SSH hardening, based on https://www.sshaudit.com & more

ssh-hardening

SSH server (sshd) hardening, based on the recommendations of https://www.sshaudit.com and other sources

Requirements

  • OpenSSH 6.5 or later

Role Variables

Defaults:

  • ssh_hardening_hostkeys: rsa, ed25519 (host key types to keep)
  • ssh_hardening_hostkeys_all: dsa, ecdsa, rsa, ed25519 (all host key types the role knows about)
  • ssh_hardening_moduli: /etc/ssh/moduli (Diffie-Hellman group-exchange moduli file to harden)
  • ssh_hardening_moduli_backup: /etc/ssh/moduli.not-hardened (where the unmodified moduli file is kept)
  • ssh_hardening_sshd_config: /etc/ssh/sshd_config (server configuration file to manage)
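The two file-level steps these defaults point at, written out in plain POSIX sh + awk as an added example (this is not the role's own task code). Paths and the bit floor are arguments so it can be exercised on copies; the reading of ssh_hardening_hostkeys_all as "the other types to flag for removal" is an assumption, since the README does not say how the role uses that list.

```sh
#!/bin/sh
# Added example, not part of the ssh-hardening role: the file-level steps
# that the role's default variables point at, in POSIX sh + awk.  Paths are
# arguments so it can be exercised on copies instead of /etc/ssh.

# Keep only Diffie-Hellman groups of at least $3 bits (default 3072) in a
# moduli file.  The fifth field of a moduli line is the group size, recorded
# as bits-1 (a 3072-bit group appears as 3071), hence the ">= 3071" filter
# that ssh-audit's hardening guides also use.  The unmodified file is copied
# to the backup path once; later runs re-filter from that backup, so the
# function is idempotent and the original is never lost.
harden_moduli() {
    moduli=$1
    backup=$2
    min_bits=${3:-3072}

    [ -f "$moduli" ] || { echo "no moduli file: $moduli" >&2; return 1; }
    [ -f "$backup" ] || cp -p "$moduli" "$backup" || return 1

    tmp=$(mktemp "${moduli}.XXXXXX") || return 1
    awk -v min="$((min_bits - 1))" '/^#/ || $5 >= min' "$backup" > "$tmp" || {
        rm -f "$tmp"
        return 1
    }
    # A moduli file with no groups left makes sshd fall back to its built-in
    # groups; refuse to install that instead of silently weakening the host.
    if ! grep -q '^[0-9]' "$tmp"; then
        echo "no groups of $min_bits bits or more; leaving $moduli untouched" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp" && mv "$tmp" "$moduli"
}

# Number of DH groups (non-comment lines) in a moduli file.
count_moduli() {
    grep -c '^[0-9]' "$1"
}

# Print HostKey directives for the key types to keep ($2, e.g. "rsa ed25519",
# the ssh_hardening_hostkeys default) and warn on stderr about key files of
# the other known types ($3, the ssh_hardening_hostkeys_all default) that are
# still present in $1.  Treating the "all" list as the set of types to flag
# is an assumption; the README does not say how the role uses it.
hostkey_directives() {
    keydir=$1
    keep=$2
    all=$3
    for t in $keep; do
        echo "HostKey $keydir/ssh_host_${t}_key"
    done
    for t in $all; do
        case " $keep " in *" $t "*) continue ;; esac
        if [ -f "$keydir/ssh_host_${t}_key" ]; then
            echo "unused host key present, disable it: $keydir/ssh_host_${t}_key" >&2
        fi
    done
    return 0
}
```

On a real host this is run as root against the defaults (`harden_moduli /etc/ssh/moduli /etc/ssh/moduli.not-hardened`), followed by `sshd -t` to check the configuration and a restart of sshd; the role's handlers do the restart for you.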

Set in the vars/ssh_* file selected for the detected (or forced) OpenSSH version:

  • ssh_hardening_opts: sshd_config parameters and values to apply for that OpenSSH version

Command line variables (undefined by default, pass them with -e):

  • ssh_hardening_force: version id of the vars/ssh_* file to include; overrides the detected OpenSSH version, so make sure it matches the sshd actually installed on the target

Dependencies

  • None

Example Playbook

- hosts: servers
  roles:
     - { role: ssh-hardening }

OpenSSH versions (as shipped by common distributions)

  • 6.0: [_] Debian 7 "wheezy"
  • 6.5: (no distribution listed) first version with curve25519-sha256@libssh.org, ssh-ed25519 and chacha20-poly1305@openssh.com; this is the role's minimum version
  • 6.6: Ubuntu 14.04 "trusty"
  • 6.7: [_] Debian 8 "jessie"
  • 7.0:
  • 7.1:
  • 7.2: Ubuntu 16.04 "xenial"
  • 7.4: Debian 9 "stretch", RedHat 7 (adds curve25519-sha256, the IANA name for the same key exchange as curve25519-sha256@libssh.org)
  • 7.6: Ubuntu 18.04 "bionic"
  • 7.7:
  • 7.8:
  • 7.9: Debian 10 "buster"
  • 8.0: RedHat 8
  • 8.1: Suse 15.2
  • 8.2: Ubuntu 20.04 "focal"
  • 8.3:
  • 8.4: Debian 11 "bullseye", Fedora 33, Suse 15.3
  • 8.5:
  • 8.6: Fedora 34
  • 8.7: Fedora 35
  • 8.8: Archlinux, Voidlinux
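An added example (not the role's code) that ties the ssh_hardening_force variable to this version list: a POSIX sh helper that extracts the version from an `ssh -V` banner, lets an override win the way ssh_hardening_force does, compares versions numerically, and maps a version to the curve25519 key-exchange name available at it according to the 6.5 and 7.4 notes above. The banner strings in the test are constructed examples; in real use pass "$(ssh -V 2>&1)", since ssh -V prints to stderr.

```sh
#!/bin/sh
# Added example, not the role's code: choose the OpenSSH version id that a
# vars/ssh_<id> file would be picked by (detected from `ssh -V`, unless an
# ssh_hardening_force-style override is given) and derive which curve25519
# key-exchange name the README's version notes say exists at that version.

# Extract "major.minor" from an `ssh -V` banner such as
# "OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar 2020".
# Prints nothing and returns 1 if the banner is not from OpenSSH.
openssh_version() {
    banner=$1
    v=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Version id to use: the override ($2) if non-empty, otherwise the version
# detected from the banner ($1).  Mirrors ssh_hardening_force overriding the
# detected version.
version_id() {
    banner=$1
    force=$2
    if [ -n "$force" ]; then
        printf '%s\n' "$force"
    else
        openssh_version "$banner"
    fi
}

# True when major.minor $1 is at least major.minor $2.  Components are
# compared as integers, so 8.10 >= 8.9 holds (a string compare would fail).
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# Curve25519 key-exchange name configurable at version $1, per the README's
# notes: the IANA name curve25519-sha256 from 7.4, only the @libssh.org name
# from 6.5, and nothing before that (below the role's 6.5 minimum), in which
# case the function returns 1.
curve25519_kex_for() {
    if version_ge "$1" 7.4; then
        echo curve25519-sha256
    elif version_ge "$1" 6.5; then
        echo curve25519-sha256@libssh.org
    else
        return 1
    fi
}
```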

License

AGPL-3.0-or-later

Author Information