Mirrors/ansible-collection-hardening
2
0
Fork 0
mirror of https://github.com/dev-sec/ansible-collection-hardening synced 2024-11-10 09:14:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

Prettified Code!

Browse source
This commit is contained in:
rndmh3ro 2023-08-07 12:31:26 +00:00 committed by GitHub Action
parent f295397611
commit c1a0bcbe9d
4 changed files with 1471 additions and 1460 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

198
roles/mysql_hardening/README.md
View file

@ -22,107 +22,109 @@ Further information is available at [Deutsche Telekom (German)](http://www.telek
- python-jmespath on the ansible host
<!-- BEGIN_ANSIBLE_DOCS -->
## Supported Operating Systems
| Platform | Versions |
| -------- | -------- |
| EL | 7, 8, 9 |
| Ubuntu | bionic, focal, jammy |
| Debian | bullseye, buster |
| Amazon | |
| opensuse | |
| Platform | Versions |
| -------- | -------------------- |
| EL | 7, 8, 9 |
| Ubuntu | bionic, focal, jammy |
| Debian | bullseye, buster |
| Amazon | |
| opensuse | |
## Role Variables
* `mysql_daemon_enabled`
* Default: `true`
* Description: Whether to enable the MySQL-service so it starts on boot
* Type: bool
* Required: no
* `mysql_hardening_chroot`
* Default: ``
* Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)
* Type: str
* Required: no
* `mysql_hardening_chroot.automatic-sp-privileges`
* Default: `0`
* Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)
* Type: int
* Required: no
* `mysql_hardening_enabled`
* Default: `true`
* Description: Whether to run the hardening
* Type: bool
* Required: no
* `mysql_hardening_options.allow-suspicious-udfs`
* Default: `0`
* Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)
* Type: int
* Required: no
* `mysql_hardening_options.local-infile`
* Default: `0`
* Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)
* Type: int
* Required: no
* `mysql_hardening_options.safe-user-create`
* Default: `1`
* Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)
* Type: int
* Required: no
* `mysql_hardening_options.secure-auth`
* Default: `1`
* Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)
* Type: int
* Required: no
* `mysql_hardening_options.secure-file-priv`
* Default: `/tmp`
* Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)
* Type: str
* Required: no
* `mysql_hardening_options.skip-symbolic-links`
* Default: `1`
* Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)
* Type: int
* Required: no
* `mysql_hardening_restart_mysql`
* Default: `true`
* Description: Restart mysql after running this role
* Type: bool
* Required: no
* `mysql_hardening_skip_grant_tables:`
* Default: `false`
* Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)
* Type: bool
* Required: no
* `mysql_hardening_skip_show_database`
* Default: `1`
* Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)
* Type: int
* Required: no
* `mysql_remove_anonymous_users`
* Default: `true`
* Description: Set to `false` to keep users without authentication
* Type: bool
* Required: no
* `mysql_remove_remote_root`
* Default: `true`
* Description: If `true`, root can only connect from localhost. Set to `false` to not remove remote root users.
* Type: bool
* Required: no
* `mysql_remove_test_database`
* Default: `true`
* Description: Set to `false` to keep the test database
* Type: bool
* Required: no
* `mysql_root_password`
* Default: `-----====>SetR00tPa$$wordH3r3!!!<====-----`
* Description: The default password. Please change or overwrite it
* Type: str
* Required: no
* `mysql_user_home`
* Default: `{{ ansible_env.HOME }}`
* Description: The path where the `.my.cnf` will be stored
* Type: str
* Required: no
- `mysql_daemon_enabled`
- Default: `true`
- Description: Whether to enable the MySQL-service so it starts on boot
- Type: bool
- Required: no
- `mysql_hardening_chroot`
- Default: ``
- Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)
- Type: str
- Required: no
- `mysql_hardening_chroot.automatic-sp-privileges`
- Default: `0`
- Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)
- Type: int
- Required: no
- `mysql_hardening_enabled`
- Default: `true`
- Description: Whether to run the hardening
- Type: bool
- Required: no
- `mysql_hardening_options.allow-suspicious-udfs`
- Default: `0`
- Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)
- Type: int
- Required: no
- `mysql_hardening_options.local-infile`
- Default: `0`
- Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)
- Type: int
- Required: no
- `mysql_hardening_options.safe-user-create`
- Default: `1`
- Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)
- Type: int
- Required: no
- `mysql_hardening_options.secure-auth`
- Default: `1`
- Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)
- Type: int
- Required: no
- `mysql_hardening_options.secure-file-priv`
- Default: `/tmp`
- Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)
- Type: str
- Required: no
- `mysql_hardening_options.skip-symbolic-links`
- Default: `1`
- Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)
- Type: int
- Required: no
- `mysql_hardening_restart_mysql`
- Default: `true`
- Description: Restart mysql after running this role
- Type: bool
- Required: no
- `mysql_hardening_skip_grant_tables:`
- Default: `false`
- Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)
- Type: bool
- Required: no
- `mysql_hardening_skip_show_database`
- Default: `1`
- Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)
- Type: int
- Required: no
- `mysql_remove_anonymous_users`
- Default: `true`
- Description: Set to `false` to keep users without authentication
- Type: bool
- Required: no
- `mysql_remove_remote_root`
- Default: `true`
- Description: If `true`, root can only connect from localhost. Set to `false` to not remove remote root users.
