debops.sshd default variables

OpenSSH packages

sshd__base_packages

List of base packages that should be installed for OpenSSH support.

sshd__base_packages: [ 'openssh-server', 'openssh-client' ]

List of recommended packages that should be installed with OpenSSH.

sshd__recommended_packages: [ 'openssh-blacklist', 'openssh-blacklist-extra' ]
sshd__optional_packages

List of optional packages that should be installed with OpenSSH.

sshd__optional_packages: [ 'molly-guard' ]
sshd__ldap_packages

List of packages related to LDAP support required by OpenSSH.

sshd__ldap_packages: '{{ [ "ldap-utils" ]
                         if (sshd__authorized_keys_lookup|bool and
                             ("ldap" in sshd__authorized_keys_lookup_type))
                         else [] }}'
sshd__packages

List of additional packages to install.

sshd__packages: []

Host whitelists and allow lists

sshd__whitelist

List of IP addresses or CIDR subnets which should be allowed to connect to SSH without any restrictions. This list does not disallow connections from other hosts. This is a global list.

sshd__whitelist: []
sshd__group_whitelist

List of IP addresses or CIDR subnets which should be allowed to connect to SSH without any restrictions. This list does not disallow connections from other hosts. This is a group-based list.

sshd__group_whitelist: []
sshd__host_whitelist

List of IP addresses or CIDR subnets which should be allowed to connect to SSH without any restrictions. This list does not disallow connections from other hosts. This is a host-based list.

sshd__host_whitelist: []
sshd__allow

List of IP addresses or CIDR subnets that should be allowed to access SSH service. If it's set, access from hosts and networks not specified here is denied in TCP Wrappers and limited in iptables. This is a global list.

sshd__allow: []
sshd__group_allow

List of IP addresses or CIDR subnets that should be allowed to access SSH service. If it's set, access from hosts and networks not specified here is denied in TCP Wrappers and limited in iptables. This is a group list.

sshd__group_allow: []
sshd__host_allow

List of IP addresses or CIDR subnets that should be allowed to access SSH service. If it's set, access from hosts and networks not specified here is denied in TCP Wrappers and limited in iptables. This is a host list.

sshd__host_allow: []

TCP Wrappers configuration

sshd__tcpwrappers_default

If list of allowed hosts is not specified, this value will be set in TCP Wrappers for sshd service. By default any host is allowed to connect.

sshd__tcpwrappers_default: 'ALL'

Firewall (ferm) configuration

sshd__ferm_weight

Specify the "weight" of the sshd firewall rules. The more weight they have, he later in the firewall they will be defined. If you change the default weight, you will need to remove the old rules manually from the remote host.

sshd__ferm_weight: '30'
sshd__ferm_limit

Enable or disable limited SSH access from all hosts in ip(6)tables. Recent new connections are filtered and when too many new connections are created in specified time window, host is added to the recent blocklist.

sshd__ferm_limit: True
sshd__ferm_limit_seconds

Length of the time window used by firewall to catch new offenders, by default 5 minutes.

sshd__ferm_limit_seconds: '{{ (60 * 5) }}'
sshd__ferm_limit_hits

How many new connections to allow in specified time window.

sshd__ferm_limit_hits: '8'
sshd__ferm_limit_chain

Name of the iptables chain used for filtering SSH connections.

sshd__ferm_limit_chain: 'filter-ssh'
sshd__ferm_limit_target

Specify what happens with packets filtered by the firewall that are above the specified limit. Either REJECT, DROP or name of iptables chain where packets will be sent through.

sshd__ferm_limit_target: 'REJECT'
sshd__ferm_ports

List of TCP ports to open in the firewall for SSH connections. You can use port numbers or service names from /etc/services.

sshd__ferm_ports: [ 'ssh' ]

OpenSSH server configuration

sshd__ports

List of ports which sshd will listen on.

