd
ssh_host_keys_dir: /etc/ssh
sshd_service_name: sshd
ssh_owner: root
ssh_group: wheel
ssh_host_keys_owner: root
ssh_host_keys_group: wheel
ssh_host_keys_mode: "0600"

# true if SSH support Kerberos
ssh_kerberos_support: true

# true if SSH has PAM support
ssh_pam_support: true

sshd_moduli_file: /etc/ssh/moduli

sshd_disable_crypto_policy: false
Harmonize style Changes include: - change of indentation - consistent use of single quotes - name of all tasks beginn with lower case - explicit begin in all YAML files - use of 'loop' instead of old style 'with_items' Signed-off-by: Andre Lehmann <aisberg@posteo.de> 2020-06-09 19:11:03 +00:00			`---`
add var sshd_path, for OSs with alternate sshd locations Signed-off-by: Alex Waite <alex@waite.eu> 2020-06-20 10:57:59 +00:00			`sshd_path: /usr/sbin/sshd`
linting (#603) * linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * more linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * change line length issues Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * replace yes with true in tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add exception for task Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove trailing whitespace * add back deleted params Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back deleted params Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> 2023-01-24 11:40:27 +00:00			`ssh_host_keys_dir: /etc/ssh`
Add support for FreeBSD OpenSSH server and client 2017-02-02 00:09:12 +00:00			`sshd_service_name: sshd`
			`ssh_owner: root`
			`ssh_group: wheel`
linting (#603) * linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * more linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * change line length issues Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * replace yes with true in tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add exception for task Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove trailing whitespace * add back deleted params Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back deleted params Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> 2023-01-24 11:40:27 +00:00			`ssh_host_keys_owner: root`
Replace ssh_keys group in Fedora with root (#677) * Replace ssh_keys group in Fedora with root In Fedora 38, the `ssh_keys` group was removed. root is used now, in accordance to upstream. See: https://www.spinics.net/lists/fedora-devel/msg307707.html See: https://src.fedoraproject.org/rpms/openssh/pull-request/37# Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * change host key mode and owner in fedora and rhel9 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add missing host mode for rhel7 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * harden all ssh host keys Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * skip linting rule Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * correct grp for bsd is wheel Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> --------- Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> 2023-06-10 06:04:04 +00:00			`ssh_host_keys_group: wheel`
			`ssh_host_keys_mode: "0600"`
change inclusion of os specific defaults (#353) * change inclusion of os specific defaults we now include the os specific options into a separate variable and merge this with the default ansible namespace, when the corresponding keys do not already exist (eg. are defined by default oder by user) Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * simplify check for os specific variables Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add test for variable override Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * move tests to verify stage Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * correct grep Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * linting Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix typo Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * Revert "Merge pull request #351 from sprat/fix-umask" This reverts commit 9e8e0bc8fb207014a6d1cb4d68c98029b110aabe, reversing changes made to 98c7553016fe217e783d2376f07d29e703fa97b6. Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * move immutable ssh vars to internal vars Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * move vars to OS files Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * change default handling for all roles Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix issues Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add documentation Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * Update main.yml Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> 2020-12-20 19:46:57 +00:00
			`# true if SSH support Kerberos`
			`ssh_kerberos_support: true`

			`# true if SSH has PAM support`
			`ssh_pam_support: true`

linting (#603) * linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * more linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * change line length issues Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * replace yes with true in tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add exception for task Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove trailing whitespace * add back deleted params Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back deleted params Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> 2023-01-24 11:40:27 +00:00			`sshd_moduli_file: /etc/ssh/moduli`
change inclusion of os specific defaults (#353) * change inclusion of os specific defaults we now include the os specific options into a separate variable and merge this with the default ansible namespace, when the corresponding keys do not already exist (eg. are defined by default oder by user) Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * simplify check for os specific variables Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add test for variable override Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * move tests to verify stage Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * correct grep Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * linting Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix typo Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * Revert "Merge pull request #351 from sprat/fix-umask" This reverts commit 9e8e0bc8fb207014a6d1cb4d68c98029b110aabe, reversing changes made to 98c7553016fe217e783d2376f07d29e703fa97b6. Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * move immutable ssh vars to internal vars Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * move vars to OS files Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * change default handling for all roles Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix issues Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add documentation Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * Update main.yml Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> 2020-12-20 19:46:57 +00:00
			`sshd_disable_crypto_policy: false`