Functional variables:

| Name | Description | Example value |
|---|---|---|
| sshd_Port_list | List of ports to listen on. For security reasons it is advised to use a privileged port (e.g. < 1024) so that an unprivileged process cannot take over the sshd port. The default is 22. | [ 122, 1022 ] |
| sshd_ListenAddress_list | List of network addresses to listen on. The default is to listen on all addresses (IPv4 and IPv6). | [ '1.2.3.4', '5.6.7.8' ] |
| sshd_sssd_ldap | Use sssd to retrieve user public keys from LDAP. Requires the sssd roles; set to false if sssd is not installed or not in LDAP mode. | True |
Access control variables:

| Name | Description | Default value |
|---|---|---|
| sshd_AllowGroups_list | List of groups that are allowed to connect using ssh. This is the new parameter that must be used. | [ 'root', 'op', 'sysop' ] for containers and [ 'root', 'op', 'sysop', 'localadm' ] for VMs and physical machines |
This role has been created so that it passes several security audit tests. As a result, it defines a set of secure parameters for:

To make it easy to change the Ciphers, MACs and KexAlgorithms if a vulnerability is found, these are defined in the `defaults/main.yml` file. Never change them via a local variable.

You can list the supported ciphers, MACs, KEX algorithms, etc. with `ssh -Q query_option`; see `man ssh` for usage.

As an additional security measure, this role handles the `RevokedKeys` option. This comes in handy if a key is compromised and you want to be sure that it will never work again. You can also enforce key rotation this way.
To use this feature, define a list of keys via this variable:

```yaml
sshd_RevokedKeys_list:
  - key1
  - key2
```
To allow some groups to connect to the host only via sftp, you must set this variable to true:

```yaml
sshd_sftp_enabled: True
```
This will change the sftp subsystem from `/usr/lib/openssh/sftp-server` to `internal-sftp`, which is necessary to achieve the required configuration.

The chroot directory must be writable only by root; this is mandatory, otherwise the connection will be refused. sshd enforces this to prevent privilege escalation from inside the chroot.
Define the variable `sshd_sftp_group_access` with a list of groups and the directory for their chroot:

```yaml
sshd_sftp_group_access:
  - name: "somegroup"
    ChrootDirectory: "/some/path"
  - name: "someothergroup"
    ChrootDirectory: "/some/other/path"
```
This will create these blocks in `/etc/ssh/sshd_config`:

```
# BEGIN sftp configuration for group somegroup
Match group somegroup
    ForceCommand internal-sftp
    ChrootDirectory /some/path
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
# END sftp configuration for group somegroup
# BEGIN sftp configuration for group someothergroup
Match group someothergroup
    ForceCommand internal-sftp
    ChrootDirectory /some/other/path
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
# END sftp configuration for group someothergroup
```
Creating a `~/.ssh/authorized_keys` file will work correctly with this system and allow the more secure login with a public/private key pair.
You still need to allow the groups that will use sftp to connect to the server via the sshd_AllowGroups_list variable.
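To check that a deployed `sshd_config` really carries the sftp restrictions described above, here is an added audit script (example code, not part of this role). It parses the `Match group` blocks, verifies each expected group has the full set of restrictive options, and, when `check_fs` is on, confirms the `ChrootDirectory` is root-owned and not group/world writable; the embedded sample config is constructed and deliberately names the wrong group in its second block so the audit reports it.

```python
import os
import stat

# Options the role writes into every sftp-only Match block; each sftp group must carry all of them.
REQUIRED = {"ForceCommand": "internal-sftp", "PermitTunnel": "no", "AllowAgentForwarding": "no",
            "AllowTcpForwarding": "no", "X11Forwarding": "no", "PermitTTY": "no"}

# Constructed sshd_config fragment (not from a real host): a complete block for 'somegroup', then a
# second block that names 'somegroup' again instead of 'someothergroup', which is left unrestricted.
SAMPLE_CONFIG = "Match group somegroup\n    ChrootDirectory /some/path\n" + "".join(
    f"    {opt} {val}\n" for opt, val in REQUIRED.items()
) + "Match group somegroup\n    ChrootDirectory /some/other/path\n"

def parse_match_blocks(config_text):
    """Return {group: {option: value}} for each 'Match group X' block (keywords kept as written)."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            crit, _, name = value.strip().partition(" ")
            current = blocks.setdefault(name.strip(), {}) if crit.lower() == "group" else None
        elif line and current is not None:
            current.setdefault(key, value.strip())    # first value wins, as sshd does
    return blocks

def chroot_mode_is_safe(uid, mode):
    """sshd refuses a ChrootDirectory unless it is root-owned and not group/world writable."""
    return uid == 0 and not mode & (stat.S_IWGRP | stat.S_IWOTH)

def audit(config_text, expected_groups, check_fs=True):
    """Return findings; an empty list means every expected sftp group is restricted and chrooted."""
    blocks, findings = parse_match_blocks(config_text), []
    for group in expected_groups:
        block = blocks.get(group)
        if block is None:
            findings.append(f"{group}: no 'Match group' block")
            continue
        for opt, want in REQUIRED.items():
            if block.get(opt) != want:
                findings.append(f"{group}: {opt} should be {want}, got {block.get(opt)}")
        chroot = block.get("ChrootDirectory")
        if not chroot:
            findings.append(f"{group}: ChrootDirectory missing")
        elif check_fs and not chroot_mode_is_safe((st := os.stat(chroot)).st_uid, st.st_mode):
            findings.append(f"{group}: {chroot} must be root-owned and not group/world writable")
    return findings
```

On a real host run `audit(open("/etc/ssh/sshd_config").read(), groups)` with the groups from `sshd_sftp_group_access`; only the top-level chroot directory is checked here, whereas sshd also requires every parent component to be root-owned and not writable by others.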