sshd__ports: [ '22' ]
sshd__listen

List of IP addresses on which sshd should listen for new connections. If it's empty, sshd listens on all interfaces.

sshd__listen: []
sshd__host_keys

List of SSH host keys that should be enabled, in order of preference.

sshd__host_keys: [ 'ed25519', 'rsa', 'ecdsa' ]
sshd__banner

Path to file which should be displayed before user authentication.

sshd__banner: 'none'
sshd__log_level

How much information should be logged by sshd server.

sshd__log_level: 'INFO'
sshd__permit_root_login

Specify if access to root account should be granted. By default root can be accessed only using SSH public keys.

sshd__permit_root_login: 'without-password'
sshd__password_authentication

Enable or disable password authentication.

sshd__password_authentication: 'no'
sshd__x11_forwarding

Enable or disable X11 forwarding by the server.

sshd__x11_forwarding: 'no'
sshd__max_auth_tries

Maximum number of failed authentication attempts allowed by the server.

sshd__max_auth_tries: '4'
sshd__max_startups

Maximum number of unauthenticated connections (3), after which there's 80% probability of next unauthenticated connection to be dropped, finishing at 7, after which all new unauthenticated connections will be refused.

sshd__max_startups: '3:80:7'
sshd__login_grace_time

Time after which unauthenticated sessions are disconnected.

sshd__login_grace_time: '20s'
sshd__privilege_separation

Specify if sshd should use unprivileged processes for incoming session authentication. Setting this to sandbox enables use of additional kernel restrictions.

sshd__privilege_separation: 'sandbox'
sshd__custom_options

Additional sshd_config(5) options specified in a YAML text block format.

sshd__custom_options: ''

Group-based access control

sshd__allow_groups

List of UNIX groups which allow connections to SSH service (global).

sshd__allow_groups: [ 'root', 'admins', 'sshusers', 'sftponly' ]
sshd__group_allow_groups

List of UNIX groups which allow connections to SSH service (host group).

sshd__group_allow_groups: []
sshd__host_allow_groups

List of UNIX groups which allow connections to SSH service (host).

sshd__host_allow_groups: []

Authorized keys management

sshd__authorized_keys

List of files which contain SSH public keys, to be used to authenticate remote users.

sshd__authorized_keys: '{{ sshd__authorized_keys_system +
                           sshd__authorized_keys_user }}'
sshd__authorized_keys_system

List of system-wide files containing SSH public keys. These files are expected to be maintained by system administrator and might be used in restricted environments (for example SFTPonly accounts).

sshd__authorized_keys_system:
  - '/etc/ssh/authorized_keys/%u'
sshd__authorized_keys_user

List of user files containing SSH public keys. These files are maintained by the users themselves.

sshd__authorized_keys_user:
  - '%h/.ssh/authorized_keys'
  - '%h/.ssh/authorized_keys2'

System-wide host fingerprints

sshd__known_hosts

List of FQDN hostnames that should be scanned to add host fingerprints to the system-wide known hosts file (global).

sshd__known_hosts: []
sshd__group_known_hosts

List of FQDN hostnames that should be scanned to add host fingerprints to the system-wide known hosts file (host group).

sshd__group_known_hosts: []
sshd__host_known_hosts

List of FQDN hostnames that should be scanned to add host fingerprints to the system-wide known hosts file (host).

sshd__host_known_hosts: []
sshd__known_hosts_file

System-wide file where host fingerprints are stored.

sshd__known_hosts_file: '/etc/ssh/ssh_known_hosts'
sshd__known_hosts_command

Command used to scan host fingerprints into system-wide known hosts file.

sshd__known_hosts_command: 'ssh-keyscan -H -T 10'

Encryption parameters

sshd__ciphers_map

Dict with list of ciphers which should be used by the sshd server, depending on available version, ordered from strongest to weakest. Newer version supersedes older version.

sshd__ciphers_map:

