Merge pull request dev-sec#149 from aeschbacher/master

new parameter: ssh_max_startups
divialth · Jan 25, 2018 · 7d53eea · 7d53eea
2 parents 063afd1 + e8be181
commit 7d53eea
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -65,6 +65,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd |
 |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
 |`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
+|`ssh_max_startups` | '10:30:100' | Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.|
 
 ## Example Playbook
 

diff --git a/default_custom.yml b/default_custom.yml
@@ -60,3 +60,4 @@
         options: ['StrictHostKeyChecking no']
     ssh_use_dns: true
     ssh_use_pam: true
+    ssh_max_startups: '10:30:60'
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -123,6 +123,8 @@ ssh_server_match_group: false           # sshd
 
 ssh_server_permit_environment_vars: false
 
+# maximum number of concurrent unauthenticated connections to the SSH daemon
+ssh_max_startups: '10:30:100'           # sshd
 
 ssh_ps53: 'yes'
 ssh_ps59: 'sandbox'

diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -80,7 +80,7 @@ UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distr
 LoginGraceTime 30s
 MaxAuthTries {{ssh_max_auth_retries}}
 MaxSessions 10
-MaxStartups 10:30:100
+MaxStartups {{ssh_max_startups}}
 
 # Enable public key authentication
 PubkeyAuthentication yes