first commit

2024-09-17 00:49:08 +02:00 · 2024-09-17 00:49:08 +02:00 · b2deebfffc
commit b2deebfffc
9 changed files with 234 additions and 0 deletions
--- a/templates/00-sshd.conf.j2
+++ b/templates/00-sshd.conf.j2
@ -0,0 +1,28 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+
+ChallengeResponseAuthentication no
+UsePAM yes
+PasswordAuthentication no
+PermitRootLogin no
+
+# Allow specific users only
+AllowUsers {% for item in ssh_users %}{{ item.name }} {% endfor %}
+
+# Sicherheit und Allgemeines
+LoginGraceTime 2m
+ClientAliveInterval 600
+StrictModes yes
+AllowTcpForwarding no
+AllowStreamLocalForwarding no
+X11Forwarding no
+
+## Ciphers (01.2024, ssh-audit and https://www.ssh.com/academy/ssh/sshd_config#cryptographic-policy)
+# Encryption algorithms (ciphers)
+Ciphers aes256-ctr,aes128-ctr,aes192-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
+# Host-key algorithms
+HostKeyAlgorithms rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ssh-dss
+# Key exchange algorithms
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+# Message authentication code (MAC) algorithms
+MACs hmac-sha2-512,hmac-sha2-256
--- a/templates/10_allowed_suoders.j2
+++ b/templates/10_allowed_suoders.j2
@ -0,0 +1,6 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+
+{% for item in ssh_users %}
+{{ item.name }} ALL=(ALL) NOPASSWD: ALL
+{% endfor %}