Changeset 16987 for main/waeup-ansible/roles/openssh/tasks

Timestamp:

5 Jul 2022, 13:25:33 (2 years ago)

Author:

uli

Message:

Update SSH config to current infosec state.

File:

• main/waeup-ansible/roles/openssh/tasks/main.yml (modified) (4 diffs)

main/waeup-ansible/roles/openssh/tasks/main.yml

@@ -1 +1 @@
 ---
 # tasks to enable secure OpenSSH server config
+# mozilla values set as from
+#   https://infosec.mozilla.org/guidelines/openssh
 - name: "sshd_config - disable weak keys"
   lineinfile:
@@ -8 +10 @@
     regexp={{ item.regexp }}
   with_items:
-    - { regexp: '^#HostKey /etc/ssh/ssh_host_rsa_key',
-        line: 'HostKey /etc/ssh/ssh_host_rsa_key' }
+    #- { regexp: '^#HostKey /etc/ssh/ssh_host_rsa_key',
+    #    line: 'HostKey /etc/ssh/ssh_host_rsa_key' }
     - { regexp: '^HostKey /etc/ssh/ssh_host_dsa_key',
         line: '# HostKey /etc/ssh/ssh_host_dsa_key' }
-    - { regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key',
-        line: '# HostKey /etc/ssh/ssh_host_ecdsa_key' }
-    - { regexp: '^#HostKey /etc/ssh/ssh_host_ed25519_key',
-        line: 'HostKey /etc/ssh/ssh_host_ed25519_key' }
+    #- { regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key',
+    #    line: '# HostKey /etc/ssh/ssh_host_ecdsa_key' }
+    #- { regexp: '^#HostKey /etc/ssh/ssh_host_ed25519_key',
+    #    line: 'HostKey /etc/ssh/ssh_host_ed25519_key' }
   notify: "restart sshd"
 
+
+- name: "Set supported host key algorithms by order of preference"
+  ansible.builtin.blockinfile:
+      path: /etc/ssh/sshd_config
+      block: |
+          # Supported HostKey algorithms by order of preference.
+          HostKey /etc/ssh/ssh_host_ed25519_key
+          HostKey /etc/ssh/ssh_host_rsa_key
+          HostKey /etc/ssh/ssh_host_ecdsa_key
+  notify: "restart sshd"
+
+          
 - name: "sshd_config - set key bits to 4096"
   lineinfile:
@@ -27 +41 @@
   notify: "restart sshd"
 
-- name: "sshd_config - set secure ciphers from bettercrypto.org (Ubuntu)"
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('16', '<=')
-        
-  lineinfile:
-    dest=/etc/ssh/sshd_config
-    line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'
-    state=present
-  notify: "restart sshd"
 
-- name: "sshd_config - set secure ciphers from bettercrypto.org (Debian)"
-  when: ansible_distribution == 'Debian'
-        
+- name: "sshd_config - set secure ciphers from mozilla guidelines"
   lineinfile:
     dest=/etc/ssh/sshd_config
@@ -45 +49 @@
   notify: "restart sshd"
 
-- name: "sshd_config - set secure MACs from bettercrypto.orgi (Ubuntu)"
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('16', '<=')
+
+- name: "sshd_config - set secure MACs from mozilla guidelines and ssh-audit.py"
   lineinfile:
     dest=/etc/ssh/sshd_config
-    line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
-    state=present
-  notify: "restart sshd"
-
-- name: "sshd_config - set secure MACs from bettercrypto.org and ssh-audit.py (Debian)"
-  when: ansible_distribution == 'Debian'
-  lineinfile:
-    dest=/etc/ssh/sshd_config
-    line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
+    line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
     state=present
   notify: "restart sshd"
 
 
-- name: "sshd_config - set secure kex algos from bettercrypto.org (Ubuntu)"
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('16', '<=')
+    # line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512'
+- name: "sshd_config - set secure kex algos from mozilla guidelines"
   lineinfile:
     dest=/etc/ssh/sshd_config
-    line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
+    line='KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
     state=present
   notify: "restart sshd"
 
-- name: "sshd_config - set secure kex algos from bettercrypto.org (Debian)"
-  when: ansible_distribution == 'Debian'
+
+- name: "sshd_config - set log level"
   lineinfile:
-    dest=/etc/ssh/sshd_config
-    line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512'
-    state=present
+      dest: /etc/ssh/sshd_config
+      line: "LogLevel VERBOSE"
+      state: present
   notify: "restart sshd"
+
+
+- name: "sshd_config - enable sftp logging"
+  lineinfile:
+      dest: /etc/ssh/sshd_config
+      line: "Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO"
+      regexp: "^Subsystem sftp  /usr/lib/openssh/sftp-server"
+      backrefs: yes
+      state: present
+  notify: "restart sshd"
+
+
+- name: "sshd_config - use privilage separation"
+  lineinfile:
+      dest: /etc/ssh/sshd_config
+      line: "UsePrivilegeSeparation sandbox"
+      state: present
+  notify: "restart sshd"
+
 
 - name: "remove short moduli (<2048 bits) from /etc/ssh/moduli"
   replace:
     dest=/etc/ssh/moduli
-    regexp='^([0-9]+\s){4}(1[0-9]{3}\s)'
+    regexp='^([0-9]+\s){4}([12][0-9]{3}\s)'
   notify: "restart sshd"