  # Source: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
  '6.5': [ 'chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com',
           'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr',
           'aes128-ctr' ]

  # Source: https://xivilization.net/~marek/blog/2015/01/12/secure-secure-shell-on-debian-wheezy/
  '6.0': [ 'aes256-ctr', 'aes192-ctr', 'aes128-ctr' ]
sshd__ciphers_additional

List of additional key exchange algorithms which should be used by the sshd server, depending on available version, depending on available version, ordered from stronger to weaker. Newer version supersedes older version.

sshd__ciphers_additional: []
sshd__kex_algorithms_map

Dict with list of key exchange algorithms which should be used by the sshd server, depending on available version, ordered from strongest to oldest. Newer version supersedes older version.

sshd__kex_algorithms_map:

  # Source: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
  '6.5': [ 'curve25519-sha256@libssh.org', 'ecdh-sha2-nistp521',
           'ecdh-sha2-nistp384', 'ecdh-sha2-nistp256',
           'diffie-hellman-group-exchange-sha256' ]

  # Source: https://xivilization.net/~marek/blog/2015/01/12/secure-secure-shell-on-debian-wheezy/
  '6.0': [ 'diffie-hellman-group-exchange-sha256' ]
sshd__kex_algorithms_additional

List of additional key exchange algorithms which should be used by the sshd server, depending on available version, depending on available version, ordered from stronger to weaker. Newer version supersedes older version.

sshd__kex_algorithms_additional: []
sshd__macs_map

Dict with list of message authentication code algorithms which should be used by the sshd server, depending on available version, ordered from stronger to weaker. Newer version supersedes older version.

sshd__macs_map:

  # Source: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
  '6.5': [ 'hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com',
           'umac-128-etm@openssh.com', 'hmac-sha2-512', 'hmac-sha2-256',
           'umac-128@openssh.com' ]

  # Source: https://xivilization.net/~marek/blog/2015/01/12/secure-secure-shell-on-debian-wheezy/
  '6.0': [ 'hmac-sha2-512', 'hmac-sha2-256' , 'hmac-ripemd160' ]
sshd__macs_additional

List of additional message authentication code algorithms to support by the sshd server, depending on available version, ordered from stronger to weaker. Newer version supersedes older version.

sshd__macs_additional: []
sshd__moduli_minimum

Specify minimum size of Diffie-Hellman parameters available to the SSH server. Parameters smaller than the given amount will be removed from the /etc/ssh/moduli file.

sshd__moduli_minimum: '2048'
sshd__paranoid

If set to True, only the first item (which is considered the strongest method available) from the lists sshd__ciphers_map, sshd__kex_algorithms_map and sshd__macs_map will be configured for sshd. Use this with care as it will deny access to anyone not able to use the first cryptographic method. See https://github.com/debops/ansible-sshd/issues/20

sshd__paranoid: False

Authorized key lookup configuration

sshd__authorized_keys_lookup

Enable support for looking up authorized public keys in external data sources (currently LDAP is supported). This function works only with OpenSSH 6.2+.

sshd__authorized_keys_lookup: False
sshd__authorized_keys_lookup_user

System user account which will be used to look up authorized keys.

sshd__authorized_keys_lookup_user: 'sshd-lookup'
sshd__authorized_keys_lookup_group

System group which will be used to look up authorized keys.

sshd__authorized_keys_lookup_group: 'sshd-lookup'
sshd__authorized_keys_lookup_home

Home directory used by authorized key lookup user.

sshd__authorized_keys_lookup_home: '/var/run/{{ sshd__authorized_keys_lookup_user }}'
sshd__authorized_keys_lookup_type

List of lookup scripts that should be enabled on a host.

sshd__authorized_keys_lookup_type: [ 'ldap' ]

LDAP lookup configuration

sshd__ldap_domain

Base DNS domain to use for LDAP BaseDN generation.

sshd__ldap_domain: '{{ ansible_domain }}'
sshd__ldap_base

LDAP base used for BaseDN generation.

