diff options
author | Lars Wirzenius <liw@liw.fi> | 2022-08-02 09:34:24 +0300 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2022-08-02 09:34:24 +0300 |
commit | 025f29b350eae4e13ef30c1513c3705ab56b09fa (patch) | |
tree | 7a368dd94535b4dcc1040e15c79a13a0b639aefa /roles | |
parent | 66e7ecebce239a3c59696786fb776f5d729831b1 (diff) | |
download | debian-ansible-025f29b350eae4e13ef30c1513c3705ab56b09fa.tar.gz |
docs: document the `sshd` role variables
Sponsored-by: author
Diffstat (limited to 'roles')
-rw-r--r-- | roles/sshd/README | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/roles/sshd/README b/roles/sshd/README index 40ee00a..570f742 100644 --- a/roles/sshd/README +++ b/roles/sshd/README @@ -4,3 +4,20 @@ may: - set host key and certificate - set user CA - set port on which server listens + +To use, define variables below: + +- `sshd_version`---must match the current version for the role +- `sshd_host_key` and `sshd_host_cert`---the host key and + corresponding certificate + - note that you must define both for either to work + - rationale: there's little point in just setting the host key, as + it will still force people to accept it the first time; a host + certificate removes that need and allows the key to change at will +- `sshd_port`---the port where the SSH server should listen + - rationale: on public-facing servers, the default port gets tons of + login attempts by attackers trying to guess passwords +- `ssh_user_ca_pub`---the public keys of the SSH CAs trusted to + certify users + - rationale: using a user CA removes the need to maintain, or have, + `authorized_keys` files |