WIP: support for FreeBSD and NetBSD

Reviewed-on: #17

README.md

@@ -16,11 +16,19 @@ Defaults:
 - `ssh_hardening_hostkeys_all`: `dsa`, `ecdsa`, `rsa`, `ed25519`
 - `ssh_hardening_moduli`: `/etc/ssh/moduli`
 - `ssh_hardening_moduli_backup`: `/etc/ssh/moduli.not-hardened`
+- `ssh_hardening_root_group`: `root`
+- `ssh_hardening_service_name`: `sshd`
 - `ssh_hardening_sshd_config`: `/etc/ssh/sshd_config`
 
 Included via `vars/ssh_*`:
 - `ssh_hardening_opts`: Parameter/Values to set for specific SSH version
 
+Included via `vars/os_*`:
+- `ssh_hardening_moduli`
+- `ssh_hardening_moduli_backup`
+- `ssh_hardening_service_name`
+- `ssh_hardening_root_group`
+
 Command line variables (undefined):
 - `ssh_hardening_force`: version/id to include, overwrites detected version!
 
@@ -40,29 +48,35 @@ SSH versions
 ------------
 - 6.0: [_] Debian 7 "wheezy"
 - 6.5: (support for `curve25519-sha256@libssh.org`, `ssh-ed25519`, `chacha20-poly1305@openssh.com`)
-- 6.6: Ubuntu 14.04 "trusty"
+- 6.6: ✅ Ubuntu 14.04 "trusty"
-- 6.7: [_] Debian 8 "jessie"
+- 6.7: ✅ Debian 8 "jessie"
 - 7.0:
 - 7.1:
-- 7.2: Ubuntu 16.04 "xenial"
+- 7.2: ✅ Ubuntu 16.04 "xenial"
-- 7.4: Debian 9 "stretch", RedHat 7 - (added `curve25519-sha256`)
+- 7.4: ✅ Debian 9 "stretch", ✅ RedHat 7 - (added `curve25519-sha256`)
-- 7.6: Ubuntu 18.04 "bionic"
+- 7.6: ✅ Ubuntu 18.04 "bionic"
 - 7.7:
 - 7.8:
-- 7.9: Debian 10 "buster"
+- 7.9: ✅ Debian 10 "buster"
-- 8.0: RedHat 8
+- 8.0: ✅ RedHat 8
-- 8.1: Suse 15.2
+- 8.1: ✅ Suse 15.2
-- 8.2: Ubuntu 20.04 "focal"
+- 8.2: ✅ Ubuntu 20.04 "focal"
 - 8.3:
-- 8.4: Alpine 3.13, Debian 11 "bullseye", Fedora 33, OpenSUSE 15.3/15.4
+- 8.4: ✅ Alpine 3.13, ✅ Debian 11 "bullseye", ✅ Fedora 33, ✅ OpenSUSE 15.3/15.4
 - 8.5: (added `sntrup761x25519-sha512@openssh.com`)
-- 8.6: Alpine 3.14, Fedora 34
+- 8.6: ✅ Alpine 3.14, ✅ Fedora 34
-- 8.7: Fedora 35
+- 8.7: ✅ Fedora 35
-- 8.8: Alpine 3.15, Fedora 36, Fedora 37
+- 8.8: ✅ Alpine 3.15, ✅ Fedora 36, ✅ Fedora 37
-- 8.9: Ubuntu 22.04 "jammy"
+- 8.9: ✅ Ubuntu 22.04 "jammy"
-- 9.0: Alpine 3.16, Ubuntu 22.10 "kinetic"
+- 9.0: ✅ Alpine 3.16, ✅ Fedora 38, ✅ Ubuntu 22.10 "kinetic", ✅ Ubuntu 23.04 "lunar"
-- 9.1: Alpine 3.17
+- 9.1: ✅ Alpine 3.17
-- 9.2: Archlinux, Voidlinux, (Debian 12 "bookworm")
+- 9.2: ✅ Debian 12 "bookworm"
+- 9.3: ✅ Alpine 3.18, ✅ Fedora 39, ✅ Ubuntu 23.10 "mantic"
+- 9.4:
+- 9.5: 
+- 9.6: ✅ Alpine 3.19, Fedora 40, Ubuntu 24.04 "noble"
+- 9.7: ✅ Alpine 3.20
+- 9.8: Archlinux, ✅ Voidlinux
 
