README.md

@@ -1,36 +1,17 @@
 ssh-hardening
 =========
 
-SSH server hardening, based on https://www.sshaudit.com & more
+SSH hardening, based on https://www.sshaudit.com & more
 
 Requirements
 ------------
 
-- OpenSSH versions 6.5+
+- tbd
 
 Role Variables
 --------------
 
-Defaults:
+- tbd
-- `ssh_hardening_hostkeys`: `rsa`, `ed25519`
-- `ssh_hardening_hostkeys_all`: `dsa`, `ecdsa`, `rsa`, `ed25519`
-- `ssh_hardening_moduli`: `/etc/ssh/moduli`
-- `ssh_hardening_moduli_backup`: `/etc/ssh/moduli.not-hardened`
-- `ssh_hardening_root_group`: `root`
-- `ssh_hardening_service_name`: `sshd`
-- `ssh_hardening_sshd_config`: `/etc/ssh/sshd_config`
-
-Included via `vars/ssh_*`:
-- `ssh_hardening_opts`: Parameter/Values to set for specific SSH version
-
-Included via `vars/os_*`:
-- `ssh_hardening_moduli`
-- `ssh_hardening_moduli_backup`
-- `ssh_hardening_service_name`
-- `ssh_hardening_root_group`
-
-Command line variables (undefined):
-- `ssh_hardening_force`: version/id to include, overwrites detected version!
 
 Dependencies
 ------------
@@ -47,36 +28,26 @@ Example Playbook
 SSH versions
 ------------
 - 6.0: [_] Debian 7 "wheezy"
-- 6.5: (support for `curve25519-sha256@libssh.org`, `ssh-ed25519`, `chacha20-poly1305@openssh.com`)
+- 6.5: - (support for `curve25519-sha256@libssh.org`, `ssh-ed25519`, `chacha20-poly1305@openssh.com`)
-- 6.6: ✅ Ubuntu 14.04 "trusty"
+- 6.6: Ubuntu 14.04 "trusty"
-- 6.7: ✅ Debian 8 "jessie"
+- 6.7: [_] Debian 8 "jessie"
 - 7.0:
 - 7.1:
-- 7.2: ✅ Ubuntu 16.04 "xenial"
+- 7.2: Ubuntu 16.04 "xenial"
-- 7.4: ✅ Debian 9 "stretch", ✅ RedHat 7 - (added `curve25519-sha256`)
+- 7.4: Debian 9 "stretch", RedHat 7 - (added `curve25519-sha256`)
-- 7.6: ✅ Ubuntu 18.04 "bionic"
+- 7.6: Ubuntu 18.04 "bionic"
 - 7.7:
 - 7.8:
-- 7.9: ✅ Debian 10 "buster"
+- 7.9: Debian 10 "buster"
-- 8.0: ✅ RedHat 8
+- 8.0: RedHat 8
-- 8.1: ✅ Suse 15.2
+- 8.1: Suse 15.2
-- 8.2: ✅ Ubuntu 20.04 "focal"
+- 8.2: Ubuntu 20.04 "focal"
 - 8.3:
-- 8.4: ✅ Alpine 3.13, ✅ Debian 11 "bullseye", ✅ Fedora 33, ✅ OpenSUSE 15.3/15.4
+- 8.4: Debian 11 "bullseye", Fedora 33, Suse 15.3
-- 8.5: (added `sntrup761x25519-sha512@openssh.com`)
+- 8.5:
-- 8.6: ✅ Alpine 3.14, ✅ Fedora 34
+- 8.6: Fedora 34
-- 8.7: ✅ Fedora 35
+- 8.7: Fedora 35
-- 8.8: ✅ Alpine 3.15, ✅ Fedora 36, ✅ Fedora 37
+- 8.8: Archlinux, Voidlinux
-- 8.9: ✅ Ubuntu 22.04 "jammy"
-- 9.0: ✅ Alpine 3.16, ✅ Fedora 38, ✅ Ubuntu 22.10 "kinetic", ✅ Ubuntu 23.04 "lunar"
-- 9.1: ✅ Alpine 3.17
-- 9.2: ✅ Debian 12 "bookworm"
-- 9.3: ✅ Alpine 3.18, ✅ Fedora 39, ✅ Ubuntu 23.10 "mantic"
-- 9.4:
-- 9.5: 
-- 9.6: ✅ Alpine 3.19, Fedora 40, Ubuntu 24.04 "noble"
-- 9.7: ✅ Alpine 3.20
-- 9.8: Archlinux, ✅ Voidlinux
 
