Merge pull request dev-sec#240 from bschonec/add_some_parameters

Added ssh_syslog_facility, ssh_log_level and ssh_strict_modes parameters

README.md

@@ -76,6 +76,9 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_ciphers` | [] | Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` |
 |`ssh_custom_options` | [] | Custom lines for SSH client configuration |
 |`sshd_custom_options` | [] | Custom lines for SSH daemon configuration |
+|`sshd_syslog_facility` | 'AUTH' | The facility code that is used when logging messages from sshd |
+|`sshd_log_level` | 'VERBOSE' | the verbosity level that is used when logging messages from sshd | 
+|`sshd_strict_modes` | 'yes' | Check file modes and ownership of the user's files and home directory before accepting login |
 
 ## Configuring settings not listed in role-variables
 

defaults/main.yml

@@ -230,3 +230,9 @@ ssh_custom_options: []
 
 # Custom options for SSH daemon configuration file
 sshd_custom_options: []
+
+# Logging
+sshd_syslog_facility: 'AUTH'
+sshd_log_level: 'VERBOSE'
+
+sshd_strict_modes: yes

templates/opensshd.conf.j2

@@ -42,11 +42,11 @@ HostKey {{key}}          # Req 20
 Protocol 2
 
 # Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.
-StrictModes yes
+StrictModes {{ 'yes' if (sshd_strict_modes|bool) else 'no' }}
 
 # Logging, obsoletes QuietMode and FascistLogging
-SyslogFacility AUTH
-LogLevel VERBOSE
+SyslogFacility {{ sshd_syslog_facility }}
+LogLevel {{ sshd_log_level }}
 
 # Cryptography
 # ------------