source: main/waeup-ansible/roles/openssh/tasks/main.yml @ 16341

Last change on this file since 16341 was 15389, checked in by uli, 6 years ago

Start vhost 6 after reboots.

File size: 3.2 KB
Line 
1---
2# tasks to enable secure OpenSSH server config
3- name: "sshd_config - disable weak keys"
4  lineinfile:
5    dest=/etc/ssh/sshd_config
6    backrefs=yes
7    line={{ item.line }}
8    regexp={{ item.regexp }}
9  with_items:
10    - { regexp: '^#HostKey /etc/ssh/ssh_host_rsa_key',
11        line: 'HostKey /etc/ssh/ssh_host_rsa_key' }
12    - { regexp: '^HostKey /etc/ssh/ssh_host_dsa_key',
13        line: '# HostKey /etc/ssh/ssh_host_dsa_key' }
14    - { regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key',
15        line: '# HostKey /etc/ssh/ssh_host_ecdsa_key' }
16    - { regexp: '^#HostKey /etc/ssh/ssh_host_ed25519_key',
17        line: 'HostKey /etc/ssh/ssh_host_ed25519_key' }
18  notify: "restart sshd"
19
20- name: "sshd_config - set key bits to 4096"
21  lineinfile:
22    dest=/etc/ssh/sshd_config
23    backrefs=yes
24    line='ServerKeyBits 4096'
25    regexp='^ServerKeyBits 1024'
26    state=present
27  notify: "restart sshd"
28
29- name: "sshd_config - set secure ciphers from bettercrypto.org (Ubuntu)"
30  when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('16', '<=')
31       
32  lineinfile:
33    dest=/etc/ssh/sshd_config
34    line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'
35    state=present
36  notify: "restart sshd"
37
38- name: "sshd_config - set secure ciphers from bettercrypto.org (Debian)"
39  when: ansible_distribution == 'Debian'
40       
41  lineinfile:
42    dest=/etc/ssh/sshd_config
43    line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
44    state=present
45  notify: "restart sshd"
46
47- name: "sshd_config - set secure MACs from bettercrypto.orgi (Ubuntu)"
48  when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('16', '<=')
49  lineinfile:
50    dest=/etc/ssh/sshd_config
51    line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
52    state=present
53  notify: "restart sshd"
54
55- name: "sshd_config - set secure MACs from bettercrypto.org and ssh-audit.py (Debian)"
56  when: ansible_distribution == 'Debian'
57  lineinfile:
58    dest=/etc/ssh/sshd_config
59    line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
60    state=present
61  notify: "restart sshd"
62
63
64- name: "sshd_config - set secure kex algos from bettercrypto.org (Ubuntu)"
65  when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('16', '<=')
66  lineinfile:
67    dest=/etc/ssh/sshd_config
68    line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
69    state=present
70  notify: "restart sshd"
71
72- name: "sshd_config - set secure kex algos from bettercrypto.org (Debian)"
73  when: ansible_distribution == 'Debian'
74  lineinfile:
75    dest=/etc/ssh/sshd_config
76    line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512'
77    state=present
78  notify: "restart sshd"
79
80- name: "remove short moduli (<2048 bits) from /etc/ssh/moduli"
81  replace:
82    dest=/etc/ssh/moduli
83    regexp='^([0-9]+\s){4}(1[0-9]{3}\s)'
84  notify: "restart sshd"
Note: See TracBrowser for help on using the repository browser.