Merge pull request #287 from dev-sec/chris-rock/customize-ssh-params

rndmh3ro · web-flow · commit 21bec11b0905 · 2020-06-02T08:57:30.000+02:00
allow customization of login gracetime and max sessins
diff --git a/README.md b/README.md
@@ -61,7 +61,9 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. |
 |`ssh_client_compression` | `false` | Specifies whether the client requests compression. |
 |`ssh_compression` | `false` | Specifies whether server-side compression is enabled after the user has authenticated successfully. |
+|`ssh_login_grace_time` | `30s` | specifies the time allowed for successful authentication to the SSH server | 
 |`ssh_max_auth_retries` | `2` | Specifies the maximum number of authentication attempts permitted per connection. |
+|`ssh_max_sessions` | `10` | Specifies the maximum number of open sessions permitted from a given connection. |
 |`ssh_print_debian_banner` | `false` | `true` to print debian specific banner |
 |`ssh_server_enabled` | `true` | `false` to disable the opensshd server |
 |`ssh_server_hardening` | `true` | `false` to stop harden the server |
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -34,9 +34,15 @@ ssh_host_key_files: []  # sshd
 # Specifies the host key algorithms that the server offers
 ssh_host_key_algorithms: []  # sshd
 
+# specifies the time allowed for successful authentication to the SSH server
+ssh_login_grace_time: 30s
+
 # Specifies  the  maximum  number  of authentication attempts permitted per connection.  Once the number of failures reaches half this value, additional failures are logged.
 ssh_max_auth_retries: 2
 
+# Specifies the maximum number of open sessions permitted from a given connection
+ssh_max_sessions: 10
+
 ssh_client_alive_interval: 300          # sshd
 ssh_client_alive_count: 3               # sshd
 
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -95,9 +95,9 @@ UseLogin no
 UsePrivilegeSeparation {% if (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6') or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
 {% endif %}
 
-LoginGraceTime 30s
+LoginGraceTime {{ssh_login_grace_time}}
 MaxAuthTries {{ssh_max_auth_retries}}
-MaxSessions 10
+MaxSessions {{ssh_max_sessions}}
 MaxStartups {{ssh_max_startups}}
 
 # Enable public key authentication
