source: main/waeup-ansible/roles/openssh/tasks/main.yml @ 17936

Last change on this file since 17936 was 16987, checked in by uli, 2 years ago

Update SSH config to current infosec state.
File size: 3.2 KB
RevLine 
[13994]1---
2# tasks to enable secure OpenSSH server config
[16987]3# mozilla values set as from
4#   https://infosec.mozilla.org/guidelines/openssh
[13994]5- name: "sshd_config - disable weak keys"
6  lineinfile:
7    dest=/etc/ssh/sshd_config
8    backrefs=yes
9    line={{ item.line }}
10    regexp={{ item.regexp }}
11  with_items:
[16987]12    #- { regexp: '^#HostKey /etc/ssh/ssh_host_rsa_key',
13    #    line: 'HostKey /etc/ssh/ssh_host_rsa_key' }
[13994]14    - { regexp: '^HostKey /etc/ssh/ssh_host_dsa_key',
15        line: '# HostKey /etc/ssh/ssh_host_dsa_key' }
[16987]16    #- { regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key',
17    #    line: '# HostKey /etc/ssh/ssh_host_ecdsa_key' }
18    #- { regexp: '^#HostKey /etc/ssh/ssh_host_ed25519_key',
19    #    line: 'HostKey /etc/ssh/ssh_host_ed25519_key' }
[13994]20  notify: "restart sshd"
21
[16987]22
23- name: "Set supported host key algorithms by order of preference"
24  ansible.builtin.blockinfile:
25      path: /etc/ssh/sshd_config
26      block: |
27          # Supported HostKey algorithms by order of preference.
28          HostKey /etc/ssh/ssh_host_ed25519_key
29          HostKey /etc/ssh/ssh_host_rsa_key
30          HostKey /etc/ssh/ssh_host_ecdsa_key
31  notify: "restart sshd"
32
33         
[13994]34- name: "sshd_config - set key bits to 4096"
35  lineinfile:
36    dest=/etc/ssh/sshd_config
37    backrefs=yes
38    line='ServerKeyBits 4096'
39    regexp='^ServerKeyBits 1024'
40    state=present
41  notify: "restart sshd"
42
[16987]43
44- name: "sshd_config - set secure ciphers from mozilla guidelines"
[13994]45  lineinfile:
46    dest=/etc/ssh/sshd_config
[16987]47    line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
[13994]48    state=present
49  notify: "restart sshd"
50
[16987]51
52- name: "sshd_config - set secure MACs from mozilla guidelines and ssh-audit.py"
[13994]53  lineinfile:
54    dest=/etc/ssh/sshd_config
[16987]55    line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
[13994]56    state=present
57  notify: "restart sshd"
58
[16987]59
60    # line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512'
61- name: "sshd_config - set secure kex algos from mozilla guidelines"
[13994]62  lineinfile:
63    dest=/etc/ssh/sshd_config
[16987]64    line='KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
[15389]65    state=present
66  notify: "restart sshd"
67
[16987]68
69- name: "sshd_config - set log level"
[15389]70  lineinfile:
[16987]71      dest: /etc/ssh/sshd_config
72      line: "LogLevel VERBOSE"
73      state: present
[15389]74  notify: "restart sshd"
75
76
[16987]77- name: "sshd_config - enable sftp logging"
[15389]78  lineinfile:
[16987]79      dest: /etc/ssh/sshd_config
80      line: "Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO"
81      regexp: "^Subsystem sftp  /usr/lib/openssh/sftp-server"
82      backrefs: yes
83      state: present
[13994]84  notify: "restart sshd"
85
[16987]86
87- name: "sshd_config - use privilage separation"
[15389]88  lineinfile:
[16987]89      dest: /etc/ssh/sshd_config
90      line: "UsePrivilegeSeparation sandbox"
91      state: present
[15389]92  notify: "restart sshd"
93
[16987]94
[13994]95- name: "remove short moduli (<2048 bits) from /etc/ssh/moduli"
96  replace:
97    dest=/etc/ssh/moduli
[16987]98    regexp='^([0-9]+\s){4}([12][0-9]{3}\s)'
[13994]99  notify: "restart sshd"
Note: See TracBrowser for help on using the repository browser.