6f39d8db09
Old sshd does not know about "-V" but prints its help text instead - including the SSH version number (without pX). This works because stderr is redirected to stdout and the version string in that output looks familiar to the grep expressions :) % sshd -V unknown option -- V OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
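---
# Variables shared by the tasks below.
- name: Set some variables
  set_fact:
    # Suffix appended to the backup copy of sshd_config (date/time stamped).
    ssh_hardening_backup_suffix: "42.{{ ansible_date_time.date }}@{{ ansible_date_time.time }}~"
    # First word of the distribution name plus its major version, used to pick an os_*.yml vars file.
    ssh_hardening_distri: "{{ (ansible_distribution|lower).split(' ')[0] }}-{{ ansible_distribution_major_version|default(ansible_distribution_version) }}"

# Older sshd builds reject "-V" but print a usage text that still contains the
# "OpenSSH_x.y" string on stderr, hence the 2>&1 before the grep pipeline.
# The second grep strips the "OpenSSH_" prefix and the "pX" patch suffix.
- name: Get SSH version number
  shell: 'sshd -V 2>&1 | grep -Eo "OpenSSH_[0-9]+\.[0-9]+" | grep -Eo "[0-9]+\.[0-9]+"'
  changed_when: false
  register: ssh_hardening_version

# ssh_hardening_force bypasses the version detection and loads a named vars file.
- name: Read forced config file
  include_vars: "ssh_{{ ssh_hardening_force }}.yml"
  when: ssh_hardening_force is defined

- name: Read SSH version config file
  include_vars: "{{ item }}"
  with_first_found:
    - "ssh_{{ ssh_hardening_version.stdout_lines.0 }}.yml"
    - "ssh_default.yml"
  when: ssh_hardening_force is not defined

# Most specific match first: distri-major, distribution, OS family, default.
- name: Read distribution specific variables
  include_vars: "{{ item }}"
  with_first_found:
    - "os_{{ ssh_hardening_distri }}.yml"
    - "os_{{ (ansible_distribution|lower).split(' ')[0] }}.yml"
    - "os_{{ (ansible_os_family|lower).split(' ')[0] }}.yml"
    - "os_default.yml"

- name: Backup sshd_config
  copy:
    src: "{{ ssh_hardening_sshd_config }}"
    dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}"
    remote_src: true
    owner: root
    group: "{{ ssh_hardening_root_group }}"
    # Quoted so the octal mode is passed as a string and not re-typed by the YAML parser.
    mode: "0600"

####################

# Every key type listed in ssh_hardening_hostkeys_all but not in
# ssh_hardening_hostkeys gets its HostKey line removed (commented or not).
- name: "Hostkeys: Disable (EC)DSA (and maybe RSA)"
  lineinfile:
    dest: "{{ ssh_hardening_sshd_config }}"
    # regex_escape keeps the key-type name from being interpreted as a regex.
    regexp: '(?i)\s*#*\s*hostkey.*{{ item | regex_escape }}_key'
    state: absent
  loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}"
  notify: Restart SSH

- name: "Hostkeys: Enable (RSA &) ED25519"
  lineinfile:
    dest: "{{ ssh_hardening_sshd_config }}"
    regexp: '(?i)\s*#*\s*hostkey.*{{ item | regex_escape }}_key'
    line: 'HostKey /etc/ssh/ssh_host_{{ item }}_key'
  loop: '{{ ssh_hardening_hostkeys }}'
  notify: Restart SSH

- name: "Ensure ED25519 hostkey is available"
  openssh_keypair:
    path: /etc/ssh/ssh_host_ed25519_key
    type: ed25519
  when: '"ed25519" in ssh_hardening_hostkeys'

# openssh_keypair regenerates the key when the existing one does not match the requested size.
- name: "Renew RSA hostkeys if too short"
  openssh_keypair:
    path: /etc/ssh/ssh_host_rsa_key
    type: rsa
    size: 4096
  when: '"rsa" in ssh_hardening_hostkeys'

####################

- name: "INCLUDE: Remove small Diffie-Hellman moduli"
  include_tasks: moduli.yml

####################

- name: "Check for SSH include directory"
  stat:
    path: /etc/ssh/sshd_config.d
  register: ssh_hardening_sshd_include_dir

#- name: "SSH include directory exists"
#  find:
#    path: /etc/ssh/sshd_config.d
#    pattern: "*.conf"
#  register: ssh_hardening_sshd_include_files

- name: "Check for crypto-policy file"
  stat:
    path: /etc/crypto-policies/back-ends/opensshserver.config
  register: ssh_hardening_policy_file

# Only runs when a crypto-policy back-end file exists; the registered results
# are guarded with "is defined" by the include tasks further down.
- name: "BLOCK: what to do with crypto policy file"
  when: ssh_hardening_policy_file.stat.exists
  block:
    - name: "Get systemd service file location"
      service:
        name: "{{ ssh_hardening_service_name }}"
      register: ssh_hardening_systemd_file

    # The unit file path comes from systemd; quote it so it is passed as a single shell word.
    - name: "Check for USED crypto-policies variable"
      command: "awk '/CRYPTO_POLICY/{print}' {{ ssh_hardening_systemd_file.status.FragmentPath | quote }}"
      changed_when: false
      register: ssh_hardening_policy_var
      # stdout == "" → SSH config is placed inside the crypto policy
      # stdout != "" → variables are placed inside the crypto policy

    # Not on SUSE Tumbleweed!
    - name: "(policy file) Move original link"
      command: mv /etc/crypto-policies/back-ends/opensshserver.config /etc/crypto-policies/back-ends/opensshserver.config.not-hardened
      args:
        creates: /etc/crypto-policies/back-ends/opensshserver.config.not-hardened
      when: ssh_hardening_policy_file.stat.islnk

- name: "The (RedHat-8) crypto policy variable way..."
  include_tasks: restrictions_crypto_policy.yml
  when: ssh_hardening_policy_var.stdout is defined and ssh_hardening_policy_var.stdout|length > 0

- name: "The (RedHat-X) crypto policy include way..."
  include_tasks: restrictions_crypto_policy_include.yml
  when: ssh_hardening_policy_var.stdout is defined and ssh_hardening_policy_var.stdout|length == 0 and ssh_hardening_policy_file.stat.exists

- name: "The standard config way..."
  include_tasks: restrictions_configfile.yml
  when: not ssh_hardening_policy_file.stat.exists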