From 19e845c16493bd98659dcd34ab20c61e6e8862c5 Mon Sep 17 00:00:00 2001
From: Robert Kaussow <mail@thegeeklab.de>
Date: Thu, 21 Oct 2021 22:45:39 +0200
Subject: [PATCH] adjust config to work with rocky8 as well

---
 defaults/main.yml                | 39 ++++++++++++++++++--------------
 tasks/ssh_default.yml            | 21 +++++++++++++++--
 tasks/ssh_univention.yml         | 38 ++++++++++++++++++++-----------
 templates/etc/ssh/sshd_config.j2 | 39 ++++++++++++++------------------
 templates/etc/sysconfig/sshd.j2  | 20 ++++++++++++++++
 5 files changed, 103 insertions(+), 54 deletions(-)
 create mode 100644 templates/etc/sysconfig/sshd.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index 198f20f..869c58c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,15 +1,16 @@
 ---
 sshd_protocol: 2
-sshd_permit_root_login: 'yes'
-sshd_permit_empty_passwords: 'no'
-sshd_password_authentication: 'no'
-sshd_gssapi_authentication: 'yes'
-sshd_strict_modes: 'yes'
+sshd_permit_root_login: "yes"
+sshd_permit_empty_passwords: "no"
+sshd_password_authentication: "no"
+sshd_gssapi_authentication: "no"
+sshd_strict_modes: "yes"
 sshd_allow_groups: []
-sshd_ignore_rhosts: 'yes'
-sshd_hostbased_authentication: 'no'
+sshd_ignore_rhosts: "yes"
+sshd_hostbased_authentication: "no"
 sshd_client_alive_interval: 900
 sshd_client_alive_count_max: 0
+
 sshd_ciphers:
   - chacha20-poly1305@openssh.com
   - aes256-gcm@openssh.com
@@ -17,33 +18,37 @@ sshd_ciphers:
   - aes256-ctr
   - aes192-ctr
   - aes128-ctr
+
 sshd_kex:
   - curve25519-sha256@libssh.org
   - diffie-hellman-group-exchange-sha256
+
 sshd_moduli_minimum: 2048
+
 sshd_macs:
   - hmac-sha2-512-etm@openssh.com
   - hmac-sha2-256-etm@openssh.com
-  - hmac-ripemd160-etm@openssh.com
   - umac-128-etm@openssh.com
   - hmac-sha2-512
   - hmac-sha2-256
-  - hmac-ripemd160
-sshd_allow_agent_forwarding: 'no'
-sshd_x11_forwarding: 'yes'
-sshd_allow_tcp_forwarding: 'yes'
+  - umac-128@openssh.com
+
+sshd_allow_agent_forwarding: "no"
+sshd_x11_forwarding: "yes"
+sshd_allow_tcp_forwarding: "yes"
 sshd_compression: delayed
 sshd_log_level: INFO
 sshd_max_auth_tries: 6
 sshd_max_sessions: 10
-sshd_tcp_keep_alive: 'yes'
-sshd_use_dns: 'yes'
+sshd_tcp_keep_alive: "yes"
+sshd_use_dns: "no"
+
+sshd_disable_crypto_policy: False
 
 # @var sshd_challenge_response_authentication:description: >
-# If you disable password auth you should disable
-# ChallengeResponseAuth also.
+# If you disable password auth you should disable ChallengeResponseAuth also.
 # @end
-sshd_challenge_response_authentication: 'no'
+sshd_challenge_response_authentication: "no"
 
 # @var sshd_google_auth_enabled:description: >
 # Google Authenticator required ChallengeResponseAuth!
diff --git a/tasks/ssh_default.yml b/tasks/ssh_default.yml
index 8265a2a..a900068 100644
--- a/tasks/ssh_default.yml
+++ b/tasks/ssh_default.yml
@@ -1,4 +1,9 @@
 ---
+- name: Gather package facts
+  package_facts:
+  check_mode: False
+  when: sshd_disable_crypto_policy | bool
+
 - block:
     - name: Hardening sshd config
       template:
@@ -16,8 +21,9 @@
       check_mode: no
 
