ssh-hardening/README.md

ssh-hardening
=========

SSH server hardening, based on https://www.sshaudit.com & more

Requirements
------------

- OpenSSH versions 6.5+

Role Variables
--------------

Defaults:
- `ssh_hardening_hostkeys`: `rsa`, `ed25519`
- `ssh_hardening_hostkeys_all`: `dsa`, `ecdsa`, `rsa`, `ed25519`
- `ssh_hardening_moduli`: `/etc/ssh/moduli`
- `ssh_hardening_moduli_backup`: `/etc/ssh/moduli.not-hardened`
- `ssh_hardening_root_group`: `root`
- `ssh_hardening_service_name`: `sshd`
- `ssh_hardening_sshd_config`: `/etc/ssh/sshd_config`

Included via `vars/ssh_*`:
- `ssh_hardening_opts`: Parameter/Values to set for specific SSH version

Included via `vars/os_*`:
- `ssh_hardening_moduli`
- `ssh_hardening_moduli_backup`
- `ssh_hardening_service_name`
- `ssh_hardening_root_group`

Command line variables (undefined):
- `ssh_hardening_force`: version/id to include, overwrites detected version!

Dependencies
------------

- None

Example Playbook
----------------

    - hosts: servers
      roles:
         - { role: ssh-hardening }

SSH versions
------------
- 6.0: [_] Debian 7 "wheezy"
- 6.5: (support for `curve25519-sha256@libssh.org`, `ssh-ed25519`, `chacha20-poly1305@openssh.com`)
- 6.6: ✅ Ubuntu 14.04 "trusty"
- 6.7: ✅ Debian 8 "jessie"
- 7.0:
- 7.1:
- 7.2: ✅ Ubuntu 16.04 "xenial"
- 7.4: ✅ Debian 9 "stretch", ✅ RedHat 7 - (added `curve25519-sha256`)
- 7.6: ✅ Ubuntu 18.04 "bionic"
- 7.7:
- 7.8:
- 7.9: ✅ Debian 10 "buster"
- 8.0: ✅ RedHat 8
- 8.1: ✅ Suse 15.2
- 8.2: ✅ Ubuntu 20.04 "focal"
- 8.3:
- 8.4: ✅ Alpine 3.13, ✅ Debian 11 "bullseye", ✅ Fedora 33, ✅ OpenSUSE 15.3/15.4
- 8.5: (added `sntrup761x25519-sha512@openssh.com`)
- 8.6: ✅ Alpine 3.14, ✅ Fedora 34
- 8.7: ✅ Fedora 35
- 8.8: ✅ Alpine 3.15, ✅ Fedora 36, ✅ Fedora 37
- 8.9: ✅ Ubuntu 22.04 "jammy"
- 9.0: ✅ Alpine 3.16, ✅ Fedora 38, ✅ Ubuntu 22.10 "kinetic", ✅ Ubuntu 23.04 "lunar"
- 9.1: ✅ Alpine 3.17
- 9.2: ✅ Debian 12 "bookworm"
- 9.3: ✅ Alpine 3.18, ✅ Fedora 39, ✅ Ubuntu 23.10 "mantic"
- 9.4:
- 9.5: 
- 9.6: ✅ Alpine 3.19, Fedora 40, Ubuntu 24.04 "noble"
- 9.7: ✅ Alpine 3.20
- 9.8: Archlinux, ✅ Voidlinux

License
-------

AGPL3.0-or-later

Author Information
------------------

- Sven Velt <sven-ansiblerole@velt.biz>
- https://git.velt.biz/
First snapshot 2021-10-11 20:58:09 +00:00			`ssh-hardening`
			`=========`

README updated 2022-05-12 13:10:32 +00:00			`SSH server hardening, based on https://www.sshaudit.com & more`
First snapshot 2021-10-11 20:58:09 +00:00
			`Requirements`
			`------------`

README updated 2022-05-12 13:10:32 +00:00			`- OpenSSH versions 6.5+`
First snapshot 2021-10-11 20:58:09 +00:00
			`Role Variables`
			`--------------`

README updated 2022-05-12 13:10:32 +00:00			`Defaults:`
			- `ssh_hardening_hostkeys`: `rsa`, `ed25519`
			- `ssh_hardening_hostkeys_all`: `dsa`, `ecdsa`, `rsa`, `ed25519`
			- `ssh_hardening_moduli`: `/etc/ssh/moduli`
			- `ssh_hardening_moduli_backup`: `/etc/ssh/moduli.not-hardened`
Added OpenBSD support 2023-11-15 20:07:32 +00:00			- `ssh_hardening_root_group`: `root`
README: Fixes 2023-11-15 20:01:41 +00:00			- `ssh_hardening_service_name`: `sshd`
README updated 2022-05-12 13:10:32 +00:00			- `ssh_hardening_sshd_config`: `/etc/ssh/sshd_config`

			Included via `vars/ssh_*`:
			- `ssh_hardening_opts`: Parameter/Values to set for specific SSH version

README: Fixes 2023-11-15 20:01:41 +00:00			Included via `vars/os_*`:
Added OpenBSD support 2023-11-15 20:07:32 +00:00			- `ssh_hardening_moduli`
			- `ssh_hardening_moduli_backup`
README: Fixes 2023-11-15 20:01:41 +00:00			- `ssh_hardening_service_name`
Added OpenBSD support 2023-11-15 20:07:32 +00:00			- `ssh_hardening_root_group`
README: Fixes 2023-11-15 20:01:41 +00:00
README updated 2022-05-12 13:10:32 +00:00			`Command line variables (undefined):`
			- `ssh_hardening_force`: version/id to include, overwrites detected version!
First snapshot 2021-10-11 20:58:09 +00:00
			`Dependencies`
			`------------`

			`- None`

			`Example Playbook`
			`----------------`

			`- hosts: servers`
			`roles:`
			`- { role: ssh-hardening }`

Add SSH versions in the wild List of all SSH versions I found. 2021-10-12 10:12:58 +00:00			`SSH versions`
			`------------`
			`- 6.0: [_] Debian 7 "wheezy"`
Big update to support RHEL9 & clones Now crypto-policies include SSH options (not command line arguments) 2023-03-20 19:32:35 +00:00			- 6.5: (support for `curve25519-sha256@libssh.org`, `ssh-ed25519`, `chacha20-poly1305@openssh.com`)
Update README 2024-07-10 09:21:35 +00:00			`- 6.6: ✅ Ubuntu 14.04 "trusty"`
			`- 6.7: ✅ Debian 8 "jessie"`
Add SSH versions in the wild List of all SSH versions I found. 2021-10-12 10:12:58 +00:00			`- 7.0:`
			`- 7.1:`
Update README 2024-07-10 09:21:35 +00:00			`- 7.2: ✅ Ubuntu 16.04 "xenial"`
			- 7.4: ✅ Debian 9 "stretch", ✅ RedHat 7 - (added `curve25519-sha256`)
			`- 7.6: ✅ Ubuntu 18.04 "bionic"`
Add SSH versions in the wild List of all SSH versions I found. 2021-10-12 10:12:58 +00:00			`- 7.7:`
			`- 7.8:`
Update README 2024-07-10 09:21:35 +00:00			`- 7.9: ✅ Debian 10 "buster"`
			`- 8.0: ✅ RedHat 8`
			`- 8.1: ✅ Suse 15.2`
			`- 8.2: ✅ Ubuntu 20.04 "focal"`
Add SSH versions in the wild List of all SSH versions I found. 2021-10-12 10:12:58 +00:00			`- 8.3:`
Update README 2024-07-10 09:21:35 +00:00			`- 8.4: ✅ Alpine 3.13, ✅ Debian 11 "bullseye", ✅ Fedora 33, ✅ OpenSUSE 15.3/15.4`
Use sntrup761x25519-sha512@openssh.com beginning with 8.5 2022-09-30 18:36:39 +00:00			- 8.5: (added `sntrup761x25519-sha512@openssh.com`)
Update README 2024-07-10 09:21:35 +00:00			`- 8.6: ✅ Alpine 3.14, ✅ Fedora 34`
			`- 8.7: ✅ Fedora 35`
			`- 8.8: ✅ Alpine 3.15, ✅ Fedora 36, ✅ Fedora 37`
			`- 8.9: ✅ Ubuntu 22.04 "jammy"`
			`- 9.0: ✅ Alpine 3.16, ✅ Fedora 38, ✅ Ubuntu 22.10 "kinetic", ✅ Ubuntu 23.04 "lunar"`
			`- 9.1: ✅ Alpine 3.17`
			`- 9.2: ✅ Debian 12 "bookworm"`
			`- 9.3: ✅ Alpine 3.18, ✅ Fedora 39, ✅ Ubuntu 23.10 "mantic"`
README: Update version numbers 2023-11-15 20:01:52 +00:00			`- 9.4:`
Update README 2024-07-10 09:21:35 +00:00			`- 9.5:`
			`- 9.6: ✅ Alpine 3.19, Fedora 40, Ubuntu 24.04 "noble"`
			`- 9.7: ✅ Alpine 3.20`
			`- 9.8: Archlinux, ✅ Voidlinux`
Add SSH versions in the wild List of all SSH versions I found. 2021-10-12 10:12:58 +00:00
First snapshot 2021-10-11 20:58:09 +00:00			`License`
			`-------`

			`AGPL3.0-or-later`

			`Author Information`
			`------------------`

			`- Sven Velt <sven-ansiblerole@velt.biz>`
			`- https://git.velt.biz/`
Initial commit 2021-10-11 20:37:03 +00:00