source: main/waeup-ansible/roles/openssh/tasks/main.yml @ 17736

Last change on this file since 17736 was 16987, checked in by uli, 2 years ago

Update SSH config to current infosec state.

---
# Tasks to enforce a hardened OpenSSH server configuration.
# Cipher, MAC, KEX and host-key values are taken from the Mozilla guidelines:
#   https://infosec.mozilla.org/guidelines/openssh
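- name: "sshd_config - disable weak keys"
  # Only the DSA host key is disabled here (OpenSSH limits DSA host keys to
  # 1024 bits). With backrefs enabled a line is rewritten only where the regexp
  # matches; when no DSA HostKey directive exists nothing is inserted, so the
  # task is a no-op on hosts that never enabled it. The commented items are the
  # other host-key toggles from the original file, kept for reference only.
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    backrefs: true
    # Refuse to write a config that sshd itself rejects (avoids a failed
    # restart locking remote access out).
    validate: '/usr/sbin/sshd -t -f %s'
  loop:
    # - regexp: '^#HostKey /etc/ssh/ssh_host_rsa_key'
    #   line: 'HostKey /etc/ssh/ssh_host_rsa_key'
    - regexp: '^HostKey /etc/ssh/ssh_host_dsa_key'
      line: '# HostKey /etc/ssh/ssh_host_dsa_key'
    # - regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key'
    #   line: '# HostKey /etc/ssh/ssh_host_ecdsa_key'
    # - regexp: '^#HostKey /etc/ssh/ssh_host_ed25519_key'
    #   line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
  notify: "restart sshd"
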
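- name: "Set supported host key algorithms by order of preference"
  # Adds the preferred HostKey directives (listed in order of preference)
  # inside a marker block, so repeated runs update the block in place instead
  # of appending it again. blockinfile appends at end of file by default;
  # HostKey is not permitted inside a Match block, so a config ending in an
  # active Match stanza would be rejected - the validate step catches that
  # before the file is written.
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config
    block: |
      # Supported HostKey algorithms by order of preference.
      HostKey /etc/ssh/ssh_host_ed25519_key
      HostKey /etc/ssh/ssh_host_rsa_key
      HostKey /etc/ssh/ssh_host_ecdsa_key
    validate: '/usr/sbin/sshd -t -f %s'
  notify: "restart sshd"
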
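- name: "sshd_config - set key bits to 4096"
  # ServerKeyBits only ever applied to SSH protocol 1. OpenSSH releases that
  # dropped protocol 1 (7.4 and later, as far as I know) treat the keyword as
  # deprecated: it is ignored with a warning rather than rejected. Because
  # backrefs is enabled the line is only rewritten where an explicit
  # 'ServerKeyBits 1024' already exists, so the task is a no-op on modern hosts.
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^ServerKeyBits 1024'
    line: 'ServerKeyBits 4096'
    backrefs: true
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: "restart sshd"
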
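- name: "sshd_config - set secure ciphers from mozilla guidelines"
  # sshd uses the first value it reads for a keyword, so merely appending a
  # Ciphers line (the original behaviour) is shadowed by any existing Ciphers
  # directive, or by an Include of sshd_config.d/*.conf at the top of newer
  # distribution configs. Replace an existing active directive in place; when
  # there is none, insert at the beginning of the file so the hardened list
  # takes precedence and cannot land inside a trailing Match block (Ciphers is
  # not permitted there).
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^Ciphers '
    line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
    insertbefore: BOF
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: "restart sshd"
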
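- name: "sshd_config - set secure MACs from mozilla guidelines and ssh-audit.py"
  # sshd uses the first value it reads for a keyword, so an appended MACs line
  # (the original behaviour) is shadowed by any MACs directive that already
  # exists earlier in the file or in an included sshd_config.d/*.conf.
  # Replace an existing active directive in place; when there is none, insert
  # at the beginning of the file so the hardened list wins and cannot land
  # inside a trailing Match block (MACs is not permitted there).
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^MACs '
    line: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
    insertbefore: BOF
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: "restart sshd"
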
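- name: "sshd_config - set secure kex algos from mozilla guidelines"
  # sshd uses the first value it reads for a keyword, so an appended
  # KexAlgorithms line (the original behaviour) is shadowed by any existing
  # KexAlgorithms directive earlier in the file or in an included
  # sshd_config.d/*.conf. Replace an existing active directive in place; when
  # there is none, insert at the beginning of the file so the hardened list
  # wins and cannot land inside a trailing Match block (KexAlgorithms is not
  # permitted there).
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^KexAlgorithms '
    line: 'KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
    # Alternative list without the ecdh-sha2-nistp* curves, kept from the
    # original file for reference:
    # line: 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512'
    insertbefore: BOF
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: "restart sshd"
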
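- name: "sshd_config - set log level"
  # VERBOSE makes sshd log the fingerprint of every key used to authenticate,
  # which is what audit trails need. sshd uses the first value it reads for a
  # keyword, so replace an existing active LogLevel directive rather than
  # appending a second one; when none exists, insert at the beginning of the
  # file so the setting is global instead of being scoped to a trailing Match
  # block.
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^LogLevel '
    line: "LogLevel VERBOSE"
    insertbefore: BOF
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: "restart sshd"
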
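- name: "sshd_config - enable sftp logging"
  # Rewrites the stock Subsystem line to log sftp operations to AUTHPRIV at
  # INFO. backrefs stays enabled on purpose: a second 'Subsystem sftp' line is
  # rejected by sshd, so the line must only ever be rewritten, never added.
  # The original regexp required exactly two spaces between 'sftp' and the
  # path; stock sshd_config files typically separate the fields with a tab or
  # a single space, so the pattern never matched and logging silently stayed
  # off. Match any whitespace instead, while still anchoring on the Debian
  # sftp-server path so other sftp implementations are left untouched.
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^Subsystem\s+sftp\s+/usr/lib/openssh/sftp-server'
    line: "Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO"
    backrefs: true
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: "restart sshd"
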
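- name: "sshd_config - use privilage separation"
  # UsePrivilegeSeparation has been deprecated since OpenSSH 7.5 (privilege
  # separation is always on there); newer sshd logs a deprecation warning and
  # ignores it, so this only changes behaviour on older releases. On those,
  # sshd uses the first value it reads, so an existing active directive (older
  # stock configs shipped 'UsePrivilegeSeparation yes') is replaced in place
  # instead of being shadowed by an appended line; when none exists, insert at
  # the beginning of the file so the line cannot land inside a trailing Match
  # block (the keyword is not permitted there).
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^UsePrivilegeSeparation '
    line: "UsePrivilegeSeparation sandbox"
    insertbefore: BOF
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: "restart sshd"
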
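- name: "remove short moduli (<2048 bits) from /etc/ssh/moduli"
  # moduli(5) lines hold: time type tests tries size generator modulus. The
  # size field values found in practice are 1023, 1535, 2047, 3071, 4095, ...,
  # so '[12][0-9]{3}' matches every group below 3072 bits - the same cut the
  # Mozilla guideline applies (keep field 5 >= 3071). The task name's "<2048"
  # is therefore slightly narrower than what is actually removed.
  # Without a 'replace' value the module deletes the match, so the pattern
  # must cover the whole line including its newline: the original matched only
  # the first five fields and left a truncated 'generator modulus' remainder
  # on each affected line instead of dropping the group cleanly.
  ansible.builtin.replace:
    path: /etc/ssh/moduli
    regexp: '^([0-9]+\s){4}[12][0-9]{3}\s.*\n'
  notify: "restart sshd"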