Merge pull request #31 from hardening-io/max_auth_tries

chris-rock · chris-rock · commit 950210348f89 · 2015-08-06T23:39:14.000-07:00
Make MaxAuthTries configurable
diff --git a/roles/ansible-ssh-hardening/defaults/main.yml b/roles/ansible-ssh-hardening/defaults/main.yml
@@ -29,6 +29,9 @@ ssh_listen_to: ['0.0.0.0']    # sshd
 # Host keys to look for when starting sshd.
 ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']        # sshd
 
+# Specifies  the  maximum  number  of authentication attempts permitted per connection.  Once the number of failures reaches half this value, additional failures are logged.
+ssh_max_auth_retries: 2
+
 ssh_client_alive_interval: 600          # sshd
 ssh_client_alive_count: 3               # sshd
 # one or more hosts, to which ssh-client can connect to. Default is empty, but should be configured for security reasons!
diff --git a/roles/ansible-ssh-hardening/templates/opensshd.conf.j2 b/roles/ansible-ssh-hardening/templates/opensshd.conf.j2
@@ -121,7 +121,7 @@ UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distr
 
 PermitUserEnvironment no
 LoginGraceTime 30s
-MaxAuthTries 2
+MaxAuthTries {{ssh_max_auth_retries}}
 MaxSessions 10
 MaxStartups 10:30:100
 
