diff --git a/ssh-server/files/ssh_config b/ssh-server/files/ssh_config
new file mode 100644
index 0000000000000000000000000000000000000000..7f43866f5ce2e8b70b182e842901c49644caf887
--- /dev/null
+++ b/ssh-server/files/ssh_config
@@ -0,0 +1,53 @@
+
+# This is the ssh client system-wide configuration file.  See
+# ssh_config(5) for more information.  This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options.  For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Include /etc/ssh/ssh_config.d/*.conf
+
+Host *
+#   ForwardAgent no
+#   ForwardX11 no
+#   ForwardX11Trusted yes
+#   PasswordAuthentication yes
+#   HostbasedAuthentication no
+#   GSSAPIAuthentication no
+#   GSSAPIDelegateCredentials no
+#   GSSAPIKeyExchange no
+#   GSSAPITrustDNS no
+#   BatchMode no
+#   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
+#   StrictHostKeyChecking ask
+#   IdentityFile ~/.ssh/id_rsa
+#   IdentityFile ~/.ssh/id_dsa
+#   IdentityFile ~/.ssh/id_ecdsa
+#   IdentityFile ~/.ssh/id_ed25519
+#   Port 22
+#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
+#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
+#   EscapeChar ~
+#   Tunnel no
+#   TunnelDevice any:any
+#   PermitLocalCommand no
+#   VisualHostKey no
+#   ProxyCommand ssh -q -W %h:%p gateway.example.com
+#   RekeyLimit 1G 1h
+#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
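Review bot: `GSSAPIAuthentication yes` at L59 is switched on for every host unconditionally, while the server side of this same commit gates the matching directive on `ssh_gssapi` (authentication.conf.j2); because this client file is deployed with `copy` rather than `template`, it cannot follow that variable. If the intent is "always offer GSSAPI on the client, never delegate", a comment above the line would stop the next reader from trying to align the two sides: `# Client-side GSSAPI is always offered; credential delegation is pinned off in ssh_config.d/gssapi.conf`. If the intent is to follow `ssh_gssapi`, the file needs to become a template like its sshd counterpart.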
diff --git a/ssh-server/files/ssh_config.d/gssapi.conf b/ssh-server/files/ssh_config.d/gssapi.conf
new file mode 100644
index 0000000000000000000000000000000000000000..cf530e7e12f5c06c0fa96bd8f5dec7df42aca2e0
--- /dev/null
+++ b/ssh-server/files/ssh_config.d/gssapi.conf
@@ -0,0 +1,2 @@
+Host *
+    GSSAPIDelegateCredentials no
diff --git a/ssh-server/files/ssh_config.d/sshfp.conf b/ssh-server/files/ssh_config.d/sshfp.conf
new file mode 100644
index 0000000000000000000000000000000000000000..4bc4d595372ac5506a501e71fa83ece257c89914
--- /dev/null
+++ b/ssh-server/files/ssh_config.d/sshfp.conf
@@ -0,0 +1,2 @@
+Host *
+    VerifyHostKeyDNS yes
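Review bot: `VerifyHostKeyDNS yes` at L75 auto-accepts a host key only when the resolver reports the matching SSHFP record as DNSSEC-validated; a record that is not validated is handled as if the option were `ask`, so the protection is only as strong as the validating resolver configured on the client host, which this role does not appear to manage. A comment in the drop-in would make that dependency visible: `# Trusts SSHFP records only when the resolver marks them DNSSEC-validated; unvalidated records behave as "ask"`. It is worth a line in the role documentation too, since this is the setting that lets a first connection skip the fingerprint prompt.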
diff --git a/ssh-server/tasks/main.yml b/ssh-server/tasks/main.yml
index 24cd1f87e5ed819414b4b5448251dad810dc9f30..ef491fdfec4e73bb932dfc437aabb84a387af5a5 100644
--- a/ssh-server/tasks/main.yml
+++ b/ssh-server/tasks/main.yml
@@ -8,21 +8,58 @@
   tags:
     - ssh
 
-- name: ensure sshd is configured
+- name: ensure sshd is configured (old-style)
   template:
-    src: sshd_config.j2
+    src: sshd_config_old_style.j2
     dest: /etc/ssh/sshd_config
     owner: root
     group: root
     mode: '0644'
     backup: true
     validate: '/usr/sbin/sshd -t -f %s'
+  when: ansible_distribution_major_version|int(default=99) < 11
   notify:
     - restart sshd
   tags:
     - ssh
 
-- name: ensure ssh is configured
+- name: ensure sshd is configured (main)
+  template:
+    src: sshd_config_main.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0644'
+    backup: true
+    validate: '/usr/sbin/sshd -t -f %s'
+  when: ansible_distribution_major_version|int(default=99) > 10
+  notify:
+    - restart sshd
+  tags:
+    - ssh
+
+- name: ensure sshd is configured (drop-ins)
+  template:
+    src: "sshd_config.d/{{ item }}.j2"
+    dest: "/etc/ssh/sshd_config.d/{{ item }}"
+    owner: root
+    group: root
+    mode: '0644'
+    backup: true
+    validate: '/usr/sbin/sshd -t -f %s'
+  when: ansible_distribution_major_version|int(default=99) > 10
+  with_items:
+    - authentication.conf
+    - banner.conf
+    - ciphers.conf
+    - forwarding.conf
+    - groups.conf
+  notify:
+    - restart sshd
+  tags:
+    - ssh
+
+- name: ensure ssh is configured (old-style)
   template:
     src: ssh_config.j2
     dest: /etc/ssh/ssh_config
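Review bot: The drop-in task at L117-136 writes into `/etc/ssh/sshd_config.d/` but nothing in this hunk creates that directory; if the target's openssh-server package does not ship it (recent Debian releases do, as far as I know), the template task fails on a fresh host. A preceding `file:` task with `state: directory`, `owner: root`, `group: root`, `mode: '0755'` would make the role self-contained. A second gap: a drop-in later removed from the `with_items` list stays on disk and is still picked up by the `Include` glob, so a cleanup step for files in that directory the role does not manage is worth considering. Style: `with_items` is the legacy form; `loop:` is the current equivalent (same applies to the client tasks in the next hunk). The `ensure ssh is configured (old-style)` task starting at L138 continues past the end of this hunk.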
@@ -30,6 +67,34 @@
     group: root
     mode: '0644'
     backup: true
+  when: ansible_distribution_major_version|int(default=99) < 11
+  tags:
+    - ssh
+
+- name: ensure ssh is configured (main)
+  copy:
+    src: ssh_config
+    dest: /etc/ssh/ssh_config
+    owner: root
+    group: root
+    mode: '0644'
+    backup: true
+  when: ansible_distribution_major_version|int(default=99) > 10
+  tags:
+    - ssh
+
+- name: ensure ssh is configured (drop-ins)
+  copy:
+    src: "ssh_config.d/{{ item }}"
+    dest: "/etc/ssh/ssh_config.d/{{ item }}"
+    owner: root
+    group: root
+    mode: '0644'
+    backup: true
+  when: ansible_distribution_major_version|int(default=99) > 10
+  with_items:
+    - gssapi.conf
+    - sshfp.conf
   tags:
     - ssh
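Review bot: The client-side `copy` tasks at L150-173 carry no `validate:`, unlike the sshd tasks above, so a typo in `ssh_config` or one of the drop-ins lands on the host unchecked and breaks every outgoing ssh from it. `ssh -G -F <file> localhost` parses a configuration file without connecting and should exit non-zero on a syntax error, so `validate: 'ssh -G -F %s localhost'` would give these tasks the same protection the sshd ones have; `-F` also makes ssh ignore the installed `/etc/ssh/ssh_config`, so only the candidate file is checked. The `tags` at L174-175 belong to the drop-ins task; the old-style task's header is outside this hunk.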
 
diff --git a/ssh-server/templates/sshd_config.d/authentication.conf.j2 b/ssh-server/templates/sshd_config.d/authentication.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..48c51a500cb34d0e5ad4d25442a387ffb8a293bb
--- /dev/null
+++ b/ssh-server/templates/sshd_config.d/authentication.conf.j2
@@ -0,0 +1,2 @@
+PasswordAuthentication {{ 'yes' if ssh_password_auth else 'no' }}
+GSSAPIAuthentication {{ 'yes' if ssh_gssapi else 'no' }}
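Review bot: `PasswordAuthentication` at L183 is also set to a hard-coded `no` in sshd_config_main.j2 (L286 of this diff); this drop-in wins only because sshd keeps the first value it reads and the `Include` sits at the top of the main file. That dependency is invisible from here, so a comment would protect it against someone moving the `Include` further down: `# Takes precedence over sshd_config: Include is evaluated first and sshd keeps the first value it sees`. Both lines will most likely fail to render if `ssh_password_auth` or `ssh_gssapi` have no role default, which this diff does not show.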
diff --git a/ssh-server/templates/sshd_config.d/banner.conf.j2 b/ssh-server/templates/sshd_config.d/banner.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c426ec4eba9d21188125788679b72b408946f47b
--- /dev/null
+++ b/ssh-server/templates/sshd_config.d/banner.conf.j2
@@ -0,0 +1 @@
+Banner /etc/issue.net
diff --git a/ssh-server/templates/sshd_config.d/ciphers.conf.j2 b/ssh-server/templates/sshd_config.d/ciphers.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c01c088972432cbfb180a2226c2e040f9284abcd
--- /dev/null
+++ b/ssh-server/templates/sshd_config.d/ciphers.conf.j2
@@ -0,0 +1,9 @@
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+{% if ssh_strong_crypto %}
+HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+{% endif %}
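Review bot: The two `HostKey` directives at L198-199 are the only host-key configuration in the new-style layout (the main template keeps them commented), yet they live in a file named `ciphers.conf` and outside the `ssh_strong_crypto` guard, so a reader looking for why sshd offers no ECDSA key will not look here. Either move them to their own drop-in (say `hostkeys.conf`, a constructed name, added to the task's item list) or add a header comment: `# Host keys live here so the algorithm lists below match the keys actually offered`. The lists themselves look consistent: `HostKeyAlgorithms` at L202 offers only ed25519 and rsa-sha2 variants, which matches the two keys configured.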
diff --git a/ssh-server/templates/sshd_config.d/forwarding.conf.j2 b/ssh-server/templates/sshd_config.d/forwarding.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..6570f3af40c73ede3ff328acd8bea90ed340a139
--- /dev/null
+++ b/ssh-server/templates/sshd_config.d/forwarding.conf.j2
@@ -0,0 +1 @@
+DisableForwarding {{ 'no' if ssh_allow_forwarding else 'yes' }}
diff --git a/ssh-server/templates/sshd_config.d/groups.conf.j2 b/ssh-server/templates/sshd_config.d/groups.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..6826a365e97b416434447323d25182569424ad7c
--- /dev/null
+++ b/ssh-server/templates/sshd_config.d/groups.conf.j2
@@ -0,0 +1,3 @@
+{% for group in ssh_allow_groups %}
+AllowGroups {{ group }}
+{% endfor %}
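Review bot: When `ssh_allow_groups` is empty the loop at L220-222 emits no `AllowGroups` line at all, and sshd then accepts logins from every group; this fail-open case is silent, so the variable deserves either a guard that makes an empty list explicit (for example rendering `# ssh_allow_groups is empty: no group restriction applied`) or at minimum a comment stating that an empty list means unrestricted login. Separately, one `AllowGroups` line per group is unconventional; the documented form is a single space-separated list, `AllowGroups {{ ssh_allow_groups | join(' ') }}`, which does not rely on sshd accumulating repeated lines.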
diff --git a/ssh-server/templates/sshd_config_main.j2 b/ssh-server/templates/sshd_config_main.j2
new file mode 100644
index 0000000000000000000000000000000000000000..573b63e5674f4e4fbba7c9a5fc858395c99988f9
--- /dev/null
+++ b/ssh-server/templates/sshd_config_main.j2
@@ -0,0 +1,123 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server{{ ' ' ~ ssh_sftp_options if ssh_sftp_options|length > 0 else '' }}
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
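Review bot: `X11Forwarding yes` at L319 enables X11 forwarding unconditionally, whereas the upstream default is `no` and the rest of the role ties forwarding to `ssh_allow_forwarding`; it is only neutralised when that variable is false, via `DisableForwarding yes` in forwarding.conf.j2, so whenever forwarding is allowed X11 is always on. If that is intended, a comment above the line saying so would help; otherwise `X11Forwarding no` (or tying it to the same variable) is the safer default. The header comment at L236-239 is also worth extending with the precedence rule the drop-in design depends on: `# Drop-ins under sshd_config.d are read first and sshd keeps the first value it sees, so they override anything set below.`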
diff --git a/ssh-server/templates/sshd_config.j2 b/ssh-server/templates/sshd_config_old_style.j2
similarity index 95%
rename from ssh-server/templates/sshd_config.j2
rename to ssh-server/templates/sshd_config_old_style.j2
index da568b9854f74d00492a5072c0ef7aaee42de722..93f4ad6255f3682e136d64aecbefad5381dc603f 100644
--- a/ssh-server/templates/sshd_config.j2
+++ b/ssh-server/templates/sshd_config_old_style.j2
@@ -15,9 +15,8 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@op
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
-{# deprecated option in buster #}
-{% if ansible_distribution_major_version|int < 10 %}
-#Privilege Separation is turned on for security
+
+{% if ansible_distribution_major_version|int(default=99) < 10 %}
 UsePrivilegeSeparation yes
 {% endif %}
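Review bot: The rewrite at L363-367 drops the `{# deprecated option in buster #}` comment, which was the only explanation of why `UsePrivilegeSeparation` is gated on the major version; restoring it as `{# UsePrivilegeSeparation was dropped in buster (10); emit it only for older releases #}` keeps the reason next to the condition. The `int(default=99)` fallback at L367 is consistent with tasks/main.yml, though in practice it cannot change the outcome here, since the old-style task only runs when the same expression evaluates below 11.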