 License
 -------

defaults/main.yml

@@ -12,9 +12,5 @@ ssh_hardening_hostkeys_all:
 ssh_hardening_moduli: /etc/ssh/moduli
 ssh_hardening_moduli_backup: /etc/ssh/moduli.not-hardened
 
-ssh_hardening_root_group: root
-
-ssh_hardening_service_name: sshd
-
 ssh_hardening_sshd_config: /etc/ssh/sshd_config
 

handlers/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Restart SSH
   service:
-    name: "{{ ssh_hardening_service_name }}"
+    name: "{{ ssh_hardening_service_name|default('sshd') }}"
     state: restarted
 
 

meta/main.yml

@@ -1,4 +1,3 @@
----
 galaxy_info:
   author: Sven Velt
   description: SSH hardening
@@ -7,7 +6,6 @@ galaxy_info:
   license: AGPL-3.0-or-later
   min_ansible_version: 2.1
   platforms:
-    - name: Alpine
     - name: Debian
       versions:
         - stretch

tasks/main.yml

@@ -2,34 +2,25 @@
 - name: Set some variables
   set_fact:
     ssh_hardening_backup_suffix: "42.{{ ansible_date_time.date }}@{{ ansible_date_time.time }}~"
-    ssh_hardening_distri: "{{ (ansible_distribution|lower).split(' ')[0] }}-{{ ansible_distribution_major_version|default(ansible_distribution_version) }}"
+    ssh_hardening_distri: "{{ (ansible_distribution|lower).split(' ')[0] }}"
 
 
 - name: Get SSH version number
-  shell: 'sshd -V 2>&1 | grep -Eo "OpenSSH_[0-9]+\.[0-9]+" | grep -Eo "[0-9]+\.[0-9]+"'
+  shell: 'ssh -V 2>&1 | grep -o "OpenSSH_[0-9]\+\.[0-9]" | grep -o "[0-9]\+\.[0-9]"'
   changed_when: False
   register: ssh_hardening_version
 
 
-- name: Read forced config file
-  include_vars: "ssh_{{ ssh_hardening_force }}.yml"
-  when: ssh_hardening_force is defined
-
-
 - name: Read SSH version config file
-  include_vars: "{{ item }}"
+  include_vars: "ssh_{{ ssh_hardening_version.stdout_lines.0 }}.yml"
-  with_first_found:
-      - "ssh_{{ ssh_hardening_version.stdout_lines.0 }}.yml"
-      - "ssh_default.yml"
-  when: ssh_hardening_force is not defined
 
 
 - name: Read distribution specific variables
   include_vars: "{{ item }}"
   with_first_found:
     - "os_{{ ssh_hardening_distri }}.yml"
-    - "os_{{ (ansible_distribution|lower).split(' ')[0] }}.yml"
+    - "os_{{ ansible_distribution_family }}.yml"
-    - "os_{{ (ansible_os_family|lower).split(' ')[0] }}.yml"
+    - "os_{{ ansible_os_family }}.yml"
     - "os_default.yml"
 
 
@@ -39,17 +30,19 @@
     dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}"
     remote_src: yes
     owner: root
-    group: "{{ ssh_hardening_root_group }}"
+    group: root
     mode: 0600
 
 ####################
 
-- name: "Hostkeys: Disable (EC)DSA (and maybe RSA)"
+- name: "Hostkeys: Disable (EC)DSA"
   lineinfile:
     dest: "{{ ssh_hardening_sshd_config }}"
     regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
     state: absent
-  loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}"
+  loop:
+    - dsa
+    - ecdsa
   notify: Restart SSH
 
