# Optional variables

Functional variables:

| Name | Description | Example value |
|------|-------------|---------------|
| sshd_Port_list | List of ports to listen on. For security reasons it is advised to use a privileged port (e.g. < 1024) so that an unprivileged process cannot take over the sshd port. The default is 22. | `[ 122, 1022 ]` |
| sshd_ListenAddress_list | List of network addresses to listen on. The default is to listen on all addresses (IPv4 and IPv6). | `[ '1.2.3.4', '5.6.7.8' ]` |
| sshd_sssd_ldap | Use sssd to retrieve user public keys from LDAP. Requires the sssd roles; set to false if sssd is not installed or not in LDAP mode. | `True` |

Access control variables:

| Name | Description | Default value |
|------|-------------|---------------|
| sshd_AllowGroups_list | List of groups that are allowed to connect using ssh; this is the new parameter that must be used. | `[ 'root', 'op', 'sysop' ]` for containers and `[ 'root', 'op', 'sysop', 'localadm' ]` for VMs and physical machines |

# Security

This role has been created so that it passes several security audit tests. As a result, it defines a set of secure parameters for:

- Ciphers
- MACs
- KexAlgorithms (this changes between versions)
- TCPKeepAlive
- ClientAliveCountMax
- ClientAliveInterval

To make it easy to change the `Ciphers`, `MACs` and `KexAlgorithms` if a vulnerability is found, these are defined in the defaults/main.yml file. *Never change them via a local variable.*

You can see the supported ciphers, MACs, key exchange algorithms, etc. via `ssh -Q query_option`; see `man ssh` for usage.
## Handling of revoked keys

As an additional security measure, this role handles the `RevokedKeys` option. This can come in handy if a key is compromised and you want to be sure that it will never work again. You can also enforce key rotation this way.

To use this feature, define a list of keys via this variable:

```
sshd_RevokedKeys_list:
  - key1
  - key2
```

# Allow some groups to only use sftp

To allow some groups to connect to the host only via sftp, you must set this variable to true:

```
sshd_sftp_enabled: True
```

This will change the sftp subsystem from `/usr/lib/openssh/sftp-server` to `internal-sftp`, which is necessary to achieve the required configuration.

## SFTP: Define accesses

The chroot directory must be writable only by root; this is mandatory, otherwise the connection will be refused. This is for security purposes, to avoid privilege escalation.

Define the variable `sshd_sftp_group_access` with a list of groups and the directory for their chroot:

```
sshd_sftp_group_access:
  - name: "somegroup"
    ChrootDirectory: "/some/path"
  - name: "someothergroup"
    ChrootDirectory: "/some/other/path"
```

This will create these blocks in /etc/ssh/sshd_config:

```
# BEGIN sftp configuration for group somegroup
Match group somegroup
    ForceCommand internal-sftp
    ChrootDirectory /some/path
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
# END sftp configuration for group somegroup

# BEGIN sftp configuration for group someothergroup
Match group someothergroup
    ForceCommand internal-sftp
    ChrootDirectory /some/other/path
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
# END sftp configuration for group someothergroup
```

Creating a ~/.ssh/authorized_keys file will work correctly with this system and correctly allow the more secure login with a public/private key pair.

You still need to allow the groups that will use sftp to connect to the server via the `sshd_AllowGroups_list` variable.
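The following is an added example, not part of this role: it renders the per-group sftp `Match` blocks shown above from a constructed `sshd_sftp_group_access` list, and checks the chroot requirement the page states, namely that sshd refuses a `ChrootDirectory` unless every component of its path is owned by root and writable by nobody else. The names `render_match_blocks`, `chroot_path_is_safe` and `stat_from_table` are assumptions for illustration; `stat_from_table` only exists so the check can run offline against a constructed permission table instead of the live filesystem.

```python
import os
import stat
from typing import Callable, Dict, List, Tuple

# Constructed sample mirroring the README's sshd_sftp_group_access variable.
SFTP_GROUP_ACCESS = [
    {"name": "somegroup", "ChrootDirectory": "/some/path"},
    {"name": "someothergroup", "ChrootDirectory": "/some/other/path"},
]

# Options the role forces inside every sftp-only Match block (from the page).
HARDENING = ("PermitTunnel no", "AllowAgentForwarding no",
             "AllowTcpForwarding no", "X11Forwarding no", "PermitTTY no")


def render_match_blocks(groups: List[Dict[str, str]]) -> str:
    """Render one Match block per group, in the shape the role writes to sshd_config."""
    lines = []
    for g in groups:
        name, chroot = g["name"], g["ChrootDirectory"]
        lines.append(f"# BEGIN sftp configuration for group {name}")
        lines.append(f"Match group {name}")
        lines.append("    ForceCommand internal-sftp")
        lines.append(f"    ChrootDirectory {chroot}")
        lines.extend(f"    {opt}" for opt in HARDENING)
        lines.append(f"# END sftp configuration for group {name}")
    return "\n".join(lines) + "\n"


def chroot_path_is_safe(path: str, stat_fn: Callable = os.stat) -> bool:
    """Walk every prefix of the path from / downwards: each must be owned by
    root (uid 0) and not group- or world-writable, or sshd refuses the chroot."""
    prefix = os.sep
    prefixes = [prefix]
    for part in os.path.abspath(path).split(os.sep)[1:]:
        if part:
            prefix = os.path.join(prefix, part)
            prefixes.append(prefix)
    for p in prefixes:
        st = stat_fn(p)
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False
    return True


class _FakeStat:
    def __init__(self, uid: int, mode: int):
        self.st_uid, self.st_mode = uid, mode


def stat_from_table(table: Dict[str, Tuple[int, int]]) -> Callable:
    """Build a stat_fn from a constructed {path: (uid, mode)} table so the check
    can run offline; a path missing from the table raises, like a missing dir."""
    return lambda p: _FakeStat(*table[p])
```

Against a live host, `chroot_path_is_safe("/some/path")` with the default `os.stat` performs the same walk on the real directory tree.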