Compare commits


No commits in common. "f7f609fde9bf0ff81abe75ba74c9959edac60c9c" and "1ba32043ced766365cc043900146b4506a16f3c5" have entirely different histories.

5 changed files with 5 additions and 121 deletions


@ -1,55 +1,3 @@
# ansible-role-openssh # ansible-role-openssh
Sensible and secure defaults for OpenSSH server. Sensible and secure defaults for OpenSSH server.
## Defaults
The defaults provided in this role are compliant with the [Mozilla Modern](https://infosec.mozilla.org/guidelines/openssh) for OpenSSH 6.7+
If you are running this role with older versions of OpenSSH, such as version 5.3 on RHEL or CentOS 6, you will need to override the defaults elsewhere (i.e. in your `group_vars` or `host_vars`). Below are a few Mozzila recommendations.
### Mozilla Modern
This is the default in this role.
```yaml
ssh_kexalgorithms:
- curve25519-sha256@libssh.org
- ecdh-sha2-nistp521
- ecdh-sha2-nistp384
- ecdh-sha2-nistp256
- diffie-hellman-group-exchange-sha256
ssh_ciphers:
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr
ssh_macs:
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- umac-128-etm@openssh.com
- hmac-sha2-512
- hmac-sha2-256
- umac-128@openssh.com
```
### Mozilla Intermediate
```yaml
ssh_hostkey_file: /etc/ssh/ssh_host_rsa_key
ssh_hostkey_file: /etc/ssh/ssh_host_ecdsa_key
ssh_kexalgorithms:
- diffie-hellman-group-exchange-sha256
ssh_ciphers:
- aes256-ctr
- aes192-ctr
- aes128-ctr
ssh_macs:
- hmac-sha2-512
- hmac-sha2-256
```


@ -7,6 +7,8 @@ ssh_address_family: any
ssh_listen_addresses: ssh_listen_addresses:
- 0.0.0.0 - 0.0.0.0
ssh_host_key_file: /etc/ssh/ssh_host_ed25519_key
ssh_allow_groups: ssh ssh_allow_groups: ssh
ssh_login_grace_time: 20 ssh_login_grace_time: 20
ssh_permit_root_login: 'no' ssh_permit_root_login: 'no'
@ -18,32 +20,6 @@ ssh_pubkey_authentication: 'yes'
ssh_authorized_keys_file: .ssh/authorized_keys ssh_authorized_keys_file: .ssh/authorized_keys
ssh_kexalgorithms:
# Mozilla Modern
- curve25519-sha256@libssh.org
- ecdh-sha2-nistp521
- ecdh-sha2-nistp384
- ecdh-sha2-nistp256
- diffie-hellman-group-exchange-sha256
ssh_ciphers:
# Mozilla Modern
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr
ssh_macs:
# Mozilla Modern
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- umac-128-etm@openssh.com
- hmac-sha2-512
- hmac-sha2-256
- umac-128@openssh.com
ssh_hostbased_authentication: 'no' ssh_hostbased_authentication: 'no'
ssh_password_authentication: 'no' ssh_password_authentication: 'no'
ssh_permit_empty_passwords: 'no' ssh_permit_empty_passwords: 'no'
@ -66,5 +42,3 @@ ssh_accept_env:
ssh_banner: true ssh_banner: true
ssh_banner_file: /etc/issue.net ssh_banner_file: /etc/issue.net
ssh_loglevel: "VERBOSE"
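Review bot: Removing `ssh_kexalgorithms`, `ssh_ciphers` and `ssh_macs` from the defaults, together with the matching `KexAlgorithms`/`Ciphers`/`MACs` directives in `templates/sshd_config.j2`, leaves the rendered sshd_config with no pinned algorithm set, so sshd falls back to whatever its build enables, which on older OpenSSH releases can include legacy options the previous defaults deliberately excluded. If leaving selection to the OS build is the intent, state it at the top of the file, e.g. `# KexAlgorithms/Ciphers/MACs are intentionally unset; the OpenSSH build defaults apply.`, so the change reads as a decision rather than an accidental hardening regression. The added `ssh_host_key_file` is a single scalar replacing the previous three HostKey entries, so a host without an ed25519 key would be configured with no host key at all and, as far as I can tell, sshd would refuse to start; a comment such as `# sshd does not start if this file is absent; generate host keys (ssh-keygen -A) first` would flag that dependency. The removal of `ssh_loglevel` in the last hunk also drops the VERBOSE logging default, which is worth noting in the same place.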


@ -1,2 +0,0 @@
test:
ansible-playbook test.yaml


@ -6,26 +6,7 @@ AddressFamily {{ ssh_address_family }}
ListenAddress {{ a }} ListenAddress {{ a }}
{% endfor %} {% endfor %}
{% if ssh_hostkey_file is defined %} HostKey {{ ssh_host_key_file }}
HostKey {{ ssh_hostkey_file }}
{% else %}
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
{% endif %}
{% if ssh_kexalgorithms is defined %}
KexAlgorithms {% for alg in ssh_kexalgorithms %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
{% endif %}
{% if ssh_ciphers is defined %}
Ciphers {% for alg in ssh_ciphers %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
{% endif %}
{% if ssh_macs is defined %}
MACs {% for alg in ssh_macs %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
{% endif %}
AllowGroups {{ ssh_allow_groups }} AllowGroups {{ ssh_allow_groups }}
LoginGraceTime {{ ssh_login_grace_time }} LoginGraceTime {{ ssh_login_grace_time }}
@ -66,10 +47,8 @@ AcceptEnv {{ e }}
PermitUserEnvironment no PermitUserEnvironment no
{% endif %} {% endif %}
LogLevel {{ ssh_loglevel }}
{% if ansible_facts['os_family'] == 'RedHat' %} {% if ansible_facts['os_family'] == 'RedHat' %}
Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO Subsystem sftp /usr/libexec/openssh/sftp-server
{% elif ansible_facts['os_family'] == 'Debian' %} {% elif ansible_facts['os_family'] == 'Debian' %}
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %} {% endif %}
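Review bot: The new `Subsystem sftp` lines drop `-f AUTHPRIV -l INFO`, so sftp-server no longer logs file operations to syslog, and with `LogLevel {{ ssh_loglevel }}` removed in the same hunk the daemon also reverts to its default log level. That takes away the per-file audit trail for SFTP sessions that incident responders typically depend on; if the change is intentional, a comment above the RedHat branch such as `# sftp-server logging disabled; re-add "-f AUTHPRIV -l INFO" to audit file transfers` would make the trade-off visible to the next maintainer. The first hunk likewise emits `HostKey {{ ssh_host_key_file }}` unconditionally in place of the `{% if ssh_hostkey_file is defined %}` block, so the template now hard-requires that variable and produces a single host key, which is worth documenting there as well. The `{% endif %}` at the top of the second hunk closes a block that begins outside it.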


@ -1,15 +0,0 @@
---
- hosts: 127.0.0.1
vars_files:
- defaults/main.yaml
tasks:
- name: Test Jinja2 templates
check_mode: true
diff: true
ansible.builtin.template:
src: "{{ item }}"
dest: "/tmp/{{ item }}"
with_items:
- templates/sshd_config.j2
- templates/issue.net.j2