 
@@ -61,21 +54,6 @@
   loop: '{{ ssh_hardening_hostkeys }}'
   notify: Restart SSH
 
-
-- name: "Ensure ED25519 hostkey is available"
-  openssh_keypair:
-    path: /etc/ssh/ssh_host_ed25519_key
-    type: ed25519
-  when: '"ed25519" in ssh_hardening_hostkeys'
-
-
-- name: "Renew RSA hostkeys if too short"
-  openssh_keypair:
-    path: /etc/ssh/ssh_host_rsa_key
-    type: rsa
-    size: 4096
-  when: '"rsa" in ssh_hardening_hostkeys'
-
 ####################
 
 - name: "INCLUDE: Remove small Diffie-Hellman moduli"
@@ -83,62 +61,18 @@
 
 ####################
 
-- name: "Check for SSH include directory"
+- name: "Check for crypto-policies"
-  stat:
-    path: /etc/ssh/sshd_config.d
-  register: ssh_hardening_sshd_include_dir
-
-
-#- name: "SSH include directory exists"
-#  find:
-#    path: /etc/ssh/sshd_config.d
-#    pattern: "*.conf"
-#  register: ssh_hardening_sshd_include_files
-
-
-- name: "Check for crypto-policy file"
   stat:
     path: /etc/crypto-policies/back-ends/opensshserver.config
-  register: ssh_hardening_policy_file
+  register: ssh_hardening_use_policies
 
 
-- name: "BLOCK: what to do with crypto policy file"
+- name: "The (RedHat) crypto policy way..."
-  when: ssh_hardening_policy_file.stat.exists
-  block:
-
-    - name: "Get systemd service file location"
-      service:
-        name: "{{ ssh_hardening_service_name }}"
-      register: ssh_hardening_systemd_file
-
-    - name: "Check for USED crypto-policies variable"
-      command: "awk '/CRYPTO_POLICY/{print}' {{ ssh_hardening_systemd_file.status.FragmentPath }}"
-      changed_when: False
-      register: ssh_hardening_policy_var
-        # stdout == "" → SSH-Cfg in CP
-        # stdout != "" → Variablen in CP
-
-
-    # Nicht bei SUSE Tumbleweed!
-    - name: "(policy file) Move original link"
-      command: mv /etc/crypto-policies/back-ends/opensshserver.config /etc/crypto-policies/back-ends/opensshserver.config.not-hardened
-      args:
-        creates: /etc/crypto-policies/back-ends/opensshserver.config.not-hardened
-      when: ssh_hardening_policy_file.stat.islnk
-
-
-- name: "The (RedHat-8) crypto policy variable way..."
   include_tasks: restrictions_crypto_policy.yml
-  when: ssh_hardening_policy_var.stdout is defined and ssh_hardening_policy_var.stdout|length > 0
+  when: ssh_hardening_use_policies.stat.exists
-
-
-- name: "The (RedHat-X) crypto policy include way..."
-  include_tasks: restrictions_crypto_policy_include.yml
-  when: ssh_hardening_policy_var.stdout is defined and ssh_hardening_policy_var.stdout|length == 0 and ssh_hardening_policy_file.stat.exists
 
 
 - name: "The standard config way..."
   include_tasks: restrictions_configfile.yml
-  when: not ssh_hardening_policy_file.stat.exists
+  when: not ssh_hardening_use_policies.stat.exists
-
 

tasks/moduli.yml

@@ -11,13 +11,13 @@
 
 
 - name: 'Moduli: Check for small Diffie-Hellman moduli'
-  shell: "grep -Ec ' 1535 | 2047 ' {{ ssh_hardening_moduli }} || true"
+  shell: "grep -c ' 1535 \\| 2047 ' /etc/ssh/moduli || true"
   changed_when: False
   register: ssh_hardening_moduli_small
 
 
 - name: 'Moduli: Remove small Diffie-Hellman moduli'
-  shell: "TMPF=$(mktemp) && awk '$5 >= 3071' {{ ssh_hardening_moduli }} >${TMPF} && mv ${TMPF} {{ ssh_hardening_moduli }}"
+  shell: "TMPF=$(mktemp) && awk '$5 >= 3071' /etc/ssh/moduli >${TMPF} && mv ${TMPF} /etc/ssh/moduli"
   when: ssh_hardening_moduli_small.stdout|int > 0
 