- Type: bool
- Required: no
- `mysql_remove_test_database`
- Default: `true`
- Description: Set to `false` to keep the test database
- Type: bool
- Required: no
- `mysql_root_password`
- Default: `-----====>SetR00tPa$$wordH3r3!!!<====-----`
- Description: The default password. Please change or overwrite it
- Type: str
- Required: no
- `mysql_user_home`
- Default: `{{ ansible_env.HOME }}`
- Description: The path where the `.my.cnf` will be stored
- Type: str
- Required: no
## Dependencies
@ -135,5 +137,5 @@ None.
roles:
- name: devsec.hardening.mysql_hardening
```
<!-- END_ANSIBLE_DOCS -->
<!-- END_ANSIBLE_DOCS -->

225
roles/nginx_hardening/README.md
View file

@ -16,121 +16,123 @@ It works with the following nginx-roles, including, but not limited to:
**NOTE: This role does not work with nginx 1.0.15 or older! Please use the latest version from the official nginx repositories!**
<!-- BEGIN_ANSIBLE_DOCS -->
## Supported Operating Systems
| Platform | Versions |
| -------- | -------- |
| EL | 7, 8, 9 |
| Ubuntu | bionic, focal, jammy |
| Debian | buster, bullseye |
| Amazon | |
| Platform | Versions |
| -------- | -------------------- |
| EL | 7, 8, 9 |
| Ubuntu | bionic, focal, jammy |
| Debian | buster, bullseye |
| Amazon | |
## Role Variables
* `nginx_add_header`
* Default: `['X-Frame-Options SAMEORIGIN', 'X-Content-Type-Options nosniff', 'X-XSS-Protection "1; mode=block"', 'Content-Security-Policy \\"script-src \'self\'; object-src \'self\'\\"']`
* Description: Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307. See [nginx_add_header](http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
* Type: str
* Required: no
* `nginx_client_body_buffer_size`
* Default: `1k`
* Description: Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. See [nginx_client_body_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size)
* Type: str
* Required: no
* `nginx_client_body_timeout`
* Default: `10`
* Description: Defines a timeout for reading client request body. See [nginx_client_body_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout)
* Type: int
* Required: no
* `nginx_client_header_buffer_size`
* Default: `1k`
* Description: Sets buffer size for reading client request header. For most requests, a buffer of 1K bytes is enough. See [nginx_client_header_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client
* Type: str
* Required: no
* `nginx_client_header_timeout`
* Default: `10`
* Description: Defines a timeout for reading client request header. See [nginx_client_header_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout)
* Type: int
* Required: no
* `nginx_client_max_body_size`
* Default: `1k`
* Description: Sets the maximum allowed size of the client request body, specified in the "Content-Length" request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client. See [nginx_client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size)
* Type: str
* Required: no
* `nginx_configuration_dir`
* Default: `/etc/nginx`
* Description: The main location for all nginx configuration files
* Type: str
* Required: no
* `nginx_configuration_hardening_dir`
* Default: `/etc/nginx`
* Description: The location for the nginx hardening configuration file (Could be different e.g. when used in jails)
* Type: str
* Required: no
* `nginx_dh_size`
* Default: `2048`
* Description: Specifies the length of DH parameters for EDH ciphers. See [nginx_dh_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam)
* Type: str
* Required: no
* `nginx_keepalive_timeout`
* Default: `5 5`
* Description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the "Keep-Alive timeout=time" response header field. See [nginx_keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout)
* Type: str
* Required: no
* `nginx_large_client_header_buffers`
* Default: `2 1k`
* Description: Sets the maximum number and size of buffers used for reading large client request header. See [nginx_large_client_header_buffers](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers)
* Type: str
* Required: no
* `nginx_limit_conn`
* Default: `default 5`
* Description: Sets the shared memory zone and the maximum allowed number of connections for a given key value. See [nginx_limit_conn](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn)
* Type: str
* Required: no
* `nginx_limit_conn_zone`
* Default: `$binary_remote_addr zone=default:10m`
* Description: Sets parameters for a shared memory zone that will keep states for various keys. See [nginx_limit_conn_zone](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone)
* Type: str
* Required: no
* `nginx_owner_group`
* Default: `root`
* Description: The owner group of the nginx configuration files
* Type: str
* Required: no
* `nginx_owner_user`
* Default: `root`
* Description: The owner user of the nginx configuration files
* Type: str
* Required: no
* `nginx_remove_default_site`
* Default: `true`
* Description: Disables the default site. Set to false to enable the default site in nginx.
