ssh-hardening/README.md
2023-11-15 21:01:41 +01:00

ssh-hardening
=============

Ansible role for SSH server hardening, based on https://www.sshaudit.com and more.

Requirements
------------
- OpenSSH version 6.5 or later

Role Variables
--------------
Defaults:
- `ssh_hardening_hostkeys`: `rsa`, `ed25519`
- `ssh_hardening_hostkeys_all`: `dsa`, `ecdsa`, `rsa`, `ed25519`
- `ssh_hardening_moduli`: `/etc/ssh/moduli`
- `ssh_hardening_moduli_backup`: `/etc/ssh/moduli.not-hardened`
- `ssh_hardening_service_name`: `sshd`
- `ssh_hardening_sshd_config`: `/etc/ssh/sshd_config`

Included via `vars/ssh_*`:
- `ssh_hardening_opts`: parameters and values to set for the specific SSH version

Included via `vars/os_*`:
- `ssh_hardening_service_name`

Command line variables (undefined by default):
- `ssh_hardening_force`: version/id of the `vars/ssh_*` file to include; overrides the detected version!

Dependencies
------------
- None

Example Playbook
----------------
```yaml
- hosts: servers
  roles:
    - { role: ssh-hardening }
```
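
The `ssh_hardening_moduli` and `ssh_hardening_moduli_backup` defaults above point at a moduli rewrite step that this README does not describe. As an added example that is not the role's own code, here is a POSIX shell check that follows the sshaudit.com advice the role cites: back the file up to `moduli.not-hardened`, then keep only Diffie-Hellman groups of 3072 bits or more. That the role filters exactly this way is an assumption.

```shell
#!/bin/sh
# Added example, not part of the ssh-hardening role: back up an OpenSSH
# moduli file and drop the Diffie-Hellman groups below 3072 bits that
# sshaudit.com flags. ASSUMPTION: the role's moduli step does the same
# (this README only names the file and backup paths). Per moduli(5), the
# 5th field is the modulus size in bits minus one: 2047 = 2048-bit group,
# 3071 = 3072-bit group.

MIN_SIZE=3071   # keep 3072-bit and larger groups only

# count_weak_groups FILE: print how many groups in FILE are below MIN_SIZE.
count_weak_groups() {
    awk -v min="$MIN_SIZE" \
        '!/^#/ && NF >= 7 && $5 < min { n++ } END { print n + 0 }' "$1"
}

# harden_moduli FILE BACKUP: copy FILE to BACKUP once (a later run must not
# overwrite the backup with an already-filtered file), then rewrite FILE
# from BACKUP keeping comments and strong groups. Fails rather than leave
# sshd with an empty moduli file.
harden_moduli() {
    file="$1"; backup="$2"
    [ -f "$backup" ] || cp -p "$file" "$backup"
    tmp=$(mktemp) || return 1
    awk -v min="$MIN_SIZE" '/^#/ || (NF >= 7 && $5 >= min)' "$backup" > "$tmp"
    if ! grep -q -v '^#' "$tmp"; then
        echo "harden_moduli: no groups >= $((MIN_SIZE + 1)) bits in $backup, leaving $file untouched" >&2
        rm -f "$tmp"; return 1
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"   # keeps FILE's owner and mode
}

# Constructed sample with short fake hex moduli (real entries are ~1 KiB).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/moduli"
cat > "$demo_file" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20231115000000 2 6 100 2047 2 C0FFEE0001
20231115000000 2 6 100 3071 2 C0FFEE0002
20231115000000 2 6 100 4095 5 C0FFEE0003
EOF

echo "weak groups before: $(count_weak_groups "$demo_file")"   # 1
harden_moduli "$demo_file" "$demo_file.not-hardened"
echo "weak groups after:  $(count_weak_groups "$demo_file")"   # 0
```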
SSH versions
------------
- 6.0: [_] Debian 7 "wheezy"
- 6.5: (support for `curve25519-sha256@libssh.org`, `ssh-ed25519`, `chacha20-poly1305@openssh.com`)
- 6.6: Ubuntu 14.04 "trusty"
- 6.7: [_] Debian 8 "jessie"
- 7.0:
- 7.1:
- 7.2: Ubuntu 16.04 "xenial"
- 7.4: Debian 9 "stretch", RedHat 7 - (added `curve25519-sha256`)
- 7.6: Ubuntu 18.04 "bionic"
- 7.7:
- 7.8:
- 7.9: Debian 10 "buster"
- 8.0: RedHat 8
- 8.1: Suse 15.2
- 8.2: Ubuntu 20.04 "focal"
- 8.3:
- 8.4: Alpine 3.13, Debian 11 "bullseye", Fedora 33, OpenSUSE 15.3/15.4
- 8.5: (added `sntrup761x25519-sha512@openssh.com`)
- 8.6: Alpine 3.14, Fedora 34
- 8.7: Fedora 35
- 8.8: Alpine 3.15, Fedora 36, Fedora 37
- 8.9: Ubuntu 22.04 "jammy"
- 9.0: Alpine 3.16, Ubuntu 22.10 "kinetic", Ubuntu 23.04 "lunar"
- 9.1: Alpine 3.17
- 9.2: Debian 12 "bookworm"
- 9.3: Alpine 3.18, Ubuntu 23.10 "mantic"
- 9.4: Arch Linux, Void Linux

License
-------
AGPL-3.0-or-later

Author Information
------------------
- Sven Velt <sven-ansiblerole@velt.biz>
- https://git.velt.biz/