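---
# Harden the sshd_config of a mounted target root (/mnt), e.g. during an
# image build. Values that YAML 1.1 would read as booleans ("yes"/"no") or
# numbers are quoted so sshd receives the literal words.
#
# Two sshd_config(5) semantics shape how these tasks are written:
#   * For each keyword the FIRST value obtained wins. A distro that ships
#     `Include /etc/ssh/sshd_config.d/*.conf` near the top (Debian/Ubuntu)
#     lets a drop-in such as cloud-init's `PasswordAuthentication yes` win
#     over anything set later in this file -- audit /mnt/etc/ssh/sshd_config.d
#     separately.
#   * Every line after a `Match` line belongs to that Match block. A directive
#     appended at EOF is therefore NOT global if the file ends with a Match
#     block, and keywords that are not Match-capable (e.g. Ciphers,
#     KexAlgorithms) would make sshd refuse to start there. Both tasks insert
#     before the first `Match` line (or at EOF when there is none).
#
# NOTE(review): no `validate:` is used because the file belongs to the target
# root, not the host; the host's sshd may not understand the same algorithm
# names. Run `chroot /mnt sshd -t` (or the target's equivalent) after these
# tasks before relying on the result.

- name: Adjust SSHD config
  ansible.builtin.lineinfile:
    path: /mnt/etc/ssh/sshd_config
    # Match the active or commented-out form of the keyword. lineinfile
    # replaces the LAST match: if the keyword also appears inside a Match
    # block, that occurrence is changed and the global one is left alone.
    regexp: '^\s*#?{{ item.option }}\s+.*$'
    line: '{{ item.option }} {{ item.value }}'
    # Only used when the keyword is absent: keep it in the global section.
    insertbefore: '^Match\s'
    firstmatch: true
  loop:
    - { option: LogLevel, value: VERBOSE }
    - { option: LoginGraceTime, value: "60" }
    - { option: PermitRootLogin, value: "no" }
    - { option: StrictModes, value: "yes" }
    - { option: MaxAuthTries, value: "4" }
    - { option: MaxSessions, value: "10" }
    # start:rate:full -- refuse new unauthenticated connections probabilistically
    # above 10, unconditionally at 60.
    - { option: MaxStartups, value: "10:30:60" }
    - { option: PubkeyAuthentication, value: "yes" }
    - { option: HostbasedAuthentication, value: "no" }
    - { option: IgnoreRhosts, value: "yes" }
    - { option: PasswordAuthentication, value: "no" }
    - { option: PermitEmptyPasswords, value: "no" }
    - { option: KerberosAuthentication, value: "no" }
    - { option: GSSAPIAuthentication, value: "no" }
    - { option: AllowAgentForwarding, value: "no" }
    - { option: AllowTcpForwarding, value: "no" }
    # Deprecated alias of KbdInteractiveAuthentication since OpenSSH 8.7;
    # still accepted, so it also disables keyboard-interactive on newer sshd.
    - { option: ChallengeResponseAuthentication, value: "no" }
    - { option: GatewayPorts, value: "no" }
    - { option: X11Forwarding, value: "no" }
    - { option: PermitUserEnvironment, value: "no" }
    # Probe an idle client every 300 s and drop it after one missed reply.
    - { option: ClientAliveInterval, value: "300" }
    - { option: ClientAliveCountMax, value: "1" }
    - { option: PermitTunnel, value: "no" }
    # The banner file must exist on the target; sshd logs an error otherwise.
    - { option: Banner, value: /etc/issue.net }

- name: Append CIS specific configurations to sshd_config
  ansible.builtin.blockinfile:
    path: /mnt/etc/ssh/sshd_config
    marker: "# {mark} CIS SSH HARDENING"
    # Global section only: Ciphers/KexAlgorithms/MACs are not valid inside a
    # Match block, so the block must not land after one.
    insertbefore: '^Match\s'
    block: |-
      ## CIS Specific
      # Ignored since OpenSSH 7.4 (SSH-1 support removed); harmless, kept only
      # for tooling that greps for it.
      Protocol 2
      ### Ciphers and keying ###
      # RekeyLimit 512M 6h
      # mlkem768x25519-sha256 needs OpenSSH 9.9+. An unknown KEX name is a
      # fatal config error ("Bad SSH2 KexAlgorithms") and sshd will not start;
      # drop it (or use sntrup761x25519-sha512 on 9.0+) for older targets.
      KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
      Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      # Encrypt-then-MAC variants only.
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
      ###########################
      AllowStreamLocalForwarding no
      PermitUserRC no
      # Evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups.
      # `*` allows everyone, so the Allow* lines are placeholders to be
      # narrowed per host; only the Deny* lines currently restrict anything.
      AllowUsers *
      AllowGroups *
      DenyUsers nobody
      DenyGroups nobody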