 License
 -------

defaults/main.yml

@@ -12,6 +12,8 @@ ssh_hardening_hostkeys_all:
 ssh_hardening_moduli: /etc/ssh/moduli
 ssh_hardening_moduli_backup: /etc/ssh/moduli.not-hardened
 
+ssh_hardening_root_group: root
+
 ssh_hardening_service_name: sshd
 
 ssh_hardening_sshd_config: /etc/ssh/sshd_config

tasks/main.yml

@@ -2,11 +2,11 @@
 - name: Set some variables
   set_fact:
     ssh_hardening_backup_suffix: "42.{{ ansible_date_time.date }}@{{ ansible_date_time.time }}~"
-    ssh_hardening_distri: "{{ (ansible_distribution|lower).split(' ')[0] }}-{{ ansible_distribution_major_version }}"
+    ssh_hardening_distri: "{{ (ansible_distribution|lower).split(' ')[0] }}-{{ ansible_distribution_major_version|default(ansible_distribution_version) }}"
 
 
 - name: Get SSH version number
-  shell: 'ssh -V 2>&1 | grep -o "OpenSSH_[0-9]\+\.[0-9]" | grep -o "[0-9]\+\.[0-9]"'
+  shell: 'ssh -V 2>&1 | grep -Eo "OpenSSH_[0-9]+\.[0-9]+" | grep -Eo "[0-9]+\.[0-9]+"'
   changed_when: False
   register: ssh_hardening_version
 
@@ -39,7 +39,7 @@
     dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}"
     remote_src: yes
     owner: root
-    group: root
+    group: "{{ ssh_hardening_root_group }}"
     mode: 0600
 
 ####################
@@ -62,6 +62,13 @@
   notify: Restart SSH
 
 
+- name: "Ensure ED25519 hostkey is available"
+  openssh_keypair:
+    path: /etc/ssh/ssh_host_ed25519_key
+    type: ed25519
+  when: '"ed25519" in ssh_hardening_hostkeys'
+
+
 - name: "Renew RSA hostkeys if too short"
   openssh_keypair:
     path: /etc/ssh/ssh_host_rsa_key

tasks/moduli.yml

@@ -11,13 +11,13 @@
 
 
 - name: 'Moduli: Check for small Diffie-Hellman moduli'
-  shell: "grep -c ' 1535 \\| 2047 ' /etc/ssh/moduli || true"
+  shell: "grep -Ec ' 1535 | 2047 ' {{ ssh_hardening_moduli }} || true"
   changed_when: False
   register: ssh_hardening_moduli_small
 
 
 - name: 'Moduli: Remove small Diffie-Hellman moduli'
-  shell: "TMPF=$(mktemp) && awk '$5 >= 3071' /etc/ssh/moduli >${TMPF} && mv ${TMPF} /etc/ssh/moduli"
+  shell: "TMPF=$(mktemp) && awk '$5 >= 3071' {{ ssh_hardening_moduli }} >${TMPF} && mv ${TMPF} {{ ssh_hardening_moduli }}"
   when: ssh_hardening_moduli_small.stdout|int > 0
 
 

tasks/restrictions_configfile.yml

@@ -1,6 +1,6 @@
 ---
 - name: Check for Include directory
-  shell: "awk '/Include/ { print $2; }' /etc/ssh/sshd_config"
+  shell: "awk '/^[^#]*Include/ { print $2; }' /etc/ssh/sshd_config"
   changed_when: False
   register: ssh_hardening_includedir
 

vars/os_freebsd.yml

@@ -0,0 +1,3 @@
+---
+ssh_hardening_root_group: wheel
+

vars/os_netbsd.yml

@@ -0,0 +1,6 @@
+---
+ssh_hardening_root_group: wheel
+
+ssh_hardening_moduli: /etc/moduli
+ssh_hardening_moduli_backup: /etc/moduli.not-hardened
+

vars/os_openbsd.yml

@@ -0,0 +1,6 @@
+---
+ssh_hardening_root_group: wheel
+
+ssh_hardening_moduli: /etc/moduli
+ssh_hardening_moduli_backup: /etc/moduli.not-hardened
+

vars/ssh_6.7.yml

@@ -0,0 +1 @@
+ssh_6.6.yml