- Timestamp:
- 5 Jul 2022, 13:25:33 (3 years ago)
- Location:
- main/waeup-ansible
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
main/waeup-ansible/bootstrap.yml
r15915 r16987 17 17 # Allow admin users below to become root w/o entering password? 18 18 permit_become_root_no_password: true 19 create_admin_user: false 19 20 # create hashed passwords like this: 20 21 # $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw 21 admin_users: 22 uli: 23 hashed_pw: "$6$iuoXy2wO3elWM6d2$NR/ayKF58q0Bm0BdsR.g.Nt5xYzD0s0t17ZjrYaRpY7nkRekjgHTnqw849pK9FdynmNZAioW6oQBQx3BB5kcd0" 22 admin_users: {} 23 24 # uli: 25 # hashed_pw: "$6$iuoXy2wO3elWM6d2$NR/ayKF58q0Bm0BdsR.g.Nt5xYzD0s0t17ZjrYaRpY7nkRekjgHTnqw849pK9FdynmNZAioW6oQBQx3BB5kcd0" 24 26 25 27 roles: … … 35 37 tasks: 36 38 - name: Create admin users 39 when: create_admin_users 37 40 user: 38 41 name: "{{ item.key }}" … … 54 57 notify: "restart sshd" 55 58 when: not permit_ssh_root 59 60 - name: Disable SSH root access 61 # make sure this is not run before you can log in otherwise! 62 lineinfile: 63 dest=/etc/ssh/sshd_config 64 line="AuthenticationMethods publickey" 65 state=present 66 notify: "restart sshd" 67 when: not permit_ssh_root -
main/waeup-ansible/roles/openssh/tasks/main.yml
r15389 r16987 1 1 --- 2 2 # tasks to enable secure OpenSSH server config 3 # mozilla values set as from 4 # https://infosec.mozilla.org/guidelines/openssh 3 5 - name: "sshd_config - disable weak keys" 4 6 lineinfile: … … 8 10 regexp={{ item.regexp }} 9 11 with_items: 10 - { regexp: '^#HostKey /etc/ssh/ssh_host_rsa_key',11 line: 'HostKey /etc/ssh/ssh_host_rsa_key' }12 #- { regexp: '^#HostKey /etc/ssh/ssh_host_rsa_key', 13 # line: 'HostKey /etc/ssh/ssh_host_rsa_key' } 12 14 - { regexp: '^HostKey /etc/ssh/ssh_host_dsa_key', 13 15 line: '# HostKey /etc/ssh/ssh_host_dsa_key' } 14 - { regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key',15 line: '# HostKey /etc/ssh/ssh_host_ecdsa_key' }16 - { regexp: '^#HostKey /etc/ssh/ssh_host_ed25519_key',17 line: 'HostKey /etc/ssh/ssh_host_ed25519_key' }16 #- { regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key', 17 # line: '# HostKey /etc/ssh/ssh_host_ecdsa_key' } 18 #- { regexp: '^#HostKey /etc/ssh/ssh_host_ed25519_key', 19 # line: 'HostKey /etc/ssh/ssh_host_ed25519_key' } 18 20 notify: "restart sshd" 19 21 22 23 - name: "Set supported host key algorithms by order of preference" 24 ansible.builtin.blockinfile: 25 path: /etc/ssh/sshd_config 26 block: | 27 # Supported HostKey algorithms by order of preference. 28 HostKey /etc/ssh/ssh_host_ed25519_key 29 HostKey /etc/ssh/ssh_host_rsa_key 30 HostKey /etc/ssh/ssh_host_ecdsa_key 31 notify: "restart sshd" 32 33 20 34 - name: "sshd_config - set key bits to 4096" 21 35 lineinfile: … … 27 41 notify: "restart sshd" 28 42 29 - name: "sshd_config - set secure ciphers from bettercrypto.org (Ubuntu)"30 when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('16', '<=')31 32 lineinfile:33 dest=/etc/ssh/sshd_config34 line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'35 state=present36 notify: "restart sshd"37 43 38 - name: "sshd_config - set secure ciphers from bettercrypto.org (Debian)" 39 when: ansible_distribution == 'Debian' 40 44 - name: "sshd_config - set secure ciphers from mozilla guidelines" 41 45 lineinfile: 42 46 dest=/etc/ssh/sshd_config … … 45 49 notify: "restart sshd" 46 50 47 - name: "sshd_config - set secure MACs from bettercrypto.orgi (Ubuntu)" 48 when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('16', '<=') 51 52 - name: "sshd_config - set secure MACs from mozilla guidelines and ssh-audit.py" 49 53 lineinfile: 50 54 dest=/etc/ssh/sshd_config 51 line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256' 52 state=present 53 notify: "restart sshd" 54 55 - name: "sshd_config - set secure MACs from bettercrypto.org and ssh-audit.py (Debian)" 56 when: ansible_distribution == 'Debian' 57 lineinfile: 58 dest=/etc/ssh/sshd_config 59 line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com' 55 line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' 60 56 state=present 61 57 notify: "restart sshd" 62 58 63 59 64 - name: "sshd_config - set secure kex algos from bettercrypto.org (Ubuntu)" 65 when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('16', '<=') 60 # line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512' 61 - name: "sshd_config - set secure kex algos from mozilla guidelines" 66 62 lineinfile: 67 63 dest=/etc/ssh/sshd_config 68 line='KexAlgorithms curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'64 line='KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256' 69 65 state=present 70 66 notify: "restart sshd" 71 67 72 - name: "sshd_config - set secure kex algos from bettercrypto.org (Debian)" 73 when: ansible_distribution == 'Debian' 68 69 - name: "sshd_config - set log level" 74 70 lineinfile: 75 dest=/etc/ssh/sshd_config76 line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512'77 state=present71 dest: /etc/ssh/sshd_config 72 line: "LogLevel VERBOSE" 73 state: present 78 74 notify: "restart sshd" 75 76 77 - name: "sshd_config - enable sftp logging" 78 lineinfile: 79 dest: /etc/ssh/sshd_config 80 line: "Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO" 81 regexp: "^Subsystem sftp /usr/lib/openssh/sftp-server" 82 backrefs: yes 83 state: present 84 notify: "restart sshd" 85 86 87 - name: "sshd_config - use privilage separation" 88 lineinfile: 89 dest: /etc/ssh/sshd_config 90 line: "UsePrivilegeSeparation sandbox" 91 state: present 92 notify: "restart sshd" 93 79 94 80 95 - name: "remove short moduli (<2048 bits) from /etc/ssh/moduli" 81 96 replace: 82 97 dest=/etc/ssh/moduli 83 regexp='^([0-9]+\s){4}( 1[0-9]{3}\s)'98 regexp='^([0-9]+\s){4}([12][0-9]{3}\s)' 84 99 notify: "restart sshd"
Note: See TracChangeset for help on using the changeset viewer.