From 4af7ef3b135af5cf452433150da78a8ce9729a24 Mon Sep 17 00:00:00 2001
From: Egor Tensin
Date: Mon, 14 Aug 2023 22:28:00 +0200
Subject: add sshd role

---
 roles/sshd/templates/sshd_config | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 roles/sshd/templates/sshd_config

(limited to 'roles/sshd/templates')

diff --git a/roles/sshd/templates/sshd_config b/roles/sshd/templates/sshd_config
new file mode 100644
index 0000000..6963c88
--- /dev/null
+++ b/roles/sshd/templates/sshd_config
@@ -0,0 +1,29 @@
+# Parameters that have sane defaults on Debian 11 are omitted.
+
+{% set ssh_port = hostvars[inventory_hostname].ansible_port %}
+{% set ssh_user = hostvars[inventory_hostname].ansible_user %}
+
+{% set groups = [ssh_user] + ssh_allowed_groups %}
+{% set groups = groups | sort | unique %}
+
+Port {{ ssh_port }}
+
+# Whitelist users:
+PermitRootLogin no
+AllowGroups {{ groups | join(' ') }}
+
+# Only public key authentication:
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Miscellaneous:
+PrintMotd no
+Subsystem sftp /usr/lib/openssh/sftp-server
-- 
cgit v1.2.3
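Review bot: `AllowGroups {{ groups | join(' ') }}` is fed the login user name through `{% set groups = [ssh_user] + ssh_allowed_groups %}`, but AllowGroups matches group names, so the Ansible user stays allowed only while a group with the same name exists (Debian's user-private-group convention); on a host where that account's primary group is named differently, applying this template locks the automation user out of the box it just configured. That assumption deserves a comment next to the set line, e.g. `{# ssh_user is listed as a group: relies on Debian creating a same-named private group per user #}`. The template-local `groups` also shadows Ansible's built-in `groups` inventory variable for the remainder of the template, which is harmless here but confusing; `allowed_groups` would be a clearer name. Note that `hostvars[inventory_hostname].ansible_port` presumably fails rendering when the inventory leaves the port at the default and never sets `ansible_port`, which is fail-closed but should be stated in the role's documentation.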