* Type: bool
* Required: no
* `nginx_send_timeout`
* Default: `10`
* Description: Sets a timeout for transmitting a response to the client. See [nginx_send_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout)
* Type: int
* Required: no
* `nginx_server_tokens`
* Default: `False`
* Description: Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response header. See [nginx_server_tokens](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens)
* Type: str
* Required: no
* `nginx_ssl_ciphers`
* Default: `ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256`
* Description: Specifies the TLS ciphers which should be used. See [nginx_ssl_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers)
* Type: str
* Required: no
* `nginx_ssl_prefer_server_ciphers`
* Default: `on`
* Description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it. See [nginx_ssl_prefer_server_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers)
* Type: str
* Required: no
* `nginx_ssl_protocols`
* Default: `TLSv1.2`
* Description: Specifies the SSL protocol which should be used. See [nginx_ssl_protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols)
* Type: str
* Required: no
- `nginx_add_header`
- Default: `['X-Frame-Options SAMEORIGIN', 'X-Content-Type-Options nosniff', 'X-XSS-Protection "1; mode=block"', 'Content-Security-Policy \\"script-src \'self\'; object-src \'self\'\\"']`
- Description: Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307. See [nginx_add_header](http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
- Type: str
- Required: no
- `nginx_client_body_buffer_size`
- Default: `1k`
- Description: Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. See [nginx_client_body_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size)
- Type: str
- Required: no
- `nginx_client_body_timeout`
- Default: `10`
- Description: Defines a timeout for reading client request body. See [nginx_client_body_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout)
- Type: int
- Required: no
- `nginx_client_header_buffer_size`
- Default: `1k`
- Description: Sets buffer size for reading client request header. For most requests, a buffer of 1K bytes is enough. See [nginx_client_header_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client
- Type: str
- Required: no
- `nginx_client_header_timeout`
- Default: `10`
- Description: Defines a timeout for reading client request header. See [nginx_client_header_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout)
- Type: int
- Required: no
- `nginx_client_max_body_size`
- Default: `1k`
- Description: Sets the maximum allowed size of the client request body, specified in the "Content-Length" request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client. See [nginx_client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size)
- Type: str
- Required: no
- `nginx_configuration_dir`
- Default: `/etc/nginx`
- Description: The main location for all nginx configuration files
- Type: str
- Required: no
- `nginx_configuration_hardening_dir`
- Default: `/etc/nginx`
- Description: The location for the nginx hardening configuration file (Could be different e.g. when used in jails)
- Type: str
- Required: no
- `nginx_dh_size`
- Default: `2048`
- Description: Specifies the length of DH parameters for EDH ciphers. See [nginx_dh_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam)
- Type: str
- Required: no
- `nginx_keepalive_timeout`
- Default: `5 5`
- Description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the "Keep-Alive timeout=time" response header field. See [nginx_keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout)
- Type: str
- Required: no
- `nginx_large_client_header_buffers`
- Default: `2 1k`
- Description: Sets the maximum number and size of buffers used for reading large client request header. See [nginx_large_client_header_buffers](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers)
- Type: str
- Required: no
- `nginx_limit_conn`
- Default: `default 5`
- Description: Sets the shared memory zone and the maximum allowed number of connections for a given key value. See [nginx_limit_conn](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn)
- Type: str
- Required: no
- `nginx_limit_conn_zone`
- Default: `$binary_remote_addr zone=default:10m`
- Description: Sets parameters for a shared memory zone that will keep states for various keys. See [nginx_limit_conn_zone](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone)
- Type: str
- Required: no
- `nginx_owner_group`
- Default: `root`
- Description: The owner group of the nginx configuration files
- Type: str
- Required: no
- `nginx_owner_user`
- Default: `root`
- Description: The owner user of the nginx configuration files
- Type: str
- Required: no
- `nginx_remove_default_site`
- Default: `true`
- Description: Disables the default site. Set to false to enable the default site in nginx.
- Type: bool
- Required: no
- `nginx_send_timeout`
- Default: `10`
- Description: Sets a timeout for transmitting a response to the client. See [nginx_send_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout)
- Type: int
- Required: no
- `nginx_server_tokens`
- Default: `False`
- Description: Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response header. See [nginx_server_tokens](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens)
- Type: str
- Required: no
- `nginx_ssl_ciphers`
- Default: `ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256`
- Description: Specifies the TLS ciphers which should be used. See [nginx_ssl_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers)
- Type: str
- Required: no
- `nginx_ssl_prefer_server_ciphers`
- Default: `on`
- Description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it. See [nginx_ssl_prefer_server_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers)
- Type: str
- Required: no
- `nginx_ssl_protocols`
- Default: `TLSv1.2`
- Description: Specifies the SSL protocol which should be used. See [nginx_ssl_protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols)
- Type: str
- Required: no
## Dependencies
@ -143,4 +145,5 @@ None.
roles:
- name: devsec.hardening.nginx_hardening
```
<!-- END_ANSIBLE_DOCS -->

1693
roles/os_hardening/README.md
View file

File diff suppressed because it is too large Load diff

815
roles/ssh_hardening/README.md
View file

@ -9,416 +9,418 @@ This role provides secure ssh-client and ssh-server configurations. It is intend
Warning: This role disables root-login on the target server! Please make sure you have another user with su or sudo permissions that can login into the server.
