Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace default 2048 bits RSA keypair fails on Ubuntu 20.04 #459

Closed
rscott1010101 opened this issue Jul 6, 2021 · 7 comments · Fixed by #561
Closed

Replace default 2048 bits RSA keypair fails on Ubuntu 20.04 #459

rscott1010101 opened this issue Jul 6, 2021 · 7 comments · Fixed by #561
Labels

Comments

@rscott1010101
Copy link

Describe the bug
Fresh install of Ubuntu 20.04, simple playbook to apply ssh_hardening fails to regenerate the host key.

Actual behavior


TASK [devsec.hardening.ssh_hardening : Parse openssh-version] *******************************************************************************************************************************************************************************
ok: [10.8.10.230]

TASK [devsec.hardening.ssh_hardening : Set default for ssh_host_key_files if not supplied] **************************************************************************************************************************************************
included: /home/ansible/.ansible/collections/ansible_collections/devsec/hardening/roles/ssh_hardening/tasks/crypto_hostkeys.yml for 10.8.10.230

TASK [devsec.hardening.ssh_hardening : Replace default 2048 bits RSA keypair] ***************************************************************************************************************************************************************
fatal: [10.8.10.230]: FAILED! => {"changed": false, "msg": "Unable to read the key. The key is protected with a passphrase or broken. Will not proceed. To force regeneration, call the module with `generate` set to `full_idempotence` or `always`, or with `force=yes`."}


Example Playbook

- hosts: 10.8.10.230
  collections:
  - devsec.hardening
  roles:
  - ssh_hardening
  vars:
    ssh_permit_tunnel: true
    ssh_allow_tcp_forwarding: 'all'
    ssh_print_last_log: true
    sftp_chroot: false
    ssh_server_password_login: true
    sshd_authenticationmethods: 'publickey,password'

OS / Environment

Ubuntu 20.04 running on AWS.

Ansible Version

ansible 2.10.11
  config file = /opt/playbooks/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Jun  2 2021, 10:49:15) [GCC 9.4.0]

Role Version

7.7.0
@rndmh3ro rndmh3ro added the bug label Jul 7, 2021
@rndmh3ro
Copy link
Member

rndmh3ro commented Jul 7, 2021

Interesting, this does not happen in our CI.
Can you share the AMI you experienced the problem with?

@rscott1010101
Copy link
Author

Ami name is ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210430 .
It's the default Ubuntu 20.04 image listed in Quick Start when creating a new instance.

@skipperTux
Copy link

skipperTux commented Jul 12, 2021

Same issue on a bare metal Debian 10 machine, but only if the playbook runs as non-root (with become password). Looking into roles/ssh_hardening/tasks/crypto_hostkeys.yml the task Replace default 2048 bits RSA keypair is not running with become: true. However regenerating keys and writing into /etc/ssh needs root privileges.
It looks like we either need to run this role on a root connection with ansible_user: 'root' (and no idempotency, if the role disables ssh root login), or the role needs to be imported with become, see below.

- name: SSH hardening
  ansible.builtin.import_role:
    name: devsec.hardening.ssh_hardening
  become: true

(Though this gives [WARNING]: sftp transfer mechanism failed on [server]. Use ANSIBLE_DEBUG=1 to see detailed information on second run.)

What is the recommended approach?

Edit: Warning could be fixed by setting sftp_enabled: true.

@bedrin
Copy link

bedrin commented Oct 25, 2021

Same error on Ubuntu 21.10 Server Minimized

@chris-beckman
Copy link

Same error on Amazon Linux AMI 2018.03.

@HeikoG67
Copy link

I had same error on Ubuntu 22.04 but could solve it by runing playbook as sudo.
ansible-playbook ansible/playbooks/ssh_hardening.yml -u xxxxx -b -K

@schurzi
Copy link
Contributor

schurzi commented Aug 14, 2022

This role needs to run with root privileges, since we are changing a lot of system files. In the past we relied on our users adding become: true to the playbooks.
I have checked if it makes sense to add the become: true to all tasks, that require root privileges, but that would apply to nearly every task and it would be very redundant. However, I discovered a solution, to add become: true in our role in a single place and have everything run with an unprivileged user. The PR #561 is currently in review and, once merged, will be part of the next released version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants