Ansible/ssh-hardening
1
0
Fork 0
Code Issues 9 Pull requests 1 Projects Releases Wiki Activity
SSH hardening, based on https://www.sshaudit.com & more
33 commits 4 branches 2 tags 95 KiB
Jinja 100%
Find a file
Sven Velt 29c024f374 meta: add Alpine as supported platform
2024-11-19 22:03:19 +01:00
defaults Added OpenBSD support 2023-11-15 21:07:32 +01:00
handlers Big update to support RHEL9 & clones 2023-03-20 20:32:35 +01:00
meta meta: add Alpine as supported platform 2024-11-19 22:03:19 +01:00
tasks Fix version number when ssh client is not available 2024-11-11 12:26:12 +01:00
templates Big update to support RHEL9 & clones 2023-03-20 20:32:35 +01:00
vars WIP: support for FreeBSD and NetBSD 2024-07-10 11:22:11 +02:00
.gitignore Initial commit 2021-10-11 20:37:03 +00:00
LICENSE Initial commit 2021-10-11 20:37:03 +00:00
README.md Update README 2024-07-10 11:21:35 +02:00
ssh-hardening.yml First snapshot 2021-10-11 22:58:09 +02:00

README.md

ssh-hardening

SSH server hardening, based on https://www.sshaudit.com & more

Requirements

  • OpenSSH versions 6.5+

Role Variables

Defaults:

  • ssh_hardening_hostkeys: rsa, ed25519
  • ssh_hardening_hostkeys_all: dsa, ecdsa, rsa, ed25519
  • ssh_hardening_moduli: /etc/ssh/moduli
  • ssh_hardening_moduli_backup: /etc/ssh/moduli.not-hardened
  • ssh_hardening_root_group: root
  • ssh_hardening_service_name: sshd
  • ssh_hardening_sshd_config: /etc/ssh/sshd_config

Included via vars/ssh_*:

  • ssh_hardening_opts: Parameter/Values to set for specific SSH version

Included via vars/os_*:

  • ssh_hardening_moduli
  • ssh_hardening_moduli_backup
  • ssh_hardening_service_name
  • ssh_hardening_root_group

Command line variables (undefined):

  • ssh_hardening_force: version/id to include, overwrites detected version!

Dependencies

  • None

Example Playbook

- hosts: servers
  roles:
     - { role: ssh-hardening }

SSH versions

  • 6.0: [_] Debian 7 "wheezy"
  • 6.5: (support for curve25519-sha256@libssh.org, ssh-ed25519, chacha20-poly1305@openssh.com)
  • 6.6: Ubuntu 14.04 "trusty"
  • 6.7: Debian 8 "jessie"
  • 7.0:
  • 7.1:
  • 7.2: Ubuntu 16.04 "xenial"
  • 7.4: Debian 9 "stretch", RedHat 7 - (added curve25519-sha256)
  • 7.6: Ubuntu 18.04 "bionic"
  • 7.7:
  • 7.8:
  • 7.9: Debian 10 "buster"
  • 8.0: RedHat 8
  • 8.1: Suse 15.2
  • 8.2: Ubuntu 20.04 "focal"
  • 8.3:
  • 8.4: Alpine 3.13, Debian 11 "bullseye", Fedora 33, OpenSUSE 15.3/15.4
  • 8.5: (added sntrup761x25519-sha512@openssh.com)
  • 8.6: Alpine 3.14, Fedora 34
  • 8.7: Fedora 35
  • 8.8: Alpine 3.15, Fedora 36, Fedora 37
  • 8.9: Ubuntu 22.04 "jammy"
  • 9.0: Alpine 3.16, Fedora 38, Ubuntu 22.10 "kinetic", Ubuntu 23.04 "lunar"
  • 9.1: Alpine 3.17
  • 9.2: Debian 12 "bookworm"
  • 9.3: Alpine 3.18, Fedora 39, Ubuntu 23.10 "mantic"
  • 9.4:
  • 9.5:
  • 9.6: Alpine 3.19, Fedora 40, Ubuntu 24.04 "noble"
  • 9.7: Alpine 3.20
  • 9.8: Archlinux, Voidlinux

License

AGPL3.0-or-later

Author Information