<!-- BEGIN_ANSIBLE_DOCS -->
## Supported Operating Systems
| Platform | Versions |
| -------- | -------- |
| EL | 7, 8, 9 |
| Ubuntu | bionic, focal, jammy |
| Debian | buster, bullseye |
| Amazon | |
| Fedora | |
| ArchLinux | |
| SmartOS | |
| FreeBSD | 12.2 |
| OpenBSD | 7.0 |
| Platform | Versions |
| --------- | -------------------- |
| EL | 7, 8, 9 |
| Ubuntu | bionic, focal, jammy |
| Debian | buster, bullseye |
| Amazon | |
| Fedora | |
| ArchLinux | |
| SmartOS | |
| FreeBSD | 12.2 |
| OpenBSD | 7.0 |
## Role Variables
* `network_ipv6_enable`
* Default: `true`
* Description: `false` if IPv6 is not needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`).
* Type: bool
* Required: no
* `sftp_chroot`
* Default: `true`
* Description: Set to `false` to disable chroot for sftp.
* Type: bool
* Required: no
* `sftp_chroot_dir`
* Default: `/home/%u`
* Description: change default stp chroot location
* Type: str
* Required: no
* `sftp_enabled`
* Default: `true`
* Description: Set to `false` to disable sftp configuration.
* Type: bool
* Required: no
* `sftp_umask`
* Default: `0027`
* Description: Specifies the umask for sftp.
* Type: str
* Required: no
* `ssh_allow_agent_forwarding`
* Default: `false`
* Description: Set to `false` to disable Agent Forwarding. Set to `true` to allow Agent Forwarding.
* Type: bool
* Required: no
* `ssh_allow_groups`
* Default: ``
* Description: if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
* Type: str
* Required: no
* `ssh_allow_tcp_forwarding`
* Default: `no`
* Description: Set to `'no'` or `false` to disable TCP Forwarding. Set to `'yes'` or`True` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`.
* Type: str
* Required: no
* `ssh_allow_users`
* Default: ``
* Description: if specified, login is allowed only for user names that match one of the patterns.
* Type: str
* Required: no
* `ssh_authorized_keys_file`
* Default: ``
* Description: change default file that contains the public keys that can be used for user authentication
* Type: str
* Required: no
* `ssh_authorized_principals`
* Default: ``
* Description: list of hashes containing file paths and authorized principals, see `default_cstom.yml` for all options. Only used if `ssh_authorized_principals_file` is set
* Type: list
* Required: no
* `ssh_authorized_principals_file`
* Default: ``
* Description: specifies the file containing principals that are allowed. Only used if `ssh_trusted_user_ca_keys_file` is set.
* Type: str
* Required: no
* `ssh_banner`
* Default: `false`
* Description: Set to `true` to print a banner on login.
* Type: bool
* Required: no
* `ssh_banner_path`
* Default: `/etc/sshd/banner.txt`
* Description: path to the SSH banner file.
* Type: str
* Required: no
* `ssh_challengeresponseauthentication`
* Default: `false`
* Description: Specifies whether challenge-response authentication is allowed (e.g. via PAM).
* Type: bool
* Required: no
* `ssh_ciphers`
* Default: ``
* Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`
* Type: list
* Required: no
* `ssh_client_alive_count`
* Default: `3`
* Description: Defines the number of acceptable unanswered client alive messages before disconnecting clients.
* Type: str
* Required: no
* `ssh_client_alive_interval`
* Default: `600`
* Description: specifies an interval for sending keepalive messages.
* Type: str
* Required: no
* `ssh_client_compression`
* Default: `false`
* Description: Specifies whether the client requests compression.
* Type: bool
* Required: no
* `ssh_client_config_file`
* Default: `/etc/ssh/ssh_config`
* Description: path of the ssh client configuration file, e.g. `/etc/ssh/ssh_config.d/custom.conf`.
* Type: str
* Required: no
* `ssh_client_hardening`
* Default: `true`
* Description: `false` to stop harden the client.
* Type: bool
* Required: no
* `ssh_client_host_key_algorithms`
* Default: ``
* Description: Specifies the host key algorithms that the client wants to use in order of preference. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man ssh_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version!
* Type: list
* Required: no
* `ssh_client_password_login`
* Default: `false`
* Description: Set to `true` to allow password-based authentication with the ssh client.
