veza/ansible/roles/openssh-server/readme.md

# Optional variables

Functional variables:

| Name                    | Description                                                                                                                                                                        | Example value              |
|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|
| sshd_Port_list          | list of ports to listen to, for security reason, it is advised to use a privileged port (eg < 1024) to avoid an unprivileged process to take over the sshd port, the default is 22 | `[ 122, 1022 ]`            |
| sshd_ListenAddress_list | list of network addresses to listen to, the default is to listen to all addresses (IPv4 and IPv6)                                                                                  | `[ '1.2.3.4', '5.6.7.8' ]` |
| sshd_sssd_ldap          | use sssd to retreive user pubkey from ldap. Require sssd roles, set to false if sssd is not installed or not in ldap mode                                                          | `True`                     |

Access control variables:

| Name                  | Description                                                                                       | Default value                                                                                                       |
|-----------------------|---------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| sshd_AllowGroups_list | list of groups that are allowed to connect using ssh, this is the new parameter that must be used | `[ 'root', 'op', 'sysop' ]` for containers and `[ 'root', 'op', 'sysop', 'localadm' ]` for VM and physical machines |

# Security
This role have been created so that it passes several security audit tests. As a result, it define a set of secure parameters for:
- Ciphers
- MACs
- KexAlgorithms (this changes between versions)
- TCPKeepAlive
- ClientAliveCountMax
- ClientAliveInterval

To easily change the `Ciphers`, `MACs` and `KexAlgorithms` if a vulnerabilty is found, those are defined in the defaults/main.yml file. *Never change them via a local variable.*

You can see the supported ciphers, macs, kex, etc via `ssh -Q query_option`, use `man ssh` for usage.

## Handling of revoked keys
As an additional security measure, this role handle the `RevokedKeys` option. This can come in handy if a key is compromised and you want to be sure that it will never work. You can also enfore key rotation this way.

To use this feature, define a list of keys via this variable:
```
sshd_RevokedKeys_list:
  - key1
  - key2
```

# Allow some groups to only uses sftp
To allow some groups to connect to the host only via sftp, you must set this variable to true:
```
sshd_sftp_enabled: True
```
This will change the sftp subsystem from `/usr/lib/openssh/sftp-server` to `internal-sftp`, which is necessary to achieve the required configuration.

## SFTP: Define accesses
The chroot directory must be only writable by root, this is mandatory else the connection will be refused. This is for security purpose to avoid privilege escalation.

Define the variable `sshd_sftp_group_access` with a list of groups and the directory for their chroot:
```
sshd_sftp_group_access:
  - name: "somegroup"
    ChrootDirectory: "/some/path"
  - name: "someothergroup"
    ChrootDirectory: "/some/other/path"
```
This will create those blocks in the /etc/ssh/sshd_config:
```
# BEGIN sftp configuration for group somegroup
Match group somegroup
    ForceCommand internal-sftp
    ChrootDirectory /some/path
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
# END sftp configuration for group somegroup
# BEGIN sftp configuration for group someothergroup
Match group somegroup
    ForceCommand internal-sftp
    ChrootDirectory /some/other/path
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
# END sftp configuration for group someothergroup
```
Creating a ~/.ssh/authorized_keys file will work correctly with this system and correctly allow the more secure login with public/private key pair.

You still need to allow the groups that will use sftp to connect to the server via the `sshd_AllowGroups_list` variable.