 

tasks/restrictions_configfile.yml

@@ -1,6 +1,6 @@
 ---
 - name: Check for Include directory
-  shell: "awk '/^[^#]*Include/ { print $2; }' /etc/ssh/sshd_config"
+  shell: "awk '/Include/ { print $2; }' /etc/ssh/sshd_config"
   changed_when: False
   register: ssh_hardening_includedir
 

tasks/restrictions_crypto_policy.yml

@@ -1,12 +1,22 @@
 ---
+- name: Move original link
+  command: mv /etc/crypto-policies/back-ends/opensshserver.config /etc/crypto-policies/back-ends/opensshserver.config.not-hardened
+  args:
+    creates: /etc/crypto-policies/back-ends/opensshserver.config.not-hardened
+  when: ssh_hardening_use_policies.stat.islnk
+
+
 - name: Write new crypto policies
   template:
-    src: 'crypto-policies/opensshserver.config.j2'
+    src: '{{ item }}'
     dest: /etc/crypto-policies/back-ends/opensshserver.config
     owner: root
     group: root
     mode: 0644
     backup: yes
+  with_first_found:
+    - 'crypto-policies/opensshserver_{{ ansible_distribution|lower }}.config.j2'
+    - 'crypto-policies/opensshserver_{{ ansible_os_family|lower }}.config.j2'
   notify: Restart SSH
 
 

tasks/restrictions_crypto_policy_include.yml

@@ -1,12 +0,0 @@
----
-- name: Write restrictions to crypto-policy file
-  template:
-    src: 'sshd_config_hardening.j2'
-    dest: '/etc/crypto-policies/back-ends/opensshserver.config'
-    owner: root
-    group: root
-    mode: 0600
-    backup: yes
-  notify: Restart SSH
-
-

templates/crypto-policies/opensshserver.config.j2

@@ -1,2 +0,0 @@
-CRYPTO_POLICY='{% for key in ssh_hardening_opts %}-o{{ key }}={{ ssh_hardening_opts[key]|join(",") }} {% endfor %}'
-

templates/crypto-policies/opensshserver_fedora.config.j2

@@ -0,0 +1 @@
+../sshd_config_hardening.j2

templates/crypto-policies/opensshserver_redhat.config.j2

@@ -0,0 +1,2 @@
+CRYPTO_POLICY='-o{% for key in ssh_hardening_opts %}{{ key }}={{ ssh_hardening_opts[key]|join(",") }} {% endfor %}'
+

vars/os_freebsd.yml

@@ -1,3 +0,0 @@
----
-ssh_hardening_root_group: wheel
-

vars/os_netbsd.yml

@@ -1,6 +0,0 @@
----
-ssh_hardening_root_group: wheel
-
-ssh_hardening_moduli: /etc/moduli
-ssh_hardening_moduli_backup: /etc/moduli.not-hardened
-

vars/os_openbsd.yml

@@ -1,6 +0,0 @@
----
-ssh_hardening_root_group: wheel
-
-ssh_hardening_moduli: /etc/moduli
-ssh_hardening_moduli_backup: /etc/moduli.not-hardened
-

vars/os_ubuntu-14.yml

@@ -0,0 +1,4 @@
+---
+ssh_hardening_hostkeys:
+  - ed25519
+

vars/ssh_6.6.yml

@@ -1,9 +1,6 @@
 # 6.6: Ubuntu 14
 # 7.2: Ubuntu 16
 
-ssh_hardening_hostkeys:
-  - ed25519
-
 ssh_hardening_opts:
   KexAlgorithms:
     - curve25519-sha256@libssh.org

vars/ssh_6.7.yml

@@ -1 +0,0 @@
-ssh_6.6.yml

vars/ssh_7.4.yml

@@ -1,9 +1,6 @@
 # 7.4: Debian 9
 # 7.4: RedHat/CentOS 7
 
-ssh_hardening_hostkeys:
-  - ed25519
-
 ssh_hardening_opts:
   KexAlgorithms:
     - curve25519-sha256

