SSHD Ansible Role¶

An Ansible role to configure the OpenSSH server (sshd) on Debian-based systems.

Features¶

Configure sshd settings (e.g., port, authentication, logging, session behavior)
Install and manage openssh-server
Lightweight validation (checks sshd configuration syntax before applying)

Installation¶

Add the following to your requirements.yml:

roles:
  - name: sshd
    src: https://gitlab.com/niclas-zone/tools/ansible/roles/sshd.git
    version: 1.0.0
    scm: git

Then install:

ansible-galaxy install -r requirements.yml --force

Role Variables¶

Variable	Default Value	Type	Description
`ansible_managed_warning`	`"This file is managed by Ansible. Manual changes will be overwritten."`	string	Text to embed as a header comment when templating files
`ansible_role_repository`	`https://gitlab.com/niclas-zone/tools/ansible/roles/sshd`	string	Repository URL for this role
`sshd_enabled`	`true`	boolean	Whether sshd should be enabled/started
`sshd_include_dir`	`"/etc/ssh/sshd_config.d"`	string	Directory for additional sshd configuration files
`sshd_port`	`22`	integer	Port on which sshd listens
`sshd_address_family`	`"any"`	string	Address family (`any`, `inet`, `inet6`)
`sshd_listen_addresses`	`[]`	list[str]	Specific addresses to bind to (leave empty for defaults)
`sshd_syslog_facility`	`"AUTH"`	string	Facility for syslog logging
`sshd_log_level`	`"INFO"`	string	Logging level
`sshd_login_grace_time`	`"2m"`	string	Time allowed for login before disconnect
`sshd_permit_root_login`	`"no"`	string	Permit root login (`no`, `prohibit-password`, `yes`)
`sshd_strict_modes`	`true`	boolean	Enable strict mode checking of home directory and files
`sshd_max_auth_tries`	`2`	integer	Maximum authentication attempts
`sshd_max_sessions`	`10`	integer	Maximum number of open sessions
`sshd_password_authentication`	`true`	boolean	Enable/disable password authentication
`sshd_pubkey_authentication`	`true`	boolean	Enable/disable public key authentication
`sshd_kbd_interactive_authentication`	`false`	boolean	Enable/disable keyboard-interactive authentication
`sshd_permit_empty_passwords`	`false`	boolean	Permit empty passwords
`sshd_authorized_keys_file`	`[".ssh/authorized_keys", ".ssh/authorized_keys2"]`	list[str]	Paths to authorized keys files
`sshd_authorized_principals_file`	`"none"`	string	Path to authorized principals file
`sshd_authorized_keys_command`	`"none"`	string	Command to retrieve authorized keys
`sshd_authorized_keys_command_user`	`"nobody"`	string	User to run the authorized keys command
`sshd_hostbased_authentication`	`false`	boolean	Enable/disable host-based authentication
`sshd_ignore_user_known_hosts`	`false`	boolean	Ignore user known hosts
`sshd_ignore_rhosts`	`true`	boolean	Ignore `.rhosts` and `.shosts` files
`sshd_kerberos_authentication`	`false`	boolean	Enable/disable Kerberos authentication
`sshd_kerberos_or_local_passwd`	`true`	boolean	Use Kerberos or local password
`sshd_kerberos_ticket_cleanup`	`true`	boolean	Clean up Kerberos tickets
`sshd_kerberos_get_afs_token`	`false`	boolean	Get AFS token when Kerberos is used
`sshd_gssapi_authentication`	`false`	boolean	Enable/disable GSSAPI authentication
`sshd_gssapi_cleanup_credentials`	`true`	boolean	Clean up GSSAPI credentials
`sshd_gssapi_strict_acceptor_check`	`true`	boolean	Enable strict acceptor checking for GSSAPI
`sshd_gssapi_key_exchange`	`false`	boolean	Enable/disable GSSAPI key exchange
`sshd_use_pam`	`true`	boolean	Enable/disable PAM authentication
`sshd_allow_agent_forwarding`	`true`	boolean	Enable/disable agent forwarding
`sshd_allow_tcp_forwarding`	`true`	boolean	Enable/disable TCP forwarding
`sshd_gateway_ports`	`false`	boolean	Enable/disable gateway ports
`sshd_x11_forwarding`	`true`	boolean	Enable/disable X11 forwarding
`sshd_x11_display_offset`	`10`	integer	X11 display offset
`sshd_x11_use_localhost`	`true`	boolean	Use localhost for X11 forwarding
`sshd_permit_tty`	`true`	boolean	Permit TTY
`sshd_print_motd`	`false`	boolean	Print MOTD
`sshd_print_last_log`	`true`	boolean	Print last login
`sshd_tcp_keep_alive`	`true`	boolean	Enable/disable TCP keep-alive
`sshd_permit_user_environment`	`false`	boolean	Permit user environment variables
`sshd_client_alive_interval`	`0`	integer	Interval for client alive messages
`sshd_client_alive_count_max`	`3`	integer	Maximum number of client alive messages
`sshd_use_dns`	`false`	boolean	Enable/disable DNS lookups
`sshd_rekey_limit`	`"default none"`	string	Rekey limit
`sshd_pid_file`	`"/run/sshd.pid"`	string	Path to PID file
`sshd_max_startups`	`"10:30:100"`	string	Maximum startups
`sshd_permit_tunnel`	`false`	boolean	Permit tunneling
`sshd_chroot_directory`	`"none"`	string	Chroot directory
`sshd_version_addendum`	`"none"`	string	Version addendum
`sshd_banner`	`"none"`	string	Path to banner file
`sshd_compression`	`"delayed"`	string	Compression setting
`sshd_accept_env`	see below	list[str]	Environment variables to accept from the client
`sshd_subsystem_sftp`	`"/usr/lib/openssh/sftp-server"`	string	Path to the SFTP subsystem

Default Environment Variables¶

sshd_accept_env:
  - "LANG"
  - "LC_*"
  - "COLORTERM"
  - "NO_COLOR"

Example Playbooks¶

Basic: configure sshd with defaults¶

---
- hosts: servers
  become: true
  roles:
    - role: sshd

Custom sshd settings¶

---
- hosts: servers
  become: true
  roles:
    - role: sshd
      vars:
        sshd_port: 2222
        sshd_permit_root_login: "prohibit-password"
        sshd_password_authentication: false
        sshd_pubkey_authentication: true
        sshd_max_auth_tries: 3
        sshd_max_sessions: 5
        sshd_x11_forwarding: false

Minimal configuration (disable password authentication)¶

---
- hosts: servers
  become: true
  roles:
    - role: sshd
      vars:
        sshd_password_authentication: false
        sshd_pubkey_authentication: true