roles/sshd: Configure OpenSSH daemon

The *sshd* role can be used to configure the OpenSSH daemon. It supports
configuring a few options globally, as well as a limited set of options
in `Match` blocks (e.g. per-user/group configuration).

roles/sshd/defaults/main.yml

@@ -0,0 +1,5 @@
+sshd_permit_root_login: true
+sshd_password_authentication: true
+sshd_gssapi_authentication: true
+sshd_x11_forwarding: true
+sshd_config_matches: []

roles/sshd/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart sshd
+  service:
+    name=sshd
+    state=restarted

roles/sshd/tasks/main.yml

@@ -0,0 +1,6 @@
+- name: ensure sshd is configured
+  template:
+    src=sshd_config.j2
+    dest=/etc/ssh/sshd_config
+    mode=0600
+  notify: restart sshd

roles/sshd/templates/sshd_config.j2

@@ -0,0 +1,174 @@
+{% macro yesno(v) %}{{ 'yes' if v|bool else 'no' }}{% endmacro %}
+#	$OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# System-wide Crypto policy:
+# If this system is following system-wide crypto policy, the changes to
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
+# effect here. They will be overridden by command-line options passed on
+# the server start up.
+# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
+# variable in  /etc/sysconfig/sshd  to overwrite the policy.
+# For more information, see manual page for update-crypto-policies(8).
+
+# Logging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin {{ yesno(sshd_permit_root_login) }}
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication {{ yesno(sshd_password_authentication) }}
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication {{ yesno(sshd_gssapi_authentication) }}
+GSSAPICleanupCredentials no
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
+UsePAM yes
+
+{% if sshd_agent_forwarding is defined %}
+AllowAgentForwarding {{ yesno(sshd_agent_forwarding) }}
+{% else %}
+#AllowAgentForwarding yes
+{% endif %}
+{% if sshd_tcp_forwarding is defined %}
+AllowTcpForwarding {{ yesno(sshd_tcp_forwarding) }}
+{% else %}
+#AllowTcpForwarding yes
+{% endif %}
+#GatewayPorts no
+X11Forwarding {{ yesno(sshd_x11_forwarding) }}
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+{% for match in sshd_config_matches %}
+
+Match {{ match.object }} {{ match.pattern }}
+{% if match.password_auth is defined %}
+	PasswordAuthentication {{ yesno(match.password_auth) }}
+{% endif %}
+{% if match.agent_forwarding is defined %}
+	AllowAgentForwarding {{ yesno(match.agent_forwarding) }}
+{% endif %}
+{% if match.tcp_forwarding is defined %}
+	AllowTcpForwarding {{ yesno(match.tcp_forwarding) }}
+{% endif %}
+{% if match.permit_tty is defined %}
+	PermitTTY {{ yesno(match.permit_tty) }}
+{% endif %}
+{% if match.force_command is defined %}
+	ForceCommand {{ match.force_command }}
+{% endif %}
+{% endfor %}