sshd__ldap_base: '{{ "dc=" + sshd__ldap_domain.split(".") | join(",dc=") }}'
sshd__ldap_bind_basedn

LDAP BaseDN of the host account used to bind to the server.

sshd__ldap_bind_basedn: '{{ "ou=Machines," + sshd__ldap_base }}'
sshd__ldap_bind_cn

Host account name in LDAP.

sshd__ldap_bind_cn: 'cn={{ ansible_hostname }}'
sshd__ldap_bind_dn

Machine entry used to bind to the LDAP server.

sshd__ldap_bind_dn: '{{ sshd__ldap_bind_cn + "," + sshd__ldap_bind_basedn }}'
sshd__ldap_bind_basepw

Base path to file with host LDAP password in secret/ directory. See debops.secret Ansible role for more details.

sshd__ldap_bind_basepw: '{{ secret + "/credentials/" +
                            ansible_fqdn + "/ldap/host/binddn/" +
                            sshd__ldap_bind_dn + ".password" }}'
sshd__ldap_bind_pw

Machine password used for binding to LDAP database.

sshd__ldap_bind_pw: '{{ lookup("password", sshd__ldap_bind_basepw +
                        " length=" + sshd__ldap_password_length) }}'
sshd__ldap_bind_pw_file

Path to file which stores machine bind password on remote host.

sshd__ldap_bind_pw_file: '/etc/ssh/ldap_authorized_keys_bindpw'
sshd__ldap_password_length

Length of generated LDAP machine password.

sshd__ldap_password_length: '48'
sshd__ldap_filter

Active ldapsearch filter used to select correct account while looking up the SSH public key.

sshd__ldap_filter: '{{ sshd__ldap_filter_map["service+host"] }}'
sshd__ldap_filter_map

Dict with set of available LDAP filters that can be used to lookup the SSH public key.

sshd__ldap_filter_map:

  # User account needs 'authorizedService' attribute
  'service': '(&(objectClass=posixAccount)(uid=$username)(authorizedService=$service))'

  # User account needs 'host' attribute
  'host': '(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*.$domain)(host=\\*)))'

  # User account needs both 'authorizedService' and 'host' attributes.
  'service+host': '(&(objectClass=posixAccount)(uid=$username)(authorizedService=$service)(|(host=$hostname)(host=$fqdn)(host=\\*.$domain)(host=\\*)))'

Match conditional blocks

sshd__match_list

List of conditional Match blocks to include in sshd_config. Required parameters:

  • match: specify User, Group, or other Match arguments which should activate a given configuration block.
  • options: YAML text block which contains sshd_config(5) options active in a given Match block.
sshd__match_list: [ '{{ sshd__match_group_sftponly }}' ]
sshd__match_group_sftponly

Default Match conditional block which defines configuration for SFTPonly accounts.

sshd__match_group_sftponly:
  match: 'Group sftponly'
  options: |
    AuthorizedKeysFile {{ sshd__authorized_keys_system | join(' ') }}
    ChrootDirectory %h
    X11Forwarding no
    AllowAgentForwarding no
    AllowTcpForwarding no
    PermitTunnel no
    ForceCommand internal-sftp

Configuration of other services

sshd__apt_preferences__dependent_list

List of apt_preferences(5) rules. This is used to change what package versions are installed on a particular distribution.

sshd__apt_preferences__dependent_list:

  - package: 'ssh ssh-* openssh-*'
    backports: [ 'wheezy' ]
    reason:  'Version parity with Debian Jessie, support for AuthorizedKeysCommand, better ciphers'
    by_role: 'debops.sshd'
sshd__ferm__dependent_rules:

Configuration for iptables firewall managed by ferm.

sshd__ferm__dependent_rules:

