modern ciphers/macs/kex. authentication-methods configurable
parent
74eb86db0f
commit
3dd203ad52
2 changed files with 9 additions and 5 deletions
|
@ -3,9 +3,10 @@ is_virt_guest: '{{ansible_virtualization_role == "guest"}}'
|
||||||
is_container: '{{ansible_virtualization_role == "guest" and ansible_virtualization_type == "lxc"}}'
|
is_container: '{{ansible_virtualization_role == "guest" and ansible_virtualization_type == "lxc"}}'
|
||||||
sys_default_users: []
|
sys_default_users: []
|
||||||
sshd_permit_root_login: 'prohibit-password'
|
sshd_permit_root_login: 'prohibit-password'
|
||||||
sshd_ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
|
sshd_ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
|
||||||
sshd_macs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
|
sshd_macs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
|
||||||
sshd_kex_algorithms: 'curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256'
|
sshd_kex_algorithms: 'sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
|
||||||
sshd_host_keys: [/etc/ssh/ssh_host_ed25519_key, /etc/ssh/ssh_host_rsa_key]
|
sshd_host_keys: /etc/ssh/ssh_host_ed25519_key
|
||||||
|
sshd_pubkey_authentication: 'yes'
|
||||||
sshd_kerberos_authentication: 'no'
|
sshd_kerberos_authentication: 'no'
|
||||||
sshd_gssapi_authentication: 'no'
|
sshd_gssapi_authentication: 'no'
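Review bot: `sshd_host_keys` appears in this section both as a two-element list and as a bare path string, and the page has lost its +/- markers, so which form is the new default should be confirmed. If the scalar is the new value, any template or task that loops over the variable (not visible in this hunk) would iterate over single characters; keeping the type stable with `sshd_host_keys: [/etc/ssh/ssh_host_ed25519_key]` avoids that. The key-exchange list that contains `sntrup761x25519-sha512@openssh.com` makes sshd reject the whole configuration on releases that do not know that name, so the task that renders the file should check it before replacing the live config, for example with `validate: 'sshd -t -f %s'`. Removing the RSA host key also cuts off clients that cannot use Ed25519, which is worth stating in the commit description.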
|
||||||
|
|
|
@ -1,9 +1,12 @@
|
||||||
{%if sshd_port is defined %}Port {{sshd_port}}{%endif%}
|
{%if sshd_port is defined %}Port {{sshd_port}}{%endif%}
|
||||||
PermitRootLogin {{sshd_permit_root_login}}
|
PermitRootLogin {{sshd_permit_root_login}}
|
||||||
StrictModes yes
|
StrictModes yes
|
||||||
PubkeyAuthentication yes
|
{%if sshd_pubkey_authentication%}PubkeyAuthentication {{sshd_pubkey_authentication}}{%endif%}
|
||||||
{%if sshd_kerberos_authentication is defined%}KerberosAuthentication {{sshd_kerberos_authentication}}{%endif%}
|
{%if sshd_kerberos_authentication is defined%}KerberosAuthentication {{sshd_kerberos_authentication}}{%endif%}
|
||||||
{%if sshd_gssapi_authentication is defined%}GSSAPIAuthentication {{sshd_gssapi_authentication}}{%endif%}
|
{%if sshd_gssapi_authentication is defined%}GSSAPIAuthentication {{sshd_gssapi_authentication}}{%endif%}
|
||||||
|
{%if sshd_password_authentication is defined%}PasswordAuthentication {{sshd_password_authentication}}{%endif%}
|
||||||
|
{%if sshd_kbdinteractive_authentication is defined%}KBDInteractiveAuthentication {{sshd_kbdinteractive_authentication}}{%endif%}
|
||||||
|
{%if sshd_hostbased_authentication is defined%}HostbasedAuthentication {{sshd_hostbased_authentication}}{%endif%}
|
||||||
TCPKeepAlive yes
|
TCPKeepAlive yes
|
||||||
Ciphers {{sshd_ciphers}}
|
Ciphers {{sshd_ciphers}}
|
||||||
MACs {{sshd_macs}}
|
MACs {{sshd_macs}}
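Review bot: The templated `PubkeyAuthentication` line is guarded by truthiness (`{%if sshd_pubkey_authentication%}`) while every other directive in this hunk uses `is defined`. An override written as an unquoted YAML `no` becomes boolean false, the line is dropped, and sshd falls back to its built-in default, which leaves public-key authentication enabled. Writing it as `{%if sshd_pubkey_authentication is defined%}PubkeyAuthentication {{sshd_pubkey_authentication}}{%endif%}` keeps the guard consistent, and a comment in the defaults file should say that these values must be quoted `'yes'`/`'no'` strings. The PasswordAuthentication, KBDInteractiveAuthentication and HostbasedAuthentication lines are emitted only when their variables are set, and the defaults hunk on this page defines none of them, so unless they are set elsewhere the daemon's own defaults apply; an explicit default such as `sshd_password_authentication: 'no'` would make the intended state visible in the role.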
|
||||||
|
|