Skip to content

Latest commit

 

History

History
75 lines (53 loc) · 2.01 KB

README.md

File metadata and controls

75 lines (53 loc) · 2.01 KB

Secure SSH

This document describes some simple steps that improve the security of your SSH installation. That steps are include:

  • Disable the empty password login. Empty password is a very bad idea.

  • Disable remote root login. The preferred way to gain root permissions is use su or sudo command.

  • Add your identity key to ~/.ssh/authorized_keys on remote host for passwordless login.

  • Disable password login (done only if previous step is successful).

  • Enable PAM.

Role Variables

The desired behavior can be refined via variables.

Option Description
sshd Name of ssh daemon, default is ssh.
sshd_config Path to ssh daemon config, default is /etc/ssh/sshd_config.
ssh_identity_key Path to your identity key. Added to ~/.ssh/authorized_keys on remote host if both ssh_identity_key and ssh_user are defined. Default is undefined.
ssh_user Username on remote host whose authorized keys will be modified. Uses only if ssh_identity_key is defined. Default is undefined.

For example, you can override default variables by passing it as a parameter to the role like so:

roles:
    - { role: ., ssh_user: vital, ssh_identity_key: /home/vital/.ssh/id_rsa.pub }

Or send them via command line:

ansible-playbook test.yml --extra-vars "sshd_config=/etc/sshd_config"

Example Playbook

The example below uses sudo to play book on your localhost via local connection.

ansible-playbook test.yml \
    -i hosts.example \
    -c local \
    -s --ask-sudo-pass
# file: test.yml
- hosts: local
  roles:
    - { role: ., sshd: ssh, sshd_config: /etc/sshd_config }

License

Licensed under the MIT license.

Author Information

Created by Vital Kudzelka.

Don't hesitate create a GitHub Issue if you have any bugs or suggestions.