--- - name: Set some variables set_fact: ssh_hardening_backup_suffix: "42.{{ ansible_date_time.date }}@{{ ansible_date_time.time }}~" ssh_hardening_distri: "{{ (ansible_distribution|lower).split(' ')[0] }}-{{ ansible_distribution_major_version|default(ansible_distribution_version) }}" - name: Get SSH version number shell: 'ssh -V 2>&1 | grep -Eo "OpenSSH_[0-9]+\.[0-9]+" | grep -Eo "[0-9]+\.[0-9]+"' changed_when: False register: ssh_hardening_version - name: Read forced config file include_vars: "ssh_{{ ssh_hardening_force }}.yml" when: ssh_hardening_force is defined - name: Read SSH version config file include_vars: "{{ item }}" with_first_found: - "ssh_{{ ssh_hardening_version.stdout_lines.0 }}.yml" - "ssh_default.yml" when: ssh_hardening_force is not defined - name: Read distribution specific variables include_vars: "{{ item }}" with_first_found: - "os_{{ ssh_hardening_distri }}.yml" - "os_{{ (ansible_distribution|lower).split(' ')[0] }}.yml" - "os_{{ (ansible_os_family|lower).split(' ')[0] }}.yml" - "os_default.yml" - name: Backup sshd_config copy: src: "{{ ssh_hardening_sshd_config }}" dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}" remote_src: yes owner: root group: "{{ ssh_hardening_root_group }}" mode: 0600 #################### - name: "Hostkeys: Disable (EC)DSA (and maybe RSA)" lineinfile: dest: "{{ ssh_hardening_sshd_config }}" regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key' state: absent loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}" notify: Restart SSH - name: "Hostkeys: Enable (RSA &) ED25519" lineinfile: dest: "{{ ssh_hardening_sshd_config }}" regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key' line: 'HostKey /etc/ssh/ssh_host_{{ item }}_key' loop: '{{ ssh_hardening_hostkeys }}' notify: Restart SSH - name: "Renew RSA hostkeys if too short" openssh_keypair: path: /etc/ssh/ssh_host_rsa_key type: rsa size: 4096 when: '"rsa" in ssh_hardening_hostkeys' #################### - name: "INCLUDE: Remove small Diffie-Hellman moduli" include_tasks: moduli.yml #################### - name: "Check for SSH include directory" stat: path: /etc/ssh/sshd_config.d register: ssh_hardening_sshd_include_dir #- name: "SSH include directory exists" # find: # path: /etc/ssh/sshd_config.d # pattern: "*.conf" # register: ssh_hardening_sshd_include_files - name: "Check for crypto-policy file" stat: path: /etc/crypto-policies/back-ends/opensshserver.config register: ssh_hardening_policy_file - name: "BLOCK: what to do with crypto policy file" when: ssh_hardening_policy_file.stat.exists block: - name: "Get systemd service file location" service: name: "{{ ssh_hardening_service_name }}" register: ssh_hardening_systemd_file - name: "Check for USED crypto-policies variable" command: "awk '/CRYPTO_POLICY/{print}' {{ ssh_hardening_systemd_file.status.FragmentPath }}" changed_when: False register: ssh_hardening_policy_var # stdout == "" → SSH-Cfg in CP # stdout != "" → Variablen in CP # Nicht bei SUSE Tumbleweed! - name: "(policy file) Move original link" command: mv /etc/crypto-policies/back-ends/opensshserver.config /etc/crypto-policies/back-ends/opensshserver.config.not-hardened args: creates: /etc/crypto-policies/back-ends/opensshserver.config.not-hardened when: ssh_hardening_policy_file.stat.islnk - name: "The (RedHat-8) crypto policy variable way..." include_tasks: restrictions_crypto_policy.yml when: ssh_hardening_policy_var.stdout is defined and ssh_hardening_policy_var.stdout|length > 0 - name: "The (RedHat-X) crypto policy include way..." include_tasks: restrictions_crypto_policy_include.yml when: ssh_hardening_policy_var.stdout is defined and ssh_hardening_policy_var.stdout|length == 0 and ssh_hardening_policy_file.stat.exists - name: "The standard config way..." include_tasks: restrictions_configfile.yml when: not ssh_hardening_policy_file.stat.exists