modern ciphers/macs/kex. authentication-methods configurable

This commit is contained in:
Denis Knauf 2024-03-24 22:17:14 +01:00
parent 74eb86db0f
commit 3dd203ad52
2 changed files with 9 additions and 5 deletions

View file

@ -3,9 +3,10 @@ is_virt_guest: '{{ansible_virtualization_role == "guest"}}'
is_container: '{{ansible_virtualization_role == "guest" and ansible_virtualization_type == "lxc"}}' is_container: '{{ansible_virtualization_role == "guest" and ansible_virtualization_type == "lxc"}}'
sys_default_users: [] sys_default_users: []
sshd_permit_root_login: 'prohibit-password' sshd_permit_root_login: 'prohibit-password'
sshd_ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com' sshd_ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
sshd_macs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256' sshd_macs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
sshd_kex_algorithms: 'curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256' sshd_kex_algorithms: 'sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
sshd_host_keys: [/etc/ssh/ssh_host_ed25519_key, /etc/ssh/ssh_host_rsa_key] sshd_host_keys: /etc/ssh/ssh_host_ed25519_key
sshd_pubkey_authentication: 'yes'
sshd_kerberos_authentication: 'no' sshd_kerberos_authentication: 'no'
sshd_gssapi_authentication: 'no' sshd_gssapi_authentication: 'no'

View file

@ -1,9 +1,12 @@
{%if sshd_port is defined %}Port {{sshd_port}}{%endif%} {%if sshd_port is defined %}Port {{sshd_port}}{%endif%}
PermitRootLogin {{sshd_permit_root_login}} PermitRootLogin {{sshd_permit_root_login}}
StrictModes yes StrictModes yes
PubkeyAuthentication yes {%if sshd_pubkey_authentication%}PubkeyAuthentication {{sshd_pubkey_authentication}}{%endif%}
{%if sshd_kerberos_authentication is defined%}KerberosAuthentication {{sshd_kerberos_authentication}}{%endif%} {%if sshd_kerberos_authentication is defined%}KerberosAuthentication {{sshd_kerberos_authentication}}{%endif%}
{%if sshd_gssapi_authentication is defined%}GSSAPIAuthentication {{sshd_gssapi_authentication}}{%endif%} {%if sshd_gssapi_authentication is defined%}GSSAPIAuthentication {{sshd_gssapi_authentication}}{%endif%}
{%if sshd_password_authentication is defined%}PasswordAuthentication {{sshd_password_authentication}}{%endif%}
{%if sshd_kbdinteractive_authentication is defined%}KBDInteractiveAuthentication {{sshd_kbdinteractive_authentication}}{%endif%}
{%if sshd_hostbased_authentication is defined%}HostbasedAuthentication {{sshd_hostbased_authentication}}{%endif%}
TCPKeepAlive yes TCPKeepAlive yes
Ciphers {{sshd_ciphers}} Ciphers {{sshd_ciphers}}
MACs {{sshd_macs}} MACs {{sshd_macs}}