From 7813933ad6047b58f8707071844f99c36cca0aef Mon Sep 17 00:00:00 2001
From: Sven Velt
Date: Tue, 19 Oct 2021 10:24:47 +0200
Subject: [PATCH] Disable RSA for old SSH versions

closes #10
---
 tasks/main.yml | 6 ++----
 vars/os_ubuntu-14.yml | 4 ----
 vars/ssh_6.6.yml | 3 +++
 vars/ssh_7.4.yml | 3 +++
 vars/ssh_8.2.yml | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)
 delete mode 100644 vars/os_ubuntu-14.yml

diff --git a/tasks/main.yml b/tasks/main.yml
index 1966cb1..2dc0589 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -41,14 +41,12 @@
 ####################
-- name: "Hostkeys: Disable (EC)DSA"
+- name: "Hostkeys: Disable (EC)DSA (and maybe RSA)"
   lineinfile:
     dest: "{{ ssh_hardening_sshd_config }}"
     regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
     state: absent
-  loop:
-    - dsa
-    - ecdsa
+  loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}"
   notify: Restart SSH
diff --git a/vars/os_ubuntu-14.yml b/vars/os_ubuntu-14.yml
deleted file mode 100644
index 676f17b..0000000
--- a/vars/os_ubuntu-14.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-ssh_hardening_hostkeys:
-  - ed25519
-
diff --git a/vars/ssh_6.6.yml b/vars/ssh_6.6.yml
index df63763..371776b 100644
--- a/vars/ssh_6.6.yml
+++ b/vars/ssh_6.6.yml
@@ -1,6 +1,9 @@
 # 6.6: Ubuntu 14
 # 7.2: Ubuntu 16
+ssh_hardening_hostkeys:
+  - ed25519
+
 ssh_hardening_opts:
   KexAlgorithms:
     - curve25519-sha256@libssh.org
diff --git a/vars/ssh_7.4.yml b/vars/ssh_7.4.yml
index 495a609..43cefe2 100644
--- a/vars/ssh_7.4.yml
+++ b/vars/ssh_7.4.yml
@@ -1,6 +1,9 @@
 # 7.4: Debian 9
 # 7.4: RedHat/CentOS 7
+ssh_hardening_hostkeys:
+  - ed25519
+
 ssh_hardening_opts:
   KexAlgorithms:
     - curve25519-sha256
diff --git a/vars/ssh_8.2.yml b/vars/ssh_8.2.yml
index c36736e..9d6be5d 100644
--- a/vars/ssh_8.2.yml
+++ b/vars/ssh_8.2.yml
@@ -1,4 +1,4 @@
-# 8.2: Ubuntu 10
+# 8.2: Ubuntu 20.04
 # 8.4: Debian 11 & Suse 15.3
 # 8.6: Fedora 34 (no diff in *hardened policy* to 8.4)
 # 8.7: Fedora 35 (no diff in *hardened policy* to 8.4)
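Review bot: The new `loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}"` in tasks/main.yml depends on two variables that this patch does not define on every path: `ssh_hardening_hostkeys` is now set only in vars/ssh_6.6.yml and vars/ssh_7.4.yml (the deleted vars/os_ubuntu-14.yml was the other source), and `ssh_hardening_hostkeys_all` is not touched at all, so unless both have entries in the role defaults outside this patch, hosts that load vars/ssh_8.2.yml will fail with an undefined variable. A second caveat deserves a comment above the task: the regexp `'(?i)\s*#*\s*hostkey.*{{ item }}_key'` also strips commented-out `#HostKey` lines, and if I read sshd_config(5) correctly sshd with no `HostKey` directive left falls back to its compiled-in default key paths (which include the RSA and ECDSA files), so this task only disables those types when an explicit `HostKey` line for a kept type survives or is ensured elsewhere. I would add `# Removes HostKey lines (commented or not) for every type in ssh_hardening_hostkeys_all that is not in ssh_hardening_hostkeys; both must be defined in defaults` above `- name:`. The name `"Hostkeys: Disable (EC)DSA (and maybe RSA)"` could instead state the policy, e.g. `"Hostkeys: keep only {{ ssh_hardening_hostkeys | join(', ') }}"`, so the play output shows what is actually removed.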
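Review bot: The `ssh_hardening_hostkeys:` block added to vars/ssh_6.6.yml carries no comment explaining why RSA is dropped on this version, and the identical block in vars/ssh_7.4.yml has the same gap; the commit subject only says "old SSH versions" and points at #10. Since the file header already records which distributions map to 6.6/7.2, a one-line reason next to the variable keeps the policy reviewable without opening the issue, e.g. `# ed25519 only: see #10 for why RSA host keys are not offered on this release` (replace with the actual rationale from #10). That comment should also note the operational consequence that clients lacking ed25519 support can no longer authenticate the host, since after this change no other host key type is offered on these releases.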