ssh-hardening/tasks/main.yml

---
- name: Set some variables
  set_fact:
    ssh_hardening_backup_suffix: "42.{{ ansible_date_time.date }}@{{ ansible_date_time.time }}~"
    ssh_hardening_distri: "{{ (ansible_distribution|lower).split(' ')[0] }}"


- name: Get SSH version number
  shell: 'ssh -V 2>&1 | grep -o "OpenSSH_[0-9]\+\.[0-9]" | grep -o "[0-9]\+\.[0-9]"'
  changed_when: False
  register: ssh_hardening_version


- name: Read SSH version config file
  include_vars: "ssh_{{ ssh_hardening_version.stdout_lines.0 }}.yml"


- name: Read distribution specific variables
  include_vars: "{{ item }}"
  with_first_found:
    - "os_{{ ssh_hardening_distri }}.yml"
    - "os_{{ ansible_distribution_family }}.yml"
    - "os_{{ ansible_os_family }}.yml"
    - "os_default.yml"


- name: Backup sshd_config
  copy:
    src: "{{ ssh_hardening_sshd_config }}"
    dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}"
    remote_src: yes
    owner: root
    group: root
    mode: 0600

####################

- name: "Hostkeys: Disable (EC)DSA"
  lineinfile:
    dest: "{{ ssh_hardening_sshd_config }}"
    regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
    state: absent
  loop:
    - dsa
    - ecdsa
  notify: Restart SSH


- name: "Hostkeys: Enable (RSA &) ED25519"
  lineinfile:
    dest: "{{ ssh_hardening_sshd_config }}"
    regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
    line: 'HostKey /etc/ssh/ssh_host_{{ item }}_key'
  loop: '{{ ssh_hardening_hostkeys }}'
  notify: Restart SSH

####################

- name: "INCLUDE: Remove small Diffie-Hellman moduli"
  include_tasks: moduli.yml

####################

- name: "Check for crypto-policies"
  stat:
    path: /etc/crypto-policies/back-ends/opensshserver.config
  register: ssh_hardening_use_policies


- name: "The (RedHat) crypto policy way..."
  include_tasks: restrictions_crypto_policy.yml
  when: ssh_hardening_use_policies.stat.exists


- name: "The standard config way..."
  include_tasks: restrictions_configfile.yml
  when: not ssh_hardening_use_policies.stat.exists
First snapshot 2021-10-11 20:58:09 +00:00			`---`
			`- name: Set some variables`
			`set_fact:`
			`ssh_hardening_backup_suffix: "42.{{ ansible_date_time.date }}@{{ ansible_date_time.time }}~"`
			`ssh_hardening_distri: "{{ (ansible_distribution\|lower).split(' ')[0] }}"`


			`- name: Get SSH version number`
			`shell: 'ssh -V 2>&1 \| grep -o "OpenSSH_[0-9]\+\.[0-9]" \| grep -o "[0-9]\+\.[0-9]"'`
			`changed_when: False`
			`register: ssh_hardening_version`


			`- name: Read SSH version config file`
			`include_vars: "ssh_{{ ssh_hardening_version.stdout_lines.0 }}.yml"`


			`- name: Read distribution specific variables`
			`include_vars: "{{ item }}"`
			`with_first_found:`
			`- "os_{{ ssh_hardening_distri }}.yml"`
			`- "os_{{ ansible_distribution_family }}.yml"`
			`- "os_{{ ansible_os_family }}.yml"`
			`- "os_default.yml"`


			`- name: Backup sshd_config`
			`copy:`
			`src: "{{ ssh_hardening_sshd_config }}"`
			`dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}"`
			`remote_src: yes`
			`owner: root`
			`group: root`
			`mode: 0600`

			`####################`

			`- name: "Hostkeys: Disable (EC)DSA"`
			`lineinfile:`
			`dest: "{{ ssh_hardening_sshd_config }}"`
			`regexp: '(?i)\s#\shostkey.{{ item }}_key'`
			`state: absent`
			`loop:`
			`- dsa`
			`- ecdsa`
			`notify: Restart SSH`


			`- name: "Hostkeys: Enable (RSA &) ED25519"`
			`lineinfile:`
			`dest: "{{ ssh_hardening_sshd_config }}"`
			`regexp: '(?i)\s#\shostkey.{{ item }}_key'`
			`line: 'HostKey /etc/ssh/ssh_host_{{ item }}_key'`
			`loop: '{{ ssh_hardening_hostkeys }}'`
			`notify: Restart SSH`

			`####################`

			`- name: "INCLUDE: Remove small Diffie-Hellman moduli"`
			`include_tasks: moduli.yml`

			`####################`

			`- name: "Check for crypto-policies"`
			`stat:`
			`path: /etc/crypto-policies/back-ends/opensshserver.config`
			`register: ssh_hardening_use_policies`


			`- name: "The (RedHat) crypto policy way..."`
			`include_tasks: restrictions_crypto_policy.yml`
			`when: ssh_hardening_use_policies.stat.exists`


			`- name: "The standard config way..."`
			`include_tasks: restrictions_configfile.yml`
			`when: not ssh_hardening_use_policies.stat.exists`