DeadSwitch de92f6f911
Linting and CI.
2026-02-20 12:16:01 +01:00

SSH Role

ds_ssh

This role deploys and manages OpenSSH. It provides hardened but safe defaults while allowing further overrides.

Defaults

sshd_package_name: openssh-server
sshd_service_name: ssh
sshd_config_owner: root
sshd_config_group: root
sshd_config_mode: "0644"
sshd_port: 22
sshd_protocol: 2

sshd_permit_root_login: "prohibit-password"
sshd_password_authentication: "yes"
sshd_x11_forwarding: "no"
sshd_allow_tcp_forwarding: "no"
sshd_max_auth_tries: 3
sshd_login_grace_time: 30

sshd_challenge_response: "no"
sshd_kbd_interactive_auth: "no"
sshd_client_alive_interval: 300
sshd_client_alive_count_max: 0

sshd_ciphers:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

sshd_kex_algorithms:
  - curve25519-sha256
  - curve25519-sha256@libssh.org
  - ecdh-sha2-nistp521
  - ecdh-sha2-nistp384
  - ecdh-sha2-nistp256

Features

  • Installs and enables the OpenSSH server.
  • Manages /etc/ssh/sshd_config from a template.
  • Manages /etc/ssh/sshd_config.d/10-harden.conf for hardening.
  • Provides hardened defaults, safe for most environments.
  • Centralized variables for customization.

SSHD Hardening

The sshd hardening configuration goes into /etc/ssh/sshd_config.d/10-harden.conf.

Variables

| Variable | Type | Default | Comment |
| --- | --- | --- | --- |
| sshd_package_name | string | openssh-server | Package name. |
| sshd_service_name | string | ssh | SSH service name. |
| sshd_config_owner | string | root | SSH config file owner. |
| sshd_config_group | string | root | SSH config file group. |
| sshd_config_mode | string | 0644 | SSH config file permissions. |
| sshd_port | integer | 22 | SSHD listen port. |
| sshd_harden | boolean | yes | Deploys the hardened SSHD configuration when enabled. |
| sshd_protocol | integer | 2 | SSH protocol version. |
| sshd_permit_root_login | string | prohibit-password | Controls root login method. |
| sshd_password_authentication | boolean | yes | Enables or disables password authentication. |
| sshd_x11_forwarding | boolean | no | Enables or disables X11 forwarding. |
| sshd_max_auth_tries | integer | 3 | Maximum authentication attempts per session. |
| sshd_login_grace_time | integer | 30 | Login time limit (seconds). |
| sshd_challenge_response | boolean | no | Enables or disables challenge-response auth. |
| sshd_kbd_interactive_auth | boolean | no | Enables or disables keyboard-interactive auth. |
| sshd_client_alive_interval | integer | 300 | Server keepalive interval (seconds). |
| sshd_client_alive_count_max | integer | 0 | Max missed keepalive replies before disconnect. |
| sshd_allow_tcp_forwarding | boolean | no | Enables or disables TCP forwarding. |
| sshd_ciphers | list | See defaults | Allowed encryption ciphers. |
| sshd_kex_algorithms | list | See defaults | Allowed key-exchange algorithms. |
| sshd_allowgroups | list | - | Allowed groups for SSH login. |
| sshd_allowusers | list | - | Allowed users for SSH login. |

Example

Include it in your playbook:

- hosts: servers
  roles:
    - role: ds_ssh
      vars:
        sshd_port: 2222
        sshd_permit_root_login: "no"
        sshd_password_authentication: "no"
        sshd_max_auth_tries: 2
        sshd_client_alive_interval: 120
        sshd_allowgroups:
          - ansible
          - sudo
        sshd_allowusers:
          - switch
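The role places its hardening in /etc/ssh/sshd_config.d/10-harden.conf, and sshd keeps the first value it reads for each keyword, so the drop-in only takes effect if the main sshd_config reaches its Include line before any conflicting directive of its own. The following added example (my own code, not part of the ds_ssh role) resolves the effective settings under that rule and reports drift from the values the playbook above sets; the main config, the rendered drop-in content and its path are constructed assumptions, not the role's actual template output.

```python
# Added example, not ds_ssh's own code; assumptions are marked inline.
import re
# Constructed stock-style main config. The Include sits at the top, so the
# drop-in's directives are read first and win over the lines below it.
MAIN_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PasswordAuthentication yes
"""
# Same directives with the Include moved last: the main file's values win.
_lines = MAIN_CONFIG.splitlines()
MAIN_CONFIG_INCLUDE_LAST = "\n".join(_lines[1:] + _lines[:1])
# Constructed guess at what 10-harden.conf renders from the playbook example
# (path -> content); sshd expands the Include glob in sorted filename order.
DROPINS = {"/etc/ssh/sshd_config.d/10-harden.conf": """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowGroups ansible sudo
AllowUsers switch
"""}

def parse_directives(text):
    # Keywords lower-cased (sshd is case-insensitive); 'Key=Value' accepted.
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=?\s*(.*?)\s*$", line)
        if m:  # blank lines and '#' comments simply fail the match
            yield m.group(1).lower(), m.group(2)

def effective_settings(main_config, dropins=DROPINS):
    # sshd keeps the FIRST value seen per keyword; Include expands in place.
    def expand(text):
        for key, value in parse_directives(text):
            if key == "include":
                for _, content in sorted(dropins.items()):
                    yield from expand(content)
            else:
                yield key, value
    settings = {}
    for key, value in expand(main_config):
        settings.setdefault(key, value)
    return settings

# Values the playbook example above sets, keyed by sshd keyword.
EXPECTED = {"port": "2222", "permitrootlogin": "no", "allowusers": "switch",
            "passwordauthentication": "no", "allowgroups": "ansible sudo"}
def hardening_drift(settings, expected=EXPECTED):
    # {keyword: (effective, expected)} for every mismatch; empty means OK.
    return {k: (settings.get(k), v) for k, v in expected.items()
            if settings.get(k) != v}
```

Calling hardening_drift(effective_settings(MAIN_CONFIG_INCLUDE_LAST)) shows Port and PasswordAuthentication falling back to the main file's values, which is the silent failure to check for after deploying the role.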

License

MIT.

[Fear the Silence. Fear the Switch.]

Description
Ansible role that manages the SSHD server.