Add debian common role

common-debian/templates/etc/ssh/shosts.equiv.j2

@@ -0,0 +1,8 @@
+# SSH remote allowed hosts
+# {{ ansible_managed }}
+
+{% if hostbased_auth is defined and hostbased_auth %}
+{% for entry in hostbased_auth %}
+{{ entry }}
+{% endfor %}
+{% endif %}

common-debian/templates/etc/ssh/ssh_config.j2

@@ -0,0 +1,44 @@
+# Default SSH client configuration
+# {{ ansible_managed }}
+
+Host *
+#   ForwardAgent no
+#   ForwardX11 no
+#   ForwardX11Trusted yes
+#   RhostsRSAAuthentication no
+#   RSAAuthentication yes
+#   PasswordAuthentication yes
+#   EnableSSHKeysign yes	
+#   HostbasedAuthentication yes
+#   GSSAPIAuthentication no
+#   GSSAPIDelegateCredentials no
+#   GSSAPIKeyExchange no
+#   GSSAPITrustDNS no
+#   BatchMode no
+#   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
+#   StrictHostKeyChecking ask
+#   IdentityFile ~/.ssh/identity
+#   IdentityFile ~/.ssh/id_rsa
+#   IdentityFile ~/.ssh/id_dsa
+#   Port 22
+#   Protocol 2,1
+#   Cipher 3des
+#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
+#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+#   EscapeChar ~
+#   Tunnel no
+#   TunnelDevice any:any
+#   PermitLocalCommand no
+#   VisualHostKey no
+#   ProxyCommand ssh -q -W %h:%p gateway.example.com
+#   PreferredAuthentications hostbased,pubkey
+    SendEnv LANG LC_*
+    HashKnownHosts no
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
+    PubkeyAuthentication yes
+    HostbasedAuthentication yes
+    EnableSSHKeysign yes
+    CheckHostIP no

common-debian/templates/etc/ssh/ssh_known_hosts.j2

@@ -0,0 +1,8 @@
+# SSH remote allowed hosts
+# {{ ansible_managed }}
+
+{% if hostbased_auth is defined and hostbased_auth %}
+{% for entry in hostbased_auth %}
+{{ hostvars[entry]['ansible_hostname'] }},{{ hostvars[entry]['ansible_fqdn'] }},{{ hostvars[entry]['inventory_hostname'] }} ssh-ed25519 {{ hostvars[entry]['ansible_ssh_host_key_ed25519_public'] }}
+{% endfor %}
+{% endif %}

common-debian/templates/etc/ssh/sshd_config.j2

@@ -0,0 +1,40 @@
+# Main SSH daemon configuraton
+# {{ ansible_managed }}
+
+Port 22
+ListenAddress ::
+ListenAddress 0.0.0.0
+Protocol 2
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 30
+UsePAM yes
+StrictModes yes
+X11Forwarding no
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+AcceptEnv LANG LC_*
+
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
+
+PubkeyAuthentication yes
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+{% if 'role_hv' in group_names %}
+HostbasedAuthentication yes
+HostbasedUsesNameFromPacketOnly yes
+IgnoreRhosts no
+PermitRootLogin yes
+{% else %}
+HostbasedAuthentication no
+IgnoreRhosts yes
+PermitRootLogin no
+{% endif %}
+
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTH -l INFO