Changeset 16987 for main


Timestamp:
5 Jul 2022, 13:25:33 (3 years ago)
Author:
uli
Message:

Update SSH config to current infosec state.

Location:
main/waeup-ansible
Files:
2 edited

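--- a/main/waeup-ansible/bootstrap.yml
+++ b/main/waeup-ansible/bootstrap.yml
@@ -17,9 +17,11 @@
     # Allow admin users below to become root w/o entering password?
     permit_become_root_no_password: true
+    create_admin_user: false
     # create hashed passwords like this:
     #      $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw
-    admin_users:
-        uli:
-            hashed_pw: "$6$iuoXy2wO3elWM6d2$NR/ayKF58q0Bm0BdsR.g.Nt5xYzD0s0t17ZjrYaRpY7nkRekjgHTnqw849pK9FdynmNZAioW6oQBQx3BB5kcd0"
+    admin_users: {}
+
+        #    uli:
+        #         hashed_pw: "$6$iuoXy2wO3elWM6d2$NR/ayKF58q0Bm0BdsR.g.Nt5xYzD0s0t17ZjrYaRpY7nkRekjgHTnqw849pK9FdynmNZAioW6oQBQx3BB5kcd0"
 
   roles:
@@ -35,4 +37,5 @@
   tasks:
   - name: Create admin users
+    when: create_admin_users
     user:
       name: "{{ item.key }}"
@@ -54,2 +57,11 @@
     notify: "restart sshd"
     when: not permit_ssh_root
+
+  - name: Disable SSH root access
+    # make sure this is not run before you can log in otherwise!
+    lineinfile:
+      dest=/etc/ssh/sshd_config
+      line="AuthenticationMethods publickey"
+      state=present
+    notify: "restart sshd"
+    when: not permit_ssh_root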
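Review bot: The variable added to vars at new line 19 is `create_admin_user`, but the guard added to the "Create admin users" task at new line 39 reads `create_admin_users`, so with Ansible's default `error_on_undefined_vars` the conditional cannot be evaluated and the play aborts on that task; make the names agree, e.g. `when: create_admin_user | bool`. The admin SHA-512 crypt hash at new line 25 is only commented out, not removed, which leaves an offline-crackable credential in the checked-in file (and in history in any case); drop the comment, rotate that password, and keep real hashes in Ansible Vault rather than in the playbook. The task added at new line 60 reuses the name "Disable SSH root access" but actually sets `AuthenticationMethods publickey`, and gating it on `not permit_ssh_root` ties key-only authentication to the root-login policy for no visible reason; name it e.g. "Require public-key authentication" and give it its own switch. Since `AuthenticationMethods publickey` locks out every account without an authorized key, the inline warning should say so explicitly, e.g. `# locks out any account without an authorized_keys entry — deploy keys first!`.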
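--- a/main/waeup-ansible/roles/openssh/tasks/main.yml
+++ b/main/waeup-ansible/roles/openssh/tasks/main.yml
@@ -1,4 +1,6 @@
 ---
 # tasks to enable secure OpenSSH server config
+# mozilla values set as from
+#   https://infosec.mozilla.org/guidelines/openssh
 - name: "sshd_config - disable weak keys"
   lineinfile:
@@ -8,14 +10,26 @@
     regexp={{ item.regexp }}
   with_items:
-    - { regexp: '^#HostKey /etc/ssh/ssh_host_rsa_key',
-        line: 'HostKey /etc/ssh/ssh_host_rsa_key' }
+    #- { regexp: '^#HostKey /etc/ssh/ssh_host_rsa_key',
+    #    line: 'HostKey /etc/ssh/ssh_host_rsa_key' }
     - { regexp: '^HostKey /etc/ssh/ssh_host_dsa_key',
         line: '# HostKey /etc/ssh/ssh_host_dsa_key' }
-    - { regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key',
-        line: '# HostKey /etc/ssh/ssh_host_ecdsa_key' }
-    - { regexp: '^#HostKey /etc/ssh/ssh_host_ed25519_key',
-        line: 'HostKey /etc/ssh/ssh_host_ed25519_key' }
+    #- { regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key',
+    #    line: '# HostKey /etc/ssh/ssh_host_ecdsa_key' }
+    #- { regexp: '^#HostKey /etc/ssh/ssh_host_ed25519_key',
+    #    line: 'HostKey /etc/ssh/ssh_host_ed25519_key' }
   notify: "restart sshd"
 
+
+- name: "Set supported host key algorithms by order of preference"
+  ansible.builtin.blockinfile:
+      path: /etc/ssh/sshd_config
+      block: |
+          # Supported HostKey algorithms by order of preference.
+          HostKey /etc/ssh/ssh_host_ed25519_key
+          HostKey /etc/ssh/ssh_host_rsa_key
+          HostKey /etc/ssh/ssh_host_ecdsa_key
+  notify: "restart sshd"
+
+         
 - name: "sshd_config - set key bits to 4096"
   lineinfile:
@@ -27,16 +41,6 @@
   notify: "restart sshd"
 
-- name: "sshd_config - set secure ciphers from bettercrypto.org (Ubuntu)"
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('16', '<=')
-       
-  lineinfile:
-    dest=/etc/ssh/sshd_config
-    line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'
-    state=present
-  notify: "restart sshd"
 
-- name: "sshd_config - set secure ciphers from bettercrypto.org (Debian)"
-  when: ansible_distribution == 'Debian'
-       
+- name: "sshd_config - set secure ciphers from mozilla guidelines"
   lineinfile:
     dest=/etc/ssh/sshd_config
@@ -45,40 +49,51 @@
   notify: "restart sshd"
 
-- name: "sshd_config - set secure MACs from bettercrypto.orgi (Ubuntu)"
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('16', '<=')
+
+- name: "sshd_config - set secure MACs from mozilla guidelines and ssh-audit.py"
   lineinfile:
     dest=/etc/ssh/sshd_config
-    line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
-    state=present
-  notify: "restart sshd"
-
-- name: "sshd_config - set secure MACs from bettercrypto.org and ssh-audit.py (Debian)"
-  when: ansible_distribution == 'Debian'
-  lineinfile:
-    dest=/etc/ssh/sshd_config
-    line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
+    line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
     state=present
   notify: "restart sshd"
 
 
-- name: "sshd_config - set secure kex algos from bettercrypto.org (Ubuntu)"
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('16', '<=')
+    # line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512'
+- name: "sshd_config - set secure kex algos from mozilla guidelines"
   lineinfile:
     dest=/etc/ssh/sshd_config
-    line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
+    line='KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
     state=present
   notify: "restart sshd"
 
-- name: "sshd_config - set secure kex algos from bettercrypto.org (Debian)"
-  when: ansible_distribution == 'Debian'
+
+- name: "sshd_config - set log level"
   lineinfile:
-    dest=/etc/ssh/sshd_config
-    line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512'
-    state=present
+      dest: /etc/ssh/sshd_config
+      line: "LogLevel VERBOSE"
+      state: present
   notify: "restart sshd"
+
+
+- name: "sshd_config - enable sftp logging"
+  lineinfile:
+      dest: /etc/ssh/sshd_config
+      line: "Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO"
+      regexp: "^Subsystem sftp  /usr/lib/openssh/sftp-server"
+      backrefs: yes
+      state: present
+  notify: "restart sshd"
+
+
+- name: "sshd_config - use privilage separation"
+  lineinfile:
+      dest: /etc/ssh/sshd_config
+      line: "UsePrivilegeSeparation sandbox"
+      state: present
+  notify: "restart sshd"
+
 
 - name: "remove short moduli (<2048 bits) from /etc/ssh/moduli"
   replace:
     dest=/etc/ssh/moduli
-    regexp='^([0-9]+\s){4}(1[0-9]{3}\s)'
+    regexp='^([0-9]+\s){4}([12][0-9]{3}\s)'
   notify: "restart sshd"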
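Review bot: The sftp-logging task at new lines 77–84 is very likely a silent no-op on stock Debian/Ubuntu: its `regexp` hard-codes two spaces between `sftp` and the binary path while the distribution's default sshd_config separates those fields with tabs (as far as I recall), and with `backrefs: yes` lineinfile never inserts `line` when the regexp does not match, so the task reports ok and sftp keeps logging at the default level. Use `regexp: '^Subsystem\s+sftp\s'` and drop `backrefs` (the `line` contains no back-references anyway). `UsePrivilegeSeparation sandbox` at new line 90 has been deprecated and ignored since OpenSSH 7.5, so on current releases it only produces a deprecation warning in the sshd log rather than hardening anything. The moduli regexp at new line 98 now also strips the 2047-size (2048-bit) groups, in line with Mozilla's ≥3071 recommendation, but the task name still says "<2048 bits"; rename it to `- name: "remove short moduli (<3072 bits) from /etc/ssh/moduli"`. Note also that `replace` without a `replace:` value deletes only the matched prefix, leaving the generator and modulus behind as a truncated line that sshd has to reject at parse time — a regexp covering the whole line (e.g. `regexp='^([0-9]+\s){4}[12][0-9]{3}\s.*\n'`) would remove the group cleanly.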