     - name: Remove all small primes
-      shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
-            [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
+      shell:
+        awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
+        [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
       notify: __sshd_restart
       when: __sshd_register_moduli.stdout
 
@@ -26,5 +32,16 @@
         name: "{{ item }}"
         state: present
       loop: "{{ sshd_allow_groups }}"
+
+    - name: Disable SSH server CRYPTO_POLICY
+      copy:
+        src: etc/sysconfig/sshd
+        dest: /etc/sysconfig/sshd
+        owner: "root"
+        group: "root"
+        mode: "0640"
+      when:
+        - sshd_disable_crypto_policy | bool
+        - ('crypto-policies' in ansible_facts.packages)
   become: True
   become_user: root
diff --git a/tasks/ssh_univention.yml b/tasks/ssh_univention.yml
index 7291dd2..a07d12f 100644
--- a/tasks/ssh_univention.yml
+++ b/tasks/ssh_univention.yml
@@ -5,18 +5,30 @@
         path: "{{ item.path }}"
         value: "{{ item.value }}"
       loop:
-        - { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" }
-        - { path: sshd/PermitEmptyPasswords, value: "{{ sshd_permit_empty_passwords | default('') }}" }
-        - { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" }
-        - { path: sshd/passwordauthentication, value: "{{ sshd_password_authentication | default('') }}" }
-        - { path: sshd/challengeresponse, value: "{{ sshd_password_authentication | default('') }}" }
-        - { path: sshd/IgnoreRhosts, value: "{{ sshd_ignore_rhosts | default('') }}" }
-        - { path: sshd/HostbasedAuthentication, value: "{{ sshd_hostbased_authentication | default('') }}" }
-        - { path: sshd/ClientAliveInterval, value: "{{ sshd_client_alive_interval | default('') }}" }
-        - { path: sshd/ClientAliveCountMax, value: "{{ sshd_client_alive_count_max | default('') }}" }
-        - { path: sshd/Ciphers, value: "{{ sshd_ciphers | default('[]') | join(',') }}" }
-        - { path: sshd/KexAlgorithms, value: "{{ sshd_kex | default('[]') | join(',') }}" }
-        - { path: sshd/MACs, value: "{{ sshd_macs | default('[]') | join(',') }}" }
+        - path: sshd/permitroot
+          value: "{{ sshd_permit_root_login | default('') }}"
+        - path: sshd/PermitEmptyPasswords
+          value: "{{ sshd_permit_empty_passwords | default('') }}"
+        - path: sshd/permitroot
+          value: "{{ sshd_permit_root_login | default('') }}"
+        - path: sshd/passwordauthentication
+          value: "{{ sshd_password_authentication | default('') }}"
+        - path: sshd/challengeresponse
+          value: "{{ sshd_password_authentication | default('') }}"
+        - path: sshd/IgnoreRhosts
+          value: "{{ sshd_ignore_rhosts | default('') }}"
+        - path: sshd/HostbasedAuthentication
+          value: "{{ sshd_hostbased_authentication | default('') }}"
+        - path: sshd/ClientAliveInterval
+          value: "{{ sshd_client_alive_interval | default('') }}"
+        - path: sshd/ClientAliveCountMax
+          value: "{{ sshd_client_alive_count_max | default('') }}"
+        - path: sshd/Ciphers
+          value: "{{ sshd_ciphers | default('[]') | join(',') }}"
+        - path: sshd/KexAlgorithms
+          value: "{{ sshd_kex | default('[]') | join(',') }}"
+        - path: sshd/MACs
+          value: "{{ sshd_macs | default('[]') | join(',') }}"
       loop_control:
         label: "variable: {{ item.path }}={{ item.value }}"
       notify: __sshd_restart
@@ -30,7 +42,7 @@
     - name: Create SSH Usergroup
       group:
         name: "{{ item }}"
-        system: 'yes'
+        system: "yes"
         state: present
       loop: "{{ sshd_allow_groups }}"
   become: True
diff --git a/templates/etc/ssh/sshd_config.j2 b/templates/etc/ssh/sshd_config.j2
index a6b8858..fdd9026 100644
--- a/templates/etc/ssh/sshd_config.j2
+++ b/templates/etc/ssh/sshd_config.j2
@@ -1,9 +1,8 @@
 #jinja2: lstrip_blocks: True
 {{ ansible_managed | comment }}
-#	$OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
 