  - type: 'accept'
    dport: '{{ sshd__ferm_ports }}'
    weight: '{{ sshd__ferm_weight }}'
    role: 'sshd'
    role_weight: '10'
    name: 'jump-filter-ssh'
    target: '{{ sshd__ferm_limit_chain }}'
    when: '{{ sshd__ferm_limit | bool }}'
    delete: '{{ not sshd__ferm_limit | bool }}'

  - chain: '{{ sshd__ferm_limit_chain if sshd__ferm_limit | bool else "INPUT" }}'
    type: 'accept'
    dport: '{{ sshd__ferm_ports }}'
    saddr: '{{ sshd__whitelist + sshd__group_whitelist + sshd__host_whitelist }}'
    weight: '{{ sshd__ferm_weight }}'
    role: 'sshd'
    role_weight: '20'
    name: 'whitelist'
    subchain: False
    accept_any: False

  - chain: '{{ sshd__ferm_limit_chain if sshd__ferm_limit | bool else "INPUT" }}'
    type: 'accept'
    dport: '{{ sshd__ferm_ports }}'
    saddr: '{{ sshd__allow + sshd__group_allow + sshd__host_allow }}'
    weight: '{{ sshd__ferm_weight }}'
    role: 'sshd'
    role_weight: '30'
    name: 'allow'
    subchain: False
    accept_any: '{{ False if sshd__ferm_limit | bool else True }}'

  - chain: '{{ sshd__ferm_limit_chain }}'
    type: 'recent'
    weight: '{{ sshd__ferm_weight }}'
    role: 'sshd'
    role_weight: '40'
    name: 'block-ssh'
    dport: '{{ sshd__ferm_ports }}'
    state: [ 'NEW' ]
    subchain: False
    recent_name: 'ssh-new'
    recent_update: True
    recent_seconds: '{{ sshd__ferm_limit_seconds }}'
    recent_hitcount: '{{ sshd__ferm_limit_hits }}'
    recent_target: 'REJECT'
    when: '{{ sshd__ferm_limit | bool }}'
    delete: '{{ not sshd__ferm_limit | bool }}'

  - chain: '{{ sshd__ferm_limit_chain }}'
    type: 'recent'
    weight: '{{ sshd__ferm_weight }}'
    role: 'sshd'
    role_weight: '50'
    name: 'mark-ssh'
    dport: '{{ sshd__ferm_ports }}'
    state: [ 'NEW' ]
    subchain: False
    recent_set_name: 'ssh-new'
    recent_log: False
    when: '{{ sshd__ferm_limit | bool }}'
    delete: '{{ not sshd__ferm_limit | bool }}'

  - chain: '{{ sshd__ferm_limit_chain }}'
    type: 'accept'
    weight: '{{ sshd__ferm_weight }}'
    role: 'sshd'
    role_weight: '60'
    name: 'ssh'
    dport: '{{ sshd__ferm_ports }}'
    when: '{{ sshd__ferm_limit | bool }}'
    delete: '{{ not sshd__ferm_limit | bool }}'
sshd__tcpwrappers__dependent_allow

Configure TCP wrappers to allow access to the sshd daemon.

sshd__tcpwrappers__dependent_allow:

  - daemon: 'sshd'
    client: '{{ sshd__whitelist + sshd__group_whitelist + sshd__host_whitelist }}'
    accept_any: '{{ False if (sshd__allow + sshd__group_allow + sshd__host_allow) else True }}'
    weight: '25'
    filename: 'sshd_dependent_whitelist'
    comment: 'Whitelist of hosts allowed to connect to ssh'

  - daemon: 'sshd'
    client: '{{ sshd__allow + sshd__group_allow + sshd__host_allow }}'
    default: '{{ sshd__tcpwrappers_default }}'
    accept_any: '{{ True if (sshd__whitelist + sshd__group_whitelist + sshd__host_whitelist) else False }}'
    weight: '30'
    filename: 'sshd_dependent_allow'
    comment: 'List of hosts allowed to connect to ssh'