Ansible/ssh-hardening
1
0
Fork 0
Code Issues 9 Pull requests 1 Projects Releases Wiki Activity

Disable RSA for old SSH versions

Browse source 
closes #10
This commit is contained in:
Sven Velt 2021-10-19 10:24:47 +02:00
parent ed24147b3a
commit 7813933ad6
5 changed files with 9 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
tasks/main.yml
View file

@ -41,14 +41,12 @@
#################### ####################
- name: "Hostkeys: Disable (EC)DSA" - name: "Hostkeys: Disable (EC)DSA (and maybe RSA)"
lineinfile: lineinfile:
dest: "{{ ssh_hardening_sshd_config }}" dest: "{{ ssh_hardening_sshd_config }}"
regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key' regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
state: absent state: absent
loop: loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}"
- dsa
- ecdsa
notify: Restart SSH notify: Restart SSH

4
vars/os_ubuntu-14.yml
View file

@ -1,4 +0,0 @@
---
ssh_hardening_hostkeys:
- ed25519

3
vars/ssh_6.6.yml
View file

@ -1,6 +1,9 @@
# 6.6: Ubuntu 14 # 6.6: Ubuntu 14
# 7.2: Ubuntu 16 # 7.2: Ubuntu 16
ssh_hardening_hostkeys:
- ed25519
ssh_hardening_opts: ssh_hardening_opts:
KexAlgorithms: KexAlgorithms:
- curve25519-sha256@libssh.org - curve25519-sha256@libssh.org

3
vars/ssh_7.4.yml
View file

@ -1,6 +1,9 @@
# 7.4: Debian 9 # 7.4: Debian 9
# 7.4: RedHat/CentOS 7 # 7.4: RedHat/CentOS 7
ssh_hardening_hostkeys:
- ed25519
ssh_hardening_opts: ssh_hardening_opts:
KexAlgorithms: KexAlgorithms:
- curve25519-sha256 - curve25519-sha256

2
vars/ssh_8.2.yml
View file

@ -1,4 +1,4 @@
# 8.2: Ubuntu 10 # 8.2: Ubuntu 20.04
# 8.4: Debian 11 & Suse 15.3 # 8.4: Debian 11 & Suse 15.3
# 8.6: Fedora 34 (no diff in *hardened policy* to 8.4) # 8.6: Fedora 34 (no diff in *hardened policy* to 8.4)
# 8.7: Fedora 35 (no diff in *hardened policy* to 8.4) # 8.7: Fedora 35 (no diff in *hardened policy* to 8.4)