This Ansible role helps you manage SSHD configurations on your servers easily and efficiently.
All sshd_config options are supported.
> [!CAUTION]
> Any change to the SSHD configuration can affect server access and security. Always test a new configuration in a staging environment before applying it to production servers, keep an existing SSH session open while the change is applied, and validate the result on the host: `sshd -t` checks the configuration for syntax errors, and `sshd -T -C user=alice,addr=192.0.2.10` prints the effective settings for that connection, Match blocks included.
> [!IMPORTANT]
> This role does not configure the firewall or SELinux. To avoid losing access to your server, manage them with additional roles: a changed Port must be allowed by the firewall and, on SELinux systems, labelled ssh_port_t (for example `semanage port -a -t ssh_port_t -p tcp 2222`) before sshd is reloaded, or sshd will be unable to bind the new port.
Requirements:

- Ansible 2.9 or higher
- SSHD installed on target systems
Set to false to skip reloading the sshd service after the configuration changes. The default is true. Without a reload the new fragments are written to disk but not yet active.
Primary variable for configuring multiple SSHD config files. Each key in this dictionary is one configuration file in the sshd_config.d directory, and the keywords under it are written to that file. Because a stock sshd_config on current distributions includes sshd_config.d/*.conf near its top and sshd uses the first value it reads for most keywords, these fragments take precedence over the main sshd_config, and the numeric prefix in the file name decides precedence between fragments.
Keyword values yes and no are used as Ansible boolean values, so true and false in YAML are templated as yes and no.
You can specify a list of keyword values to create multiple lines for the same keyword:
```yaml
sshd_configd_files:
  00-example:
    ListenAddress:
      - 0.0.0.0
      - ::
```

This will be templated as:

```
ListenAddress 0.0.0.0
ListenAddress ::
```
For keywords whose values sshd expects as a single comma-separated token, such as Ciphers, MACs and HostKeyAlgorithms, specify them either as a list or as a ready-made comma-separated string:
```yaml
sshd_configd_files:
  00-example:
    Ciphers:
      - aes256-ctr
      - aes256-gcm@openssh.com
      - chacha20-poly1305@openssh.com
    HostKeyAlgorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
```

This will be templated as:

```
Ciphers aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
```
To use the Match block, format it as shown below. You can provide a list for the value field if you want the result to be a comma-separated string. The keywords listed under `keywords` apply only to connections that satisfy the criteria. Note that `without-password`, used in these examples, is the deprecated alias of `prohibit-password`; current OpenSSH still accepts it.
```yaml
sshd_configd_files:
  00-example:
    Match:
      - criteria: Address
        value:
          - 192.0.2.0/24
          - 192.0.3.0/24
        keywords:
          PermitRootLogin: without-password
      - criteria: Group
        value: admins
        keywords:
          PermitRootLogin: without-password
          PasswordAuthentication: true
```

This will be templated as:

```
Match Address 192.0.2.0/24,192.0.3.0/24
    PermitRootLogin without-password
Match Group admins
    PermitRootLogin without-password
    PasswordAuthentication yes
```
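The rendering rules above (booleans to yes/no, lists as repeated lines or comma-joined values, Match blocks with their own keywords), as an added worked example. This is an independent re-implementation written for this page, not the mephs.sshd role's own Jinja template: the set of comma-joined keywords, the four-space indentation inside Match blocks, rendering AllowUsers/AllowGroups lists as repeated lines, and the rule that Match blocks are always emitted after the global keywords are assumptions of this example. The last point matters for correctness: in sshd_config every line after a `Match` belongs to that block until the next `Match` or end of file, so a global keyword that slips below a Match block silently applies only to the matched sessions.

```python
"""Render a `sshd_configd_files`-style structure into sshd_config fragments.

Independent re-implementation of the rendering rules documented on this
page (written for this page, not the mephs.sshd role's own template).
COMMA_JOINED, MATCH_INDENT and the "Match blocks always last" rule are
assumptions of this example.
"""
from __future__ import annotations

from typing import Any

# Keywords whose list values sshd reads as ONE comma-separated token.
# Assumption: this set is not taken from the role; it follows sshd_config(5).
COMMA_JOINED = frozenset({
    "Ciphers", "MACs", "KexAlgorithms", "HostKeyAlgorithms",
    "PubkeyAcceptedAlgorithms", "PubkeyAcceptedKeyTypes",
    "HostbasedAcceptedAlgorithms", "CASignatureAlgorithms",
})
MATCH_INDENT = "    "  # cosmetic only; sshd ignores leading whitespace


def render_scalar(value: Any) -> str:
    """Map YAML/Ansible booleans to sshd's yes/no; everything else as text."""
    if isinstance(value, bool):
        return "yes" if value else "no"
    return str(value)


def render_keyword(keyword: str, value: Any) -> list[str]:
    """Render one keyword. A list becomes one comma-joined line for
    algorithm-style keywords and repeated lines otherwise (ListenAddress,
    AllowUsers, ...). sshd_config(5) separates AllowUsers/AllowGroups
    patterns with spaces, not commas, so repeating the line is the safe
    rendering for those."""
    if isinstance(value, (list, tuple)):
        if keyword in COMMA_JOINED:
            return [f"{keyword} {','.join(render_scalar(v) for v in value)}"]
        return [f"{keyword} {render_scalar(v)}" for v in value]
    return [f"{keyword} {render_scalar(value)}"]


def render_match(block: dict) -> list[str]:
    """Render `Match <criteria> <value>` plus its indented keywords.
    A list value is comma-joined, which is what Match criteria expect."""
    value = block["value"]
    if isinstance(value, (list, tuple)):
        value = ",".join(str(v) for v in value)
    lines = [f"Match {block['criteria']} {value}"]
    for keyword, kw_value in block.get("keywords", {}).items():
        if keyword == "Match":
            raise ValueError("Match blocks cannot nest")
        lines.extend(MATCH_INDENT + line for line in render_keyword(keyword, kw_value))
    return lines


def render_file(spec: dict) -> str:
    """Render one fragment. Global keywords are emitted before any Match
    block regardless of dictionary order, because everything after a Match
    line is scoped to that block until the next Match or end of file."""
    lines: list[str] = []
    for keyword, value in spec.items():
        if keyword != "Match":
            lines.extend(render_keyword(keyword, value))
    for block in spec.get("Match", []):
        lines.extend(render_match(block))
    return "\n".join(lines) + "\n"


def render_all(sshd_configd_files: dict) -> dict[str, str]:
    """Render every fragment, keyed by its name exactly as given."""
    return {name: render_file(spec) for name, spec in sshd_configd_files.items()}


# Constructed sample mirroring the page's examples (not captured from a host).
SAMPLE = {
    "00-example": {
        "ListenAddress": ["0.0.0.0", "::"],
        "Ciphers": ["aes256-ctr", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"],
        "HostKeyAlgorithms": "ssh-ed25519,rsa-sha2-512,rsa-sha2-256",
        "Match": [
            {"criteria": "Address", "value": ["192.0.2.0/24", "192.0.3.0/24"],
             "keywords": {"PermitRootLogin": "without-password"}},
            {"criteria": "Group", "value": "admins",
             "keywords": {"PermitRootLogin": "without-password",
                          "PasswordAuthentication": True}},
        ],
    },
}

if __name__ == "__main__":
    for name, text in render_all(SAMPLE).items():
        print(f"# {name}\n{text}")
```

Whatever file name the role uses on disk, the fragment is only read if it matches the `Include` glob in the main sshd_config (typically `/etc/ssh/sshd_config.d/*.conf`); `sshd -T` on the host is the quickest way to confirm that a fragment's values actually took effect.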
Set to true to clean up old configuration files in the sshd_config.d directory. The default is false. Leave it false unless you are sure no other tooling drops fragments into that directory, since a removed fragment takes its settings with it.
This role does not have any dependencies.
```yaml
- hosts: all
  become: true
  gather_facts: false
  vars:
    sshd_configd_files:
      10-basic-settings:
        PermitRootLogin: false
        PasswordAuthentication: true
        PubkeyAuthentication: true
      20-network-settings:
        Port: 2222
        ListenAddress:
          - 0.0.0.0
          - ::
      30-security-settings:
        AllowUsers:
          - alice
          - bob
        AllowGroups: admin,developers
      40-advanced-settings:
        MaxSessions: 10
        Ciphers: aes256-ctr,aes192-ctr,aes128-ctr
        MACs:
          - hmac-sha2-256
          - hmac-sha2-512
      50-match-settings:
        Match:
          - criteria: Address
            value:
              - 192.0.2.0/24
              - 192.0.3.0/24
            keywords:
              PermitRootLogin: without-password
          - criteria: Group
            value: admins
            keywords:
              PermitRootLogin: without-password
              PasswordAuthentication: true
  roles:
    - mephs.sshd
```

This will create 5 files on the system with the following contents:
`10-basic-settings`:

```
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
```

`20-network-settings`:

```
Port 2222
ListenAddress 0.0.0.0
ListenAddress ::
```

`30-security-settings`:

```
AllowUsers alice,bob
AllowGroups admin,developers
```

`40-advanced-settings`:

```
MaxSessions 10
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256,hmac-sha2-512
```

`50-match-settings`:

```
Match Address 192.0.2.0/24,192.0.3.0/24
    PermitRootLogin without-password
Match Group admins
    PermitRootLogin without-password
    PasswordAuthentication yes
```

Two things to verify on a staging host before rolling this example out: sshd_config(5) documents AllowUsers and AllowGroups as lists of patterns separated by spaces, not commas, so confirm with a test login that the rendered `AllowUsers alice,bob` and `AllowGroups admin,developers` lines admit the users you intend (when AllowUsers is set and no pattern matches, nobody can log in); and Port 2222 needs the firewall and SELinux changes described above before sshd is reloaded.
License: MIT
Created and maintained by Mikhail Vorontsov (@mephs) mvorontsov@tuta.io