From c4b5e49f6e4b4a31c0c278e464c690823c0ad4fd Mon Sep 17 00:00:00 2001
From: bnewbold
Date: Fri, 15 Apr 2016 14:54:47 -0400
Subject: common: SSH authentication clarification

---
 roles/common/defaults/main.yml | 3 ++-
 roles/common/templates/etc_ssh_sshd_config.j2 | 5 +----
 2 files changed, 3 insertions(+), 5 deletions(-)
(limited to 'roles')

diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index 642f58e..f77cc3f 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -18,7 +18,8 @@ ssh_kex_algorithms: "diffie-hellman-group-exchange-sha256"
 ssh_ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
 ssh_macs: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
 sshd_allow_passwd: "no"
-sshd_print_motd: "yes"
+sshd_allow_chall_resp: "no"
+sshd_print_motd: "no"
 sshd_allow_root: "without-password"
 sshd_forward_x11: "yes"
diff --git a/roles/common/templates/etc_ssh_sshd_config.j2 b/roles/common/templates/etc_ssh_sshd_config.j2
index d9978e0..c0797a3 100644
--- a/roles/common/templates/etc_ssh_sshd_config.j2
+++ b/roles/common/templates/etc_ssh_sshd_config.j2
@@ -21,7 +21,6 @@ MACs {{ ssh_macs }}
 # Lifetime and size of ephemeral version 1 server key
 KeyRegenerationInterval 3600
-#ServerKeyBits 768
 ServerKeyBits 1024
 # Logging
@@ -51,8 +50,7 @@ PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
-# ChallengeResponseAuthentication no
-ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication {{ sshd_allow_chall_resp }}
 # Change to no to disable tunnelled clear text passwords
 PasswordAuthentication {{ sshd_allow_passwd }}
@@ -92,4 +90,3 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
-
--
cgit v1.2.3
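Review bot: The flip of `sshd_print_motd` from "yes" to "no" is an unrelated behaviour change that the subject ("SSH authentication clarification") does not cover, and nothing in the file explains why the new `sshd_allow_chall_resp` key defaults to "no". Since the sshd template keeps `UsePAM yes` (last hunk of this commit) and its own comment there says PAM password prompting is only closed off when both PasswordAuthentication and ChallengeResponseAuthentication are 'no', the two defaults have to be read as a pair, so a comment above the new key would help: `# ChallengeResponseAuthentication; keep "no" together with sshd_allow_passwd, otherwise UsePAM yes can still prompt for passwords via keyboard-interactive`. The MOTD change is better split into its own commit or at least named in the message. Quoting the values as strings is right here: a bare no is a YAML 1.1 boolean and would render into the template as False rather than no.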
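Review bot: The comment kept above the new templated line (`# Change to yes to enable challenge-response passwords ...`) still reads as if the value were edited in place, while it is now driven by the role variable; change it to `# Challenge-response (keyboard-interactive) auth comes from sshd_allow_chall_resp in roles/common/defaults/main.yml; keep it "no" together with sshd_allow_passwd, since UsePAM yes is in effect below`. Because the variable is substituted verbatim, a host-level override with a value sshd does not accept leaves the daemon unable to load its config after the handler reloads it; if the task rendering this template does not already use `validate: /usr/sbin/sshd -t -f %s`, adding it catches that before the reload rather than after.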