Provide granular noop for ssh configuration #789

Merged
merged 2 commits into from
Oct 13, 2024
16 changes: 8 additions & 8 deletions roles/ssh_hardening/README.md
Expand Up @@ -139,8 +139,8 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
- Type: bool
- Required: no
- `ssh_ciphers`
- Default: ``
- Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`
- Default: undefined
- Description: Set a list of ciphers to override the one defined in `vars/main.yml`, or set it to false to skip this configuration.
- Type: list
- Required: no
- `ssh_client_alive_count`
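Review bot: "set it to false to skip this configuration" leaves unsaid what skipping does to the rendered sshd_config: no `Ciphers` directive is written at all, so sshd falls back to its compiled-in cipher list instead of the role's hardened one. Spell that out so readers can judge the trade-off, e.g. "or set it to false to leave sshd's built-in cipher defaults in place", and note that `Type: list` no longer matches a value that may also be `false` (`list | bool`, or a separate sentence on the accepted values). The same applies to the `ssh_kex` and `ssh_macs` entries below.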
Expand Down Expand Up @@ -244,8 +244,8 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
- Type: list
- Required: no
- `ssh_host_key_files`
- Default: ``
- Description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version.
- Default: undefined
- Description: Host keys for sshd. If undefined ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version, and a new `ssh_host_rsa_key` may be generated according to `ssh_host_rsa_key_size`. Set it to false to skip this configuration.
- Type: list
- Required: no
- `ssh_host_rsa_key_size`
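Review bot: the rewritten description packs four separate facts into one sentence (the fallback list, the "as far as supported" caveat, RSA key generation driven by `ssh_host_rsa_key_size`, and the `false` opt-out) and is hard to parse as a result. Splitting it into short sentences or sub-bullets, with the opt-out last, would read better, and it should say what `false` means in practice: no `HostKey` lines are rendered and sshd uses its own default host key paths.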
Expand All @@ -259,8 +259,8 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
- Type: bool
- Required: no
- `ssh_kex`
- Default: ``
- Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`
- Default: undefined
- Description: Set a list of Key Exchange Algorithms to override the one defined in `vars/main.yml`, or set it to false to skip this configuration.
- Type: list
- Required: no
- `ssh_listen_to`
Expand All @@ -274,8 +274,8 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
- Type: str
- Required: no
- `ssh_macs`
- Default: ``
- Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`
- Default: undefined
- Description: Set a list of macs to override the one defined in `vars/main.yml`, or set it to false to skip this configuration.
- Type: list
- Required: no
- `ssh_max_auth_retries`
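Review bot: "a list of macs" reads as a typo next to "Key Exchange Algorithms" in the `ssh_kex` entry; "MACs" (message authentication codes) matches the sshd directive name and the `MACs` line the template emits.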
6 changes: 0 additions & 6 deletions roles/ssh_hardening/defaults/main.yml
Expand Up @@ -40,9 +40,6 @@ ssh_client_port: "22" # ssh
# Default is empty, but should be configured for security reasons!
ssh_listen_to: [0.0.0.0] # sshd

# Host keys to look for when starting sshd.
ssh_host_key_files: [] # sshd

# Host RSA key size in bits
ssh_host_rsa_key_size: 4096 # sshd
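Review bot: removing `ssh_host_key_files` from defaults/main.yml also removes the only comment describing the variable in this file, so people who scan the defaults to discover tunables will no longer see it. A commented-out entry keeps it discoverable without defining it, e.g. `# ssh_host_key_files: []  # sshd; leave unset for the version-dependent default, set to false to skip`.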

Expand Down Expand Up @@ -206,9 +203,6 @@ ssh_max_startups: 10:30:60 # sshd

ssh_ps59: sandbox

ssh_macs: []
ssh_ciphers: []
ssh_kex: []
# directory where to store ssh_password policy
ssh_custom_selinux_dir: /etc/selinux/local-policies
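Review bot: with `ssh_macs`, `ssh_ciphers` and `ssh_kex` no longer defined here, the three descriptions in meta/argument_specs.yml that still say "Defaults found in `defaults/main.yml`" point at nothing; they need the same rewording the README entries got in this PR, and a short comment in this file explaining that unset means the version-dependent hardened list from `crypto_*.yml` and `false` means skip would replace what was deleted.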

8 changes: 4 additions & 4 deletions roles/ssh_hardening/meta/argument_specs.yml
Expand Up @@ -29,7 +29,7 @@ argument_specs:
Default is all IPv4 addresses, but should be configured to specific addresses
for security reasons
ssh_host_key_files:
default: []
default: undefined
type: list
description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key',
'/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the
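Review bot: `default: undefined` is a YAML string literal, so ansible-doc and the argument-spec validator will see a default of the text "undefined" rather than no default; omit the `default` key instead. The description also still says "If empty" while the README now says "If undefined", and neither the `type: list` nor the description mentions that `false` is accepted. The three entries in the hunk below have the same `default: undefined` problem.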
Expand Down Expand Up @@ -318,15 +318,15 @@ argument_specs:
description: Specifies the maximum number of concurrent unauthenticated connections
to the SSH daemon.
ssh_macs:
default: []
default: undefined
type: list
description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`
ssh_kex:
default: []
default: undefined
type: list
description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`
ssh_ciphers:
default: []
default: undefined
type: list
description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`
ssh_custom_options:
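Review bot: the `description` fields for `ssh_macs`, `ssh_kex` and `ssh_ciphers` were left untouched although their meaning changed in this PR: they still say "Defaults found in `defaults/main.yml`", which this PR deletes, and they do not mention the new `false` opt-out. Copy the wording from the updated README entries so the argument spec and the README agree.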
11 changes: 7 additions & 4 deletions roles/ssh_hardening/tasks/hardening.yml
Expand Up @@ -39,19 +39,22 @@
ansible.builtin.include_tasks: crypto_hostkeys.yml
when:
- ssh_server_hardening | bool
- not ssh_host_key_files
- ssh_host_key_files is undefined

- name: Set default for ssh_macs if not supplied
ansible.builtin.include_tasks: crypto_macs.yml
when: not ssh_macs
when:
- ssh_macs is undefined

- name: Set default for ssh_ciphers if not supplied
ansible.builtin.include_tasks: crypto_ciphers.yml
when: not ssh_ciphers
when:
- ssh_ciphers is undefined

- name: Set default for ssh_kex if not supplied
ansible.builtin.include_tasks: crypto_kex.yml
when: not ssh_kex
when:
- ssh_kex is undefined

- name: Create revoked_keys and set permissions to root/600
ansible.builtin.template:
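Review bot: switching from `not ssh_macs` to `ssh_macs is undefined` changes what an explicit empty list means. `ssh_macs: []` used to trigger the hardened default; now it is defined, the include is skipped, and the template renders the commented `MACs` line, i.e. sshd's built-in list. That is a silent weakening for any inventory that set `[]` to mean "use the role's defaults". Either call it out as a breaking change in the README/changelog, or keep the old meaning with `ssh_macs is undefined or ssh_macs == []` so that only `false` opts out. The same applies to `ssh_ciphers`, `ssh_kex` and `ssh_host_key_files` in this hunk.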
26 changes: 20 additions & 6 deletions roles/ssh_hardening/templates/opensshd.conf.j2
Expand Up @@ -34,9 +34,11 @@ ListenAddress {{ address }}
{% endfor %}

# HostKeys are listed here.
{% for key in ssh_host_key_files %}
{% if ssh_host_key_files is defined and ssh_host_key_files -%}
{% for key in ssh_host_key_files %}
HostKey {{ key }}
{% endfor %}
{% endfor %}
{% endif %}

# HostCertificates are listed here.
{% for certificate in ssh_host_certificates -%}
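Review bot: when `ssh_host_key_files` is `false` (or an empty list) the whole `HostKey` block disappears and sshd falls back to its compiled-in default host key paths. A one-line template comment under `# HostKeys are listed here.` saying exactly that would stop readers of the generated sshd_config from mistaking an empty section for "no host keys configured".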
Expand Down Expand Up @@ -73,14 +75,22 @@ LogLevel {{ sshd_log_level }}
# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
#
{# This outputs 'Ciphers <list-of-ciphers>' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined -#}
{{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers else 'Ciphers'|comment }}
{% if ssh_ciphers is defined and ssh_ciphers -%}
{{ 'Ciphers ' ~ ssh_ciphers|join(',') }}
{% else -%}
{{ 'Ciphers'|comment }}
{% endif %}

# **Hash algorithms** -- SHA-1 is formally deprecated by NIST in 2011 because of security issues.
# Weak HMAC is sometimes required if older package versions are used
# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
#
{# This outputs 'MACs <list-of-macs>' if ssh_macs is defined or '#MACs' if ssh_macs is undefined -#}
{{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs else 'MACs'|comment }}
{% if ssh_macs is defined and ssh_macs -%}
{{ 'MACs ' ~ ssh_macs|join(',') }}
{% else -%}
{{ 'MACs'|comment }}
{% endif %}

{% if sshd_version is version('5.9', '<') %}
# Alternative setting, if OpenSSH version is below v5.9
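Review bot: the `{# ... #}` comments above the `Ciphers` and `MACs` blocks still describe only the defined/undefined cases, but the new `{% if ... is defined and ... %}` branches also emit the commented directive for `false` and for an empty list. Update both comments the way the `KexAlgorithms` one was updated further down, so the template documents all three inputs that lead to sshd's built-in list being used.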
Expand All @@ -92,8 +102,12 @@ LogLevel {{ sshd_log_level }}
# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
#
{# This outputs 'KexAlgorithms <list-of-algos>' if ssh_kex is defined or '#KexAlgorithms' if ssh_kex is undefined #}
{{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex else 'KexAlgorithms'|comment }}
{# This outputs 'KexAlgorithms <list-of-algos>' if ssh_kex is defined and ssh_kex or '#KexAlgorithms' if ssh_kex is undefined #}
{% if ssh_kex is defined and ssh_kex -%}
{{ 'KexAlgorithms ' ~ ssh_kex|join(',') }}
{% else -%}
{{ 'KexAlgorithms'|comment }}
{% endif %}

# Authentication
# --------------
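Review bot: the updated comment "if ssh_kex is defined and ssh_kex or '#KexAlgorithms' if ssh_kex is undefined" is hard to read and still omits the `false` case that motivates the PR; "outputs 'KexAlgorithms <list>' when ssh_kex is a non-empty list, otherwise (undefined, false or empty) a commented KexAlgorithms line" says the same thing plainly.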