* Type: bool
* Required: no
* `ssh_client_port`
* Default: `22`
* Description: Specifies the port number to connect on the remote host.
* Type: str
* Required: no
* `ssh_client_roaming`
* Default: `false`
* Description: enable experimental client roaming.
* Type: bool
* Required: no
* `ssh_compression`
* Default: `false`
* Description: Specifies whether server-side compression is enabled after the user has authenticated successfully.
* Type: bool
* Required: no
* `ssh_custom_options`
* Default: `[]`
* Description: Custom lines for SSH client configuration.
* Type: str
* Required: no
* `ssh_custom_selinux_dir`
* Default: `/etc/selinux/local-policies`
* Description: directory where to store the ssh_password policy
* Type: str
* Required: no
* `ssh_deny_groups`
* Default: ``
* Description: if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
* Type: str
* Required: no
* `ssh_deny_users`
* Default: ``
* Description: if specified, login is disallowed for user names that match one of the patterns.
* Type: str
* Required: no
* `ssh_gateway_ports`
* Default: `false`
* Description: Set to `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.
* Type: bool
* Required: no
* `ssh_gssapi_delegation`
* Default: `false`
* Description: Set to `true` to enable GSSAPI credential forwarding.
* Type: bool
* Required: no
* `ssh_gssapi_support`
* Default: `false`
* Description: Set to `true` to enable GSSAPI authentication (both client and server).
* Type: bool
* Required: no
* `ssh_hardening_enabled`
* Default: `true`
* Description: Whether to run the hardening
* Type: bool
* Required: no
* `ssh_host_certificates`
* Default: ``
* Description: Host certificates to look for when starting sshd
* Type: list
* Required: no
* `ssh_host_key_algorithms`
* Default: ``
* Description: Host key algorithms that the server offers. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version
* Type: list
* Required: no
* `ssh_host_key_files`
* Default: ``
* Description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version.
* Type: list
* Required: no
* `ssh_host_rsa_key_size`
* Default: `4096`
* Description: Specifies the number of bits in the private host RSA key to create.
* Type: str
* Required: no
* `ssh_kerberos_support`
* Default: `true`
* Description: Set to `true` if SSH has Kerberos support.
* Type: bool
* Required: no
* `ssh_kex`
* Default: ``
* Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`
* Type: list
* Required: no
* `ssh_listen_to`
* Default: `["0.0.0.0"]`
* Description: one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 addresses, but should be configured to specific addresses for security reasons
* Type: list
* Required: no
* `ssh_login_grace_time`
* Default: `30s`
* Description: specifies the time allowed for successful authentication to the SSH server.
* Type: str
* Required: no
* `ssh_macs`
* Default: ``
* Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`
* Type: list
* Required: no
* `ssh_max_auth_retries`
* Default: `2`
* Description: Specifies the maximum number of authentication attempts permitted per connection.
* Type: str
* Required: no
* `ssh_max_sessions`
* Default: `10`
* Description: Specifies the maximum number of open sessions permitted from a given connection.
* Type: str
* Required: no
* `ssh_max_startups`
* Default: `10:30:60`
* Description: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.
* Type: str
* Required: no
* `ssh_pam_support`
* Default: `true`
* Description: Set to `true` if SSH has PAM support.
* Type: bool
* Required: no
* `ssh_permit_root_login`
* Default: `no`
* Description: Disable root-login. Set to `'without-password'` or `'yes'` to enable root-login - The quotes are required!
* Type: str
* Required: no
* `ssh_permit_tunnel`
* Default: `false`
* Description: `true` if SSH Port Tunneling is required.
* Type: bool
* Required: no
* `ssh_print_debian_banner`
* Default: `false`
* Description: Set to `true` to print debian specific banner.
* Type: bool
* Required: no
* `ssh_print_last_log`
* Default: `false`
* Description: Set to `false` to disable display of last login information.
* Type: bool
* Required: no
* `ssh_print_motd`
* Default: `false`
* Description: Set to `false` to disable printing of the MOTD.
* Type: bool
* Required: no
* `ssh_print_pam_motd`
* Default: `false`
* Description: Set to `false` to disable printing of the MOTD via pam (Debian and Ubuntu).
* Type: bool
* Required: no
* `ssh_ps59`
* Default: `sandbox`
* Description: Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic.
* Type: str
* Required: no
* `ssh_remote_hosts`
* Default: ``
* Description: one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`
* Type: list
* Required: no
* `ssh_server_accept_env_vars`
* Default: ``
* Description: Specifies what environment variables sent by the client will be copied into the session's environment, multiple environment variables may be separated by whitespace.
* Type: str
* Required: no
* `ssh_server_config_file`
* Default: `/etc/ssh/sshd_config`
* Description: path of the ssh server configuration file, e.g. `/etc/ssh/sshd_config.d/custom.conf`.
* Type: str
* Required: no
* `ssh_server_enabled`
* Default: `true`
* Description: Set to `false` to disable the opensshd server.
