author: Lars Wirzenius <> 2022-08-02 09:34:24 +0300
committer: Lars Wirzenius <> 2022-08-02 09:34:24 +0300
commit: 025f29b350eae4e13ef30c1513c3705ab56b09fa (patch)
tree: 7a368dd94535b4dcc1040e15c79a13a0b639aefa /roles
parent: 66e7ecebce239a3c59696786fb776f5d729831b1 (diff)
docs: document the `sshd` role variables
Sponsored-by: author
Diffstat (limited to 'roles')
1 files changed, 17 insertions, 0 deletions
diff --git a/roles/sshd/README b/roles/sshd/README
index 40ee00a..570f742 100644
--- a/roles/sshd/README
+++ b/roles/sshd/README
@@ -4,3 +4,20 @@ may:
- set host key and certificate
- set user CA
- set port on which server listens
+To use, define variables below:
+- `sshd_version`---must match the current version for the role
+- `sshd_host_key` and `sshd_host_cert`---the host key and
+ corresponding certificate
+ - note that you must define both for either to work
+ - rationale: there's little point in just setting the host key, as
+ it will still force people to accept it the first time; a host
+ certificate removes that need and allows the key to change at will
+- `sshd_port`---the port where the SSH server should listen
+ - rationale: on public-facing servers, the default port gets tons of
+ login attempts by attackers trying to guess passwords
+- `ssh_user_ca_pub`---the public keys of the SSH CAs trusted to
+ certify users
+ - rationale: using a user CA removes the need to maintain, or have,
+ `authorized_keys` files
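Review bot: the variable names in this hunk are inconsistent: the first three are prefixed `sshd_` (`sshd_version`, `sshd_host_key`, `sshd_host_cert`, `sshd_port`) while the last is `ssh_user_ca_pub`; if that is what the role actually reads, say so explicitly, otherwise rename it to `sshd_user_ca_pub` so a user copying the documented name does not silently leave the CA unset and the role falls back to whatever default it has. Two smaller points: `sshd_version---must match the current version for the role` does not tell the reader what the current version is or where to find it (a pointer to the file that defines it would do), and the `sshd_port` rationale should say that moving the port reduces log noise from password-guessing bots rather than implying it is a security control on its own (the user CA and host certificate items are what actually change the trust model). Also add a blank line before `+To use, define variables below:` so it does not render as a continuation of the preceding list item.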