adjust config to work with rocky8 as well
All checks were successful
continuous-integration/drone/pr Build is passing
All checks were successful
continuous-integration/drone/pr Build is passing
This commit is contained in:
parent
91038c314a
commit
19e845c164
GPG Key ID:
4E692A2EAECC03C0
@ -1,15 +1,16 @@
|
||||
---
|
||||
sshd_protocol: 2
|
||||
sshd_permit_root_login: 'yes'
|
||||
sshd_permit_empty_passwords: 'no'
|
||||
sshd_password_authentication: 'no'
|
||||
sshd_gssapi_authentication: 'yes'
|
||||
sshd_strict_modes: 'yes'
|
||||
sshd_permit_root_login: "yes"
|
||||
sshd_permit_empty_passwords: "no"
|
||||
sshd_password_authentication: "no"
|
||||
sshd_gssapi_authentication: "no"
|
||||
sshd_strict_modes: "yes"
|
||||
sshd_allow_groups: []
|
||||
sshd_ignore_rhosts: 'yes'
|
||||
sshd_hostbased_authentication: 'no'
|
||||
sshd_ignore_rhosts: "yes"
|
||||
sshd_hostbased_authentication: "no"
|
||||
sshd_client_alive_interval: 900
|
||||
sshd_client_alive_count_max: 0
|
||||
|
||||
sshd_ciphers:
|
||||
- chacha20-poly1305@openssh.com
|
||||
- aes256-gcm@openssh.com
|
||||
@ -17,33 +18,37 @@ sshd_ciphers:
|
||||
- aes256-ctr
|
||||
- aes192-ctr
|
||||
- aes128-ctr
|
||||
|
||||
sshd_kex:
|
||||
- curve25519-sha256@libssh.org
|
||||
- diffie-hellman-group-exchange-sha256
|
||||
|
||||
sshd_moduli_minimum: 2048
|
||||
|
||||
sshd_macs:
|
||||
- hmac-sha2-512-etm@openssh.com
|
||||
- hmac-sha2-256-etm@openssh.com
|
||||
- hmac-ripemd160-etm@openssh.com
|
||||
- umac-128-etm@openssh.com
|
||||
- hmac-sha2-512
|
||||
- hmac-sha2-256
|
||||
- hmac-ripemd160
|
||||
sshd_allow_agent_forwarding: 'no'
|
||||
sshd_x11_forwarding: 'yes'
|
||||
sshd_allow_tcp_forwarding: 'yes'
|
||||
- umac-128@openssh.com
|
||||
|
||||
sshd_allow_agent_forwarding: "no"
|
||||
sshd_x11_forwarding: "yes"
|
||||
sshd_allow_tcp_forwarding: "yes"
|
||||
sshd_compression: delayed
|
||||
sshd_log_level: INFO
|
||||
sshd_max_auth_tries: 6
|
||||
sshd_max_sessions: 10
|
||||
sshd_tcp_keep_alive: 'yes'
|
||||
sshd_use_dns: 'yes'
|
||||
sshd_tcp_keep_alive: "yes"
|
||||
sshd_use_dns: "no"
|
||||
|
||||
sshd_disable_crypto_policy: False
|
||||
|
||||
# @var sshd_challenge_response_authentication:description: >
|
||||
# If you disable password auth you should disable
|
||||
# ChallengeResponseAuth also.
|
||||
# If you disable password auth you should disable ChallengeResponseAuth also.
|
||||
# @end
|
||||
sshd_challenge_response_authentication: 'no'
|
||||
sshd_challenge_response_authentication: "no"