* Type: bool
* Required: no
* `ssh_server_hardening`
* Default: `true`
* Description: `false` to stop harden the server.
* Type: bool
* Required: no
* `ssh_server_match_address`
* Default: ``
* Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
* Type: str
* Required: no
* `ssh_server_match_group`
* Default: ``
* Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
* Type: str
* Required: no
* `ssh_server_match_local_port`
* Default: ``
* Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
* Type: str
* Required: no
* `ssh_server_match_user`
* Default: ``
* Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
* Type: str
* Required: no
* `ssh_server_password_login`
* Default: `false`
* Description: Set to `true` to allow password-based authentication to the ssh server. You probably also need to change `sshd_authenticationmethods` to include `password` if you set `ssh_server_password_login`: `true`.
* Type: bool
* Required: no
* `ssh_server_permit_environment_vars`
* Default: `no`
* Description: `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global 'yes' or 'no' settings.
* Type: str
* Required: no
* `ssh_server_ports`
* Default: `["22"]`
* Description: ports on which ssh-server should listen.
* Type: list
* Required: no
* `ssh_server_revoked_keys`
* Default: ``
* Description: a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.
* Type: list
* Required: no
* `ssh_trusted_user_ca_keys`
* Default: ``
* Description: set the trusted certificate authorities public keys used to sign user certificates. Only used if `ssh_trusted_user_ca_keys_file` is set.
* Type: list
* Required: no
* `ssh_trusted_user_ca_keys_file`
* Default: ``
* Description: specifies the file containing trusted certificate authorities public keys used to sign user certificates.
* Type: str
* Required: no
* `ssh_use_dns`
* Default: `false`
* Description: Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address.
* Type: bool
* Required: no
* `ssh_use_pam`
* Default: `true`
* Description: Set to `false` to disable pam authentication.
* Type: bool
* Required: no
* `ssh_x11_forwarding`
* Default: `false`
* Description: Set to `false` to disable X11 Forwarding. Set to `true` to allow X11 Forwarding.
* Type: bool
* Required: no
* `sshd_authenticationmethods`
* Default: `publickey`
* Description: Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml`
* Type: str
* Required: no
* `sshd_custom_options`
* Default: ``
* Description: Custom lines for SSH daemon configuration.
* Type: list
* Required: no
* `sshd_log_level`
* Default: `VERBOSE`
* Description: the verbosity level that is used when logging messages from sshd.
* Type: str
* Required: no
* `sshd_moduli_file`
* Default: `/etc/ssh/moduli`
* Description: path to the SSH moduli file.
* Type: str
* Required: no
* `sshd_moduli_minimum`
* Default: `2048`
* Description: remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam.
* Type: str
* Required: no
* `sshd_strict_modes`
* Default: `true`
* Description: Check file modes and ownership of the user's files and home directory before accepting login.
* Type: bool
* Required: no
* `sshd_syslog_facility`
* Default: `AUTH`
* Description: The facility code that is used when logging messages from sshd.
* Type: str
* Required: no
- `network_ipv6_enable`
- Default: `true`
- Description: `false` if IPv6 is not needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`).
- Type: bool
- Required: no
- `sftp_chroot`
- Default: `true`
- Description: Set to `false` to disable chroot for sftp.
- Type: bool
- Required: no
- `sftp_chroot_dir`
- Default: `/home/%u`
- Description: change default stp chroot location
- Type: str
- Required: no
- `sftp_enabled`
- Default: `true`
- Description: Set to `false` to disable sftp configuration.
- Type: bool
- Required: no
- `sftp_umask`
- Default: `0027`
- Description: Specifies the umask for sftp.
- Type: str
- Required: no
- `ssh_allow_agent_forwarding`
- Default: `false`
- Description: Set to `false` to disable Agent Forwarding. Set to `true` to allow Agent Forwarding.
- Type: bool
- Required: no
- `ssh_allow_groups`
- Default: ``
- Description: if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
- Type: str
- Required: no
- `ssh_allow_tcp_forwarding`
- Default: `no`
- Description: Set to `'no'` or `false` to disable TCP Forwarding. Set to `'yes'` or`True` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`.
- Type: str
- Required: no
- `ssh_allow_users`
- Default: ``
- Description: if specified, login is allowed only for user names that match one of the patterns.
- Type: str
- Required: no
- `ssh_authorized_keys_file`
- Default: ``
- Description: change default file that contains the public keys that can be used for user authentication
- Type: str
- Required: no
- `ssh_authorized_principals`
- Default: ``
- Description: list of hashes containing file paths and authorized principals, see `default_cstom.yml` for all options. Only used if `ssh_authorized_principals_file` is set
- Type: list
- Required: no
- `ssh_authorized_principals_file`
- Default: ``
- Description: specifies the file containing principals that are allowed. Only used if `ssh_trusted_user_ca_keys_file` is set.
