ssh-hardening ========= SSH server hardening, based on https://www.sshaudit.com & more Requirements ------------ - OpenSSH versions 6.5+ Role Variables -------------- Defaults: - `ssh_hardening_hostkeys`: `rsa`, `ed25519` - `ssh_hardening_hostkeys_all`: `dsa`, `ecdsa`, `rsa`, `ed25519` - `ssh_hardening_moduli`: `/etc/ssh/moduli` - `ssh_hardening_moduli_backup`: `/etc/ssh/moduli.not-hardened` - `ssh_hardening_service_name`: `sshd` - `ssh_hardening_sshd_config`: `/etc/ssh/sshd_config` Included via `vars/ssh_*`: - `ssh_hardening_opts`: Parameter/Values to set for specific SSH version Included via `vars/os_*`: - `ssh_hardening_service_name` Command line variables (undefined): - `ssh_hardening_force`: version/id to include, overwrites detected version! Dependencies ------------ - None Example Playbook ---------------- - hosts: servers roles: - { role: ssh-hardening } SSH versions ------------ - 6.0: [_] Debian 7 "wheezy" - 6.5: (support for `curve25519-sha256@libssh.org`, `ssh-ed25519`, `chacha20-poly1305@openssh.com`) - 6.6: Ubuntu 14.04 "trusty" - 6.7: [_] Debian 8 "jessie" - 7.0: - 7.1: - 7.2: Ubuntu 16.04 "xenial" - 7.4: Debian 9 "stretch", RedHat 7 - (added `curve25519-sha256`) - 7.6: Ubuntu 18.04 "bionic" - 7.7: - 7.8: - 7.9: Debian 10 "buster" - 8.0: RedHat 8 - 8.1: Suse 15.2 - 8.2: Ubuntu 20.04 "focal" - 8.3: - 8.4: Alpine 3.13, Debian 11 "bullseye", Fedora 33, OpenSUSE 15.3/15.4 - 8.5: (added `sntrup761x25519-sha512@openssh.com`) - 8.6: Alpine 3.14, Fedora 34 - 8.7: Fedora 35 - 8.8: Alpine 3.15, Fedora 36, Fedora 37 - 8.9: Ubuntu 22.04 "jammy" - 9.0: Alpine 3.16, Fedora 38, Ubuntu 22.10 "kinetic", Ubuntu 23.04 "lunar" - 9.1: Alpine 3.17 - 9.2: Debian 12 "bookworm" - 9.3: Alpine 3.18, Fedora 39, Ubuntu 23.10 "mantic" - 9.4: - 9.5: Archlinux, Voidlinux License ------- AGPL3.0-or-later Author Information ------------------ - Sven Velt - https://git.velt.biz/