From 71e670602c6a181d9b6e72244b0134088750ea5f Mon Sep 17 00:00:00 2001
From: Corbin Bartsch
Date: Thu, 15 Sep 2022 10:08:38 -0400
Subject: [PATCH] Default configurations match Mozilla Modern

---
 defaults/main.yaml       | 30 ++++++++++++++++++++++++++++--
 templates/sshd_config.j2 | 24 +++++++++++++++++++++---
 2 files changed, 49 insertions(+), 5 deletions(-)

diff --git a/defaults/main.yaml b/defaults/main.yaml
index cd7edfb..2334c61 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -7,8 +7,6 @@ ssh_address_family: any
 ssh_listen_addresses:
   - 0.0.0.0
 
-ssh_host_key_file: /etc/ssh/ssh_host_ed25519_key
-
 ssh_allow_groups: ssh
 ssh_login_grace_time: 20
 ssh_permit_root_login: 'no'
@@ -20,6 +18,32 @@ ssh_pubkey_authentication: 'yes'
 ssh_authorized_keys_file: .ssh/authorized_keys
 
+ssh_kexalgorithms:
+  # Mozilla Modern
+  - curve25519-sha256@libssh.org
+  - ecdh-sha2-nistp521
+  - ecdh-sha2-nistp384
+  - ecdh-sha2-nistp256
+  - diffie-hellman-group-exchange-sha256
+
+ssh_ciphers:
+  # Mozilla Modern
+  - chacha20-poly1305@openssh.com
+  - aes256-gcm@openssh.com
+  - aes128-gcm@openssh.com
+  - aes256-ctr
+  - aes192-ctr
+  - aes128-ctr
+
+ssh_macs:
+  # Mozilla Modern
+  - hmac-sha2-512-etm@openssh.com
+  - hmac-sha2-256-etm@openssh.com
+  - umac-128-etm@openssh.com
+  - hmac-sha2-512
+  - hmac-sha2-256
+  - umac-128@openssh.com
+
 ssh_hostbased_authentication: 'no'
 ssh_password_authentication: 'no'
 ssh_permit_empty_passwords: 'no'
@@ -42,3 +66,5 @@ ssh_accept_env:
 
 ssh_banner: true
 ssh_banner_file: /etc/issue.net
+
+ssh_loglevel: "VERBOSE"
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index ca7fa41..79952a5 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
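Review bot: Removing `ssh_host_key_file` from the defaults while the first hunk of templates/sshd_config.j2 tests a differently spelled `ssh_hostkey_file` silently breaks existing overrides: a playbook that still sets `ssh_host_key_file` fails the new `is defined` test and gets the three-key fallback instead of the key it configured. Either keep the original name in the template or accept both, e.g. `{% if ssh_hostkey_file is defined or ssh_host_key_file is defined %}` with `HostKey {{ ssh_hostkey_file | default(ssh_host_key_file) }}` on the following line. Since the variable no longer appears anywhere in defaults/main.yaml, a commented example such as `# ssh_hostkey_file: /etc/ssh/ssh_host_ed25519_key  # single host key; omit to load ed25519, rsa and ecdsa` keeps it discoverable.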
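Review bot: The Mozilla Modern profile these lists copy pairs `diffie-hellman-group-exchange-sha256` with pruning small groups from /etc/ssh/moduli, and nothing in this patch does that, so on hosts that still ship small moduli the group-exchange method can, depending on the OpenSSH version, negotiate a weaker group than the rest of the list implies. That deserves a comment on the entry, e.g. `# group-exchange uses /etc/ssh/moduli; Mozilla's guide keeps only groups >= 3071 bits (awk '$5 >= 3071' /etc/ssh/moduli)`, or a task elsewhere in the role that performs the pruning. The three `# Mozilla Modern` comments would also be more useful with the profile's date or the OpenSSH version range it targets, since the recommended lists change over time.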
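Review bot: `ssh_loglevel: "VERBOSE"` uses double quotes where every other string in this file (`'no'`, `'yes'`) uses single quotes; `ssh_loglevel: 'VERBOSE'` keeps the file consistent. A why-comment would also help, because the reason for raising the level above sshd's default is not visible here: `# Mozilla Modern; VERBOSE records more authentication detail than the sshd default INFO`.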
@@ -6,7 +6,23 @@ AddressFamily {{ ssh_address_family }}
 ListenAddress {{ a }}
 {% endfor %}
 
-HostKey {{ ssh_host_key_file }}
+{% if ssh_hostkey_file is defined %}
+HostKey {{ ssh_hostkey_file }}
+{% else %}
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+{% endif %}
+
+{% if ssh_kexalgorithms is defined %}
+KexAlgorithms {% for alg in ssh_kexalgorithms %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
+{% endif %}
+{% if ssh_ciphers is defined %}
+Ciphers {% for alg in ssh_ciphers %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
+{% endif %}
+{% if ssh_macs is defined %}
+MACs {% for alg in ssh_macs %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
+{% endif %}
 
 AllowGroups {{ ssh_allow_groups }}
 LoginGraceTime {{ ssh_login_grace_time }}
@@ -47,8 +63,10 @@ AcceptEnv {{ e }}
 PermitUserEnvironment no
 {% endif %}
 
+LogLevel {{ ssh_loglevel }}
+
 {% if ansible_facts['os_family'] == 'RedHat' %}
-Subsystem sftp /usr/libexec/openssh/sftp-server
+Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO
 {% elif ansible_facts['os_family'] == 'Debian' %}
-Subsystem sftp /usr/lib/openssh/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
 {% endif %}
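Review bot: The `{% for alg in ... %}{{ alg }}{{ "," if not loop.last }}{% endfor %}` loops on the new KexAlgorithms, Ciphers and MACs lines hand-roll what the `join` filter does, and an inline `if` with no `else` evaluates to a Jinja Undefined rather than an empty string, so whether it renders as nothing depends on the undefined handling in effect. `KexAlgorithms {{ ssh_kexalgorithms | join(',') }}`, and likewise for the other two, is shorter and sidesteps that. Separately, an override of `ssh_ciphers: []` passes the `is defined` guard and renders a bare `Ciphers` line, which sshd is likely to reject as a missing argument and refuse to start; guarding on truthiness as well covers it. The rewritten directives:
```jinja
{# … unchanged: HostKey block … #}
{% if ssh_kexalgorithms is defined and ssh_kexalgorithms %}
KexAlgorithms {{ ssh_kexalgorithms | join(',') }}
{% endif %}
{% if ssh_ciphers is defined and ssh_ciphers %}
Ciphers {{ ssh_ciphers | join(',') }}
{% endif %}
{% if ssh_macs is defined and ssh_macs %}
MACs {{ ssh_macs | join(',') }}
{% endif %}
```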