- Type: str
- Required: no
- `ssh_banner`
- Default: `false`
- Description: Set to `true` to print a banner on login.
- Type: bool
- Required: no
- `ssh_banner_path`
- Default: `/etc/sshd/banner.txt`
- Description: path to the SSH banner file.
- Type: str
- Required: no
- `ssh_challengeresponseauthentication`
- Default: `false`
- Description: Specifies whether challenge-response authentication is allowed (e.g. via PAM).
- Type: bool
- Required: no
- `ssh_ciphers`
- Default: ``
- Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`
- Type: list
- Required: no
- `ssh_client_alive_count`
- Default: `3`
- Description: Defines the number of acceptable unanswered client alive messages before disconnecting clients.
- Type: str
- Required: no
- `ssh_client_alive_interval`
- Default: `600`
- Description: specifies an interval for sending keepalive messages.
- Type: str
- Required: no
- `ssh_client_compression`
- Default: `false`
- Description: Specifies whether the client requests compression.
- Type: bool
- Required: no
- `ssh_client_config_file`
- Default: `/etc/ssh/ssh_config`
- Description: path of the ssh client configuration file, e.g. `/etc/ssh/ssh_config.d/custom.conf`.
- Type: str
- Required: no
- `ssh_client_hardening`
- Default: `true`
- Description: `false` to stop harden the client.
- Type: bool
- Required: no
- `ssh_client_host_key_algorithms`
- Default: ``
- Description: Specifies the host key algorithms that the client wants to use in order of preference. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man ssh_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version!
- Type: list
- Required: no
- `ssh_client_password_login`
- Default: `false`
- Description: Set to `true` to allow password-based authentication with the ssh client.
- Type: bool
- Required: no
- `ssh_client_port`
- Default: `22`
- Description: Specifies the port number to connect on the remote host.
- Type: str
- Required: no
- `ssh_client_roaming`
- Default: `false`
- Description: enable experimental client roaming.
- Type: bool
- Required: no
- `ssh_compression`
- Default: `false`
- Description: Specifies whether server-side compression is enabled after the user has authenticated successfully.
- Type: bool
- Required: no
- `ssh_custom_options`
- Default: `[]`
- Description: Custom lines for SSH client configuration.
- Type: str
- Required: no
- `ssh_custom_selinux_dir`
- Default: `/etc/selinux/local-policies`
- Description: directory where to store the ssh_password policy
- Type: str
- Required: no
- `ssh_deny_groups`
- Default: ``
- Description: if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
- Type: str
- Required: no
- `ssh_deny_users`
- Default: ``
- Description: if specified, login is disallowed for user names that match one of the patterns.
- Type: str
- Required: no
- `ssh_gateway_ports`
- Default: `false`
- Description: Set to `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.
- Type: bool
- Required: no
- `ssh_gssapi_delegation`
- Default: `false`
- Description: Set to `true` to enable GSSAPI credential forwarding.
- Type: bool
- Required: no
- `ssh_gssapi_support`
- Default: `false`
- Description: Set to `true` to enable GSSAPI authentication (both client and server).
- Type: bool
- Required: no
- `ssh_hardening_enabled`
- Default: `true`
- Description: Whether to run the hardening
- Type: bool
- Required: no
- `ssh_host_certificates`
- Default: ``
- Description: Host certificates to look for when starting sshd
- Type: list
- Required: no
- `ssh_host_key_algorithms`
- Default: ``
- Description: Host key algorithms that the server offers. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version
- Type: list
- Required: no
- `ssh_host_key_files`
- Default: ``
- Description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version.
- Type: list
- Required: no
- `ssh_host_rsa_key_size`
- Default: `4096`
- Description: Specifies the number of bits in the private host RSA key to create.
- Type: str
- Required: no
- `ssh_kerberos_support`
- Default: `true`
- Description: Set to `true` if SSH has Kerberos support.
- Type: bool
- Required: no
- `ssh_kex`
- Default: ``
- Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`
- Type: list
- Required: no
- `ssh_listen_to`
- Default: `["0.0.0.0"]`
- Description: one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 addresses, but should be configured to specific addresses for security reasons
- Type: list
- Required: no
- `ssh_login_grace_time`
- Default: `30s`
- Description: specifies the time allowed for successful authentication to the SSH server.
- Type: str
- Required: no
- `ssh_macs`
- Default: ``
- Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`
- Type: list
- Required: no
- `ssh_max_auth_retries`
- Default: `2`
- Description: Specifies the maximum number of authentication attempts permitted per connection.
- Type: str
- Required: no
- `ssh_max_sessions`
- Default: `10`
- Description: Specifies the maximum number of open sessions permitted from a given connection.
- Type: str
- Required: no
- `ssh_max_startups`
- Default: `10:30:60`
- Description: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.
- Type: str
- Required: no
- `ssh_pam_support`
- Default: `true`
- Description: Set to `true` if SSH has PAM support.