|
||||
|
||||
# @var sshd_google_auth_enabled:description: >
|
||||
# Google Authenticator required ChallengeResponseAuth!
|
||||
|
||||
@ -1,4 +1,9 @@
|
||||
---
|
||||
- name: Gather package facts
|
||||
package_facts:
|
||||
check_mode: False
|
||||
when: sshd_disable_crypto_policy | bool
|
||||
|
||||
- block:
|
||||
- name: Hardening sshd config
|
||||
template:
|
||||
@ -16,8 +21,9 @@
|
||||
check_mode: no
|
||||
|
||||
- name: Remove all small primes
|
||||
shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
|
||||
[ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
|
||||
shell:
|
||||
awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
|
||||
[ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
|
||||
notify: __sshd_restart
|
||||
when: __sshd_register_moduli.stdout
|
||||
|
||||
@ -26,5 +32,16 @@
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
loop: "{{ sshd_allow_groups }}"
|
||||
|
||||
- name: Disable SSH server CRYPTO_POLICY
|
||||
copy:
|
||||
src: etc/sysconfig/sshd
|
||||
dest: /etc/sysconfig/sshd
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0640"
|
||||
when:
|
||||
- sshd_disable_crypto_policy | bool
|
||||
- ('crypto-policies' in ansible_facts.packages)
|
||||
become: True
|
||||
become_user: root
|
||||
|
||||
@ -5,18 +5,30 @@
|
||||
path: "{{ item.path }}"
|
||||
value: "{{ item.value }}"
|
||||
loop:
|
||||
- { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" }
|
||||
- { path: sshd/PermitEmptyPasswords, value: "{{ sshd_permit_empty_passwords | default('') }}" }
|
||||
- { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" }
|
||||
- { path: sshd/passwordauthentication, value: "{{ sshd_password_authentication | default('') }}" }
|
||||
- { path: sshd/challengeresponse, value: "{{ sshd_password_authentication | default('') }}" }
|
||||
- { path: sshd/IgnoreRhosts, value: "{{ sshd_ignore_rhosts | default('') }}" }
|
||||
- { path: sshd/HostbasedAuthentication, value: "{{ sshd_hostbased_authentication | default('') }}" }
|
||||
- { path: sshd/ClientAliveInterval, value: "{{ sshd_client_alive_interval | default('') }}" }
|
||||
- { path: sshd/ClientAliveCountMax, value: "{{ sshd_client_alive_count_max | default('') }}" }
|
||||
- { path: sshd/Ciphers, value: "{{ sshd_ciphers | default('[]') | join(',') }}" }
|
||||
- { path: sshd/KexAlgorithms, value: "{{ sshd_kex | default('[]') | join(',') }}" }
|
||||
- { path: sshd/MACs, value: "{{ sshd_macs | default('[]') | join(',') }}" }
|
||||
- path: sshd/permitroot
|
||||
value: "{{ sshd_permit_root_login | default('') }}"
|
||||
- path: sshd/PermitEmptyPasswords
|
||||
value: "{{ sshd_permit_empty_passwords | default('') }}"
|
||||
- path: sshd/permitroot
|
||||
value: "{{ sshd_permit_root_login | default('') }}"
|
||||
- path: sshd/passwordauthentication
|
||||
value: "{{ sshd_password_authentication | default('') }}"
|
||||
- path: sshd/challengeresponse
|
||||
value: "{{ sshd_password_authentication | default('') }}"
|
||||
- path: sshd/IgnoreRhosts
|
||||
value: "{{ sshd_ignore_rhosts | default('') }}"
|
||||
- path: sshd/HostbasedAuthentication
|
||||
value: "{{ sshd_hostbased_authentication | default('') }}"
|
||||
- path: sshd/ClientAliveInterval
|
||||
value: "{{ sshd_client_alive_interval | default('') }}"
|
||||
- path: sshd/ClientAliveCountMax
|
||||
value: "{{ sshd_client_alive_count_max | default('') }}"
|
||||
- path: sshd/Ciphers
|
||||
value: "{{ sshd_ciphers | default('[]') | join(',') }}"
|
||||
- path: sshd/KexAlgorithms
|
||||
value: "{{ sshd_kex | default('[]') | join(',') }}"
|
||||
- path: sshd/MACs
|
||||
value: "{{ sshd_macs | default('[]') | join(',') }}"
|
||||
loop_control:
|
||||
label: "variable: {{ item.path }}={{ item.value }}"
|
||||
notify: __sshd_restart
|
||||
@ -30,7 +42,7 @@
|
||||
- name: Create SSH Usergroup
|
||||
group:
|
||||
name: "{{ item }}"
|
||||
system: 'yes'
|
||||
system: "yes"
|
||||
state: present
|
||||
loop: "{{ sshd_allow_groups }}"