vars/ssh_8.2.yml

@@ -1,5 +1,8 @@
-# 8.2: Ubuntu 20.04
+# 8.2: Ubuntu 10
 # 8.4: Debian 11 & Suse 15.3
+# 8.6: Fedora 34 (no diff in *hardened policy* to 8.4)
+# 8.7: Fedora 35 (no diff in *hardened policy* to 8.4)
+# 8.8: Arch/Void
 
 ssh_hardening_opts:
   KexAlgorithms:
@@ -24,8 +27,8 @@ ssh_hardening_opts:
     - ssh-ed25519-cert-v01@openssh.com
     - sk-ssh-ed25519@openssh.com
     - sk-ssh-ed25519-cert-v01@openssh.com
-    - rsa-sha2-512
-    - rsa-sha2-512-cert-v01@openssh.com
     - rsa-sha2-256
+    - rsa-sha2-512
     - rsa-sha2-256-cert-v01@openssh.com
+    - rsa-sha2-512-cert-v01@openssh.com
 

vars/ssh_8.3.yml

@@ -1 +1 @@
-ssh_8.2.yml
+ssh_8.4.yml

vars/ssh_8.6.yml

@@ -0,0 +1 @@
+ssh_8.2.yml

vars/ssh_8.7.yml

@@ -0,0 +1 @@
+ssh_8.2.yml

vars/ssh_8.8.yml

@@ -0,0 +1 @@
+ssh_8.2.yml

vars/ssh_default.yml

@@ -1,35 +0,0 @@
-# 8.2: Ubuntu 20.04
-# 8.4: Debian 11 & Suse 15.3
-# 8.6: Fedora 34 (no diff in *hardened policy* to 8.4)
-# 8.7: Fedora 35 (no diff in *hardened policy* to 8.4)
-# 8.9: Ubuntu 22.04
-
-ssh_hardening_opts:
-  KexAlgorithms:
-    - sntrup761x25519-sha512@openssh.com
-    - curve25519-sha256
-    - curve25519-sha256@libssh.org
-    - diffie-hellman-group16-sha512
-    - diffie-hellman-group18-sha512
-    - diffie-hellman-group-exchange-sha256
-  Ciphers:
-    - chacha20-poly1305@openssh.com
-    - aes256-gcm@openssh.com
-    - aes128-gcm@openssh.com
-    - aes256-ctr
-    - aes192-ctr
-    - aes128-ctr
-  MACs:
-    - hmac-sha2-256-etm@openssh.com
-    - hmac-sha2-512-etm@openssh.com
-    - umac-128-etm@openssh.com
-  HostKeyAlgorithms:
-    - ssh-ed25519
-    - ssh-ed25519-cert-v01@openssh.com
-    - sk-ssh-ed25519@openssh.com
-    - sk-ssh-ed25519-cert-v01@openssh.com
-    - rsa-sha2-512
-    - rsa-sha2-512-cert-v01@openssh.com
-    - rsa-sha2-256
-    - rsa-sha2-256-cert-v01@openssh.com
-

vars/ssh_stribika.yml

@@ -1,25 +0,0 @@
-
-ssh_hardening_opts:
-  KexAlgorithms:
-    - curve25519-sha256@libssh.org
-    - diffie-hellman-group-exchange-sha256
-  Ciphers:
-    - chacha20-poly1305@openssh.com
-    - aes256-gcm@openssh.com
-    - aes128-gcm@openssh.com
-    - aes256-ctr
-    - aes192-ctr
-    - aes128-ctr
-  MACs:
-    - hmac-sha2-512-etm@openssh.com
-    - hmac-sha2-256-etm@openssh.com
-    - umac-128-etm@openssh.com
-    - hmac-sha2-512
-    - hmac-sha2-256
-    - umac-128@openssh.com
-  HostKeyAlgorithms:
-    - ssh-ed25519-cert-v01@openssh.com
-    - ssh-rsa-cert-v01@openssh.com
-    - ssh-ed25519
-    - ssh-rsa
-