- Type: bool
- Required: no
- `ssh_permit_root_login`
- Default: `no`
- Description: Disable root-login. Set to `'without-password'` or `'yes'` to enable root-login - The quotes are required!
- Type: str
- Required: no
- `ssh_permit_tunnel`
- Default: `false`
- Description: `true` if SSH Port Tunneling is required.
- Type: bool
- Required: no
- `ssh_print_debian_banner`
- Default: `false`
- Description: Set to `true` to print debian specific banner.
- Type: bool
- Required: no
- `ssh_print_last_log`
- Default: `false`
- Description: Set to `false` to disable display of last login information.
- Type: bool
- Required: no
- `ssh_print_motd`
- Default: `false`
- Description: Set to `false` to disable printing of the MOTD.
- Type: bool
- Required: no
- `ssh_print_pam_motd`
- Default: `false`
- Description: Set to `false` to disable printing of the MOTD via pam (Debian and Ubuntu).
- Type: bool
- Required: no
- `ssh_ps59`
- Default: `sandbox`
- Description: Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic.
- Type: str
- Required: no
- `ssh_remote_hosts`
- Default: ``
- Description: one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`
- Type: list
- Required: no
- `ssh_server_accept_env_vars`
- Default: ``
- Description: Specifies what environment variables sent by the client will be copied into the session's environment, multiple environment variables may be separated by whitespace.
- Type: str
- Required: no
- `ssh_server_config_file`
- Default: `/etc/ssh/sshd_config`
- Description: path of the ssh server configuration file, e.g. `/etc/ssh/sshd_config.d/custom.conf`.
- Type: str
- Required: no
- `ssh_server_enabled`
- Default: `true`
- Description: Set to `false` to disable the opensshd server.
- Type: bool
- Required: no
- `ssh_server_hardening`
- Default: `true`
- Description: `false` to stop harden the server.
- Type: bool
- Required: no
- `ssh_server_match_address`
- Default: ``
- Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
- Type: str
- Required: no
- `ssh_server_match_group`
- Default: ``
- Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
- Type: str
- Required: no
- `ssh_server_match_local_port`
- Default: ``
- Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
- Type: str
- Required: no
- `ssh_server_match_user`
- Default: ``
- Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
- Type: str
- Required: no
- `ssh_server_password_login`
- Default: `false`
- Description: Set to `true` to allow password-based authentication to the ssh server. You probably also need to change `sshd_authenticationmethods` to include `password` if you set `ssh_server_password_login`: `true`.
- Type: bool
- Required: no
- `ssh_server_permit_environment_vars`
- Default: `no`
- Description: `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global 'yes' or 'no' settings.
- Type: str
- Required: no
- `ssh_server_ports`
- Default: `["22"]`
- Description: ports on which ssh-server should listen.
- Type: list
- Required: no
- `ssh_server_revoked_keys`
- Default: ``
- Description: a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.
- Type: list
- Required: no
- `ssh_trusted_user_ca_keys`
- Default: ``
- Description: set the trusted certificate authorities public keys used to sign user certificates. Only used if `ssh_trusted_user_ca_keys_file` is set.
- Type: list
- Required: no
- `ssh_trusted_user_ca_keys_file`
- Default: ``
- Description: specifies the file containing trusted certificate authorities public keys used to sign user certificates.
- Type: str
- Required: no
- `ssh_use_dns`
- Default: `false`
- Description: Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address.
- Type: bool
- Required: no
- `ssh_use_pam`
- Default: `true`
- Description: Set to `false` to disable pam authentication.
- Type: bool
- Required: no
- `ssh_x11_forwarding`
- Default: `false`
- Description: Set to `false` to disable X11 Forwarding. Set to `true` to allow X11 Forwarding.
- Type: bool
- Required: no
- `sshd_authenticationmethods`
- Default: `publickey`
- Description: Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml`
- Type: str
- Required: no
- `sshd_custom_options`
- Default: ``
- Description: Custom lines for SSH daemon configuration.
- Type: list
- Required: no
- `sshd_log_level`
- Default: `VERBOSE`
- Description: the verbosity level that is used when logging messages from sshd.
- Type: str
- Required: no
- `sshd_moduli_file`
- Default: `/etc/ssh/moduli`
- Description: path to the SSH moduli file.
- Type: str
- Required: no
- `sshd_moduli_minimum`
- Default: `2048`
- Description: remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam.
- Type: str
- Required: no
- `sshd_strict_modes`
- Default: `true`
- Description: Check file modes and ownership of the user's files and home directory before accepting login.
- Type: bool
- Required: no
- `sshd_syslog_facility`
- Default: `AUTH`
- Description: The facility code that is used when logging messages from sshd.
- Type: str
- Required: no
## Dependencies
@ -431,6 +433,7 @@ None.
roles:
- name: devsec.hardening.ssh_hardening
```
<!-- END_ANSIBLE_DOCS -->
## Configuring settings not listed in role-variables