|
||||
become: True
|
||||
|
||||
@ -1,9 +1,8 @@
|
||||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
# sshd_config(5) for more information.
|
||||
# This is the sshd server system-wide configuration file.
|
||||
# See sshd_config(5) for more information.
|
||||
|
||||
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
|
||||
|
||||
@ -20,30 +19,31 @@
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
#ListenAddress ::
|
||||
{% if ansible_distribution_major_version is version('8', '<') %}
|
||||
|
||||
# The default requires explicit activation of protocol 1
|
||||
Protocol {{ sshd_protocol }}
|
||||
{% endif %}
|
||||
|
||||
# HostKey for protocol version 1
|
||||
#HostKey /etc/ssh/ssh_host_key
|
||||
# HostKeys for protocol version 2
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
#KeyRegenerationInterval 1h
|
||||
#ServerKeyBits 1024
|
||||
|
||||
# Ciphers and keying
|
||||
#RekeyLimit default none
|
||||
|
||||
{% if not sshd_disable_crypto_policy | bool %}
|
||||
# This system is following system-wide crypto policy. The changes to
|
||||
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
|
||||
# They will be overridden by command-line options passed to the server
|
||||
# on command line.
|
||||
# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).
|
||||
{% else %}
|
||||
Ciphers {{ sshd_ciphers | join(',') }}
|
||||
KexAlgorithms {{ sshd_kex | join(',') }}
|
||||
MACs {{ sshd_macs | join(',') }}
|
||||
{% endif %}
|
||||
|
||||
# Logging
|
||||
# obsoletes QuietMode and FascistLogging
|
||||
#SyslogFacility AUTH
|
||||
SyslogFacility AUTHPRIV
|
||||
LogLevel {{ sshd_log_level }}
|
||||
@ -59,7 +59,6 @@ AllowGroups {{ sshd_allow_groups|join(',') }}
|
||||
MaxAuthTries {{ sshd_max_auth_tries }}
|
||||
MaxSessions {{ sshd_max_sessions }}
|
||||
|
||||
#RSAAuthentication yes
|
||||
#PubkeyAuthentication yes
|
||||
|
||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||
@ -71,12 +70,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
#AuthorizedKeysCommand none
|
||||
#AuthorizedKeysCommandUser nobody
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#RhostsRSAAuthentication no
|
||||
# similar for protocol version 2
|
||||
HostbasedAuthentication {{ sshd_hostbased_authentication }}
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
IgnoreRhosts {{ sshd_ignore_rhosts }}
|
||||
@ -116,8 +110,8 @@ GSSAPICleanupCredentials no
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
|
||||
# problems.
|
||||
# WARNING: 'UsePAM no' is not supported on RH based systems and may
|
||||
# cause several problems.
|
||||
UsePAM yes
|
||||
|
||||
AllowAgentForwarding {{ sshd_allow_agent_forwarding }}
|
||||
@ -131,12 +125,13 @@ X11Forwarding {{ sshd_x11_forwarding }}
|
||||
#PrintLastLog no
|
||||
TCPKeepAlive {{ sshd_tcp_keep_alive }}
|
||||
#UseLogin no
|
||||
{% if ansible_distribution_major_version is version('8', '<') %}
|
||||
UsePrivilegeSeparation sandbox
|
||||
{% endif %}
|
||||
#PermitUserEnvironment no
|
||||
Compression {{ sshd_compression }}
|
||||
ClientAliveInterval {{ sshd_client_alive_interval }}
|
||||
ClientAliveCountMax {{ sshd_client_alive_count_max }}
|
||||
#ShowPatchLevel no
|
||||
UseDNS {{ sshd_use_dns }}
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
|
||||
20
templates/etc/sysconfig/sshd.j2
Normal file
20
templates/etc/sysconfig/sshd.j2
Normal file
@ -0,0 +1,20 @@
|
||||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# Configuration file for the sshd service.
|
||||
|
||||
# The server keys are automatically generated if they are missing.
|
||||
# To change the automatic creation, adjust sshd.service options for
|
||||
# example using systemctl enable sshd-keygen@dsa.service to allow creation
|
||||
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
|
||||
# creation.
|
||||
|
||||
# Do not change this option unless you have hardware random
|
||||
# generator and you REALLY know what you are doing
|
||||
|
||||
SSH_USE_STRONG_RNG=0
|
||||
# SSH_USE_STRONG_RNG=1
|
||||
|
||||
# System-wide crypto policy:
|
||||
# To opt-out, uncomment the following line
|
||||
CRYPTO_POLICY=
|
||||
Loading…
Reference in New Issue
Block a user