Changeset 13850 for main/waeup-ansible


Timestamp:
25 Apr 2016, 21:25:32 (9 years ago)
Author:
uli
Message:

Add missing sshd_config pieces.

We set required SSH ciphers/MACs/key algos according to "Applied
Crypto Hardening" from bettercrypto.org, state 2016-04-21.

  • main/waeup-ansible/bootstrap.yml

    r13849 r13850  
    4444        state=present
    4545
    46     - name: "bootstrap | disable dsa keys in sshd_config"
     46    - name: "bootstrap | sshd_config - disable dsa keys"
    4747      lineinfile:
    4848        dest=/etc/ssh/sshd_config
     
    5353      notify: "restart sshd"
    5454
    55     - name: "bootstrap | disable ecdsa keys in sshd_config"
     55    - name: "bootstrap | sshd_config - disable ecdsa keys"
    5656      lineinfile:
    5757        dest=/etc/ssh/sshd_config
     
    6262      notify: "restart sshd"
    6363
    64     - name: "bootstrap | set key bits in sshd_config to 4096"
     64    - name: "bootstrap | sshd_config - set key bits to 4096"
    6565      lineinfile:
    6666        dest=/etc/ssh/sshd_config
     
    7171      notify: "restart sshd"
    7272
     73    - name: "bootstrap | sshd_config - set secure ciphers from bettercrypto.org"
     74      lineinfile:
     75        dest=/etc/ssh/sshd_config
     76        line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'
     77        state=present
     78      notify: "restart sshd"
     79
     80    - name: "bootstrap | sshd_config - set secure MACs from bettercrypto.org"
     81      lineinfile:
     82        dest=/etc/ssh/sshd_config
     83        line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
     84        state=present
     85      notify: "restart sshd"
     86
     87    - name: "bootstrap | sshd_config - set secure kex algos from bettercrypto.org"
     88      lineinfile:
     89        dest=/etc/ssh/sshd_config
     90        line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
     91        state=present
     92      notify: "restart sshd"
     93
    7394    - name: "bootstrap | remove short moduli (<2048 bits) from /etc/ssh/moduli"
    7495      replace:
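Review bot: The three new lineinfile tasks (new lines 73–92) add `Ciphers`, `MACs` and `KexAlgorithms` lines with `state=present` but no `regexp=`, so an existing directive for the same keyword (a distro default, or a list set by an earlier run) stays in place and the new line is appended; sshd honours the first occurrence of a keyword, so the hardened list may be silently ignored. Adding e.g. `regexp='^#?\s*Ciphers\s'` (and the equivalents for `MACs` and `KexAlgorithms`) makes each task replace the directive instead of appending a duplicate. Because an algorithm name unknown to the installed OpenSSH makes sshd refuse to start on the notified restart, `validate='/usr/sbin/sshd -t -f %s'` on these tasks would reject a bad line before the handler runs. The trailing `diffie-hellman-group14-sha1`/`diffie-hellman-group-exchange-sha1` kex entries and `hmac-ripemd160` are the weakest items in the lists; a short comment naming which clients they are kept for would let a later reviewer decide when to drop them. The enclosing task list continues outside the shown lines.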