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
+# This is the sshd server system-wide configuration file.
+# See sshd_config(5) for more information.
 
 # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
 
@@ -20,30 +19,31 @@
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
+{% if ansible_distribution_major_version is version('8', '<') %}
 
-# The default requires explicit activation of protocol 1
 Protocol {{ sshd_protocol }}
+{% endif %}
 
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
 # Ciphers and keying
 #RekeyLimit default none
+
+{% if not sshd_disable_crypto_policy | bool %}
+# This system is following system-wide crypto policy. The changes to
+# crypto properties (Ciphers, MACs, ...) will not have any effect here.
+# They will be overridden by command-line options passed to the server
+# on command line.
+# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).
+{% else %}
 Ciphers {{ sshd_ciphers | join(',') }}
 KexAlgorithms {{ sshd_kex | join(',') }}
 MACs {{ sshd_macs | join(',') }}
+{% endif %}
 
 # Logging
-# obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 SyslogFacility AUTHPRIV
 LogLevel {{ sshd_log_level }}
@@ -59,7 +59,6 @@ AllowGroups {{ sshd_allow_groups|join(',') }}
 MaxAuthTries {{ sshd_max_auth_tries }}
 MaxSessions {{ sshd_max_sessions }}
 
-#RSAAuthentication yes
 #PubkeyAuthentication yes
 
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@@ -71,12 +70,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
 
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
 HostbasedAuthentication {{ sshd_hostbased_authentication }}
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts {{ sshd_ignore_rhosts }}
@@ -116,8 +110,8 @@ GSSAPICleanupCredentials no
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
-# problems.
+# WARNING: 'UsePAM no' is not supported on RH based systems and may
+# cause several problems.
 UsePAM yes
 
 AllowAgentForwarding {{ sshd_allow_agent_forwarding }}
@@ -131,12 +125,13 @@ X11Forwarding {{ sshd_x11_forwarding }}
 #PrintLastLog no
 TCPKeepAlive {{ sshd_tcp_keep_alive }}
 #UseLogin no
+{% if ansible_distribution_major_version is version('8', '<') %}
 UsePrivilegeSeparation sandbox
+{% endif %}
 #PermitUserEnvironment no
 Compression {{ sshd_compression }}
 ClientAliveInterval {{ sshd_client_alive_interval }}
 ClientAliveCountMax {{ sshd_client_alive_count_max }}
-#ShowPatchLevel no
 UseDNS {{ sshd_use_dns }}
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
diff --git a/templates/etc/sysconfig/sshd.j2 b/templates/etc/sysconfig/sshd.j2
new file mode 100644
index 0000000..a32ac3a
--- /dev/null
+++ b/templates/etc/sysconfig/sshd.j2
@@ -0,0 +1,20 @@
+#jinja2: lstrip_blocks: True
+{{ ansible_managed | comment }}
+
+# Configuration file for the sshd service.
+
+# The server keys are automatically generated if they are missing.
+# To change the automatic creation, adjust sshd.service options for
+# example using  systemctl enable sshd-keygen@dsa.service  to allow creation
+# of DSA key or  systemctl mask sshd-keygen@rsa.service  to disable RSA key
+# creation.
+
+# Do not change this option unless you have hardware random
+# generator and you REALLY know what you are doing
+
+SSH_USE_STRONG_RNG=0
+# SSH_USE_STRONG_RNG=1
+
+# System-wide crypto policy:
+# To opt-out, uncomment the following line
+CRYPTO_POLICY=