From f5ba9a3bca86a61da62833b92c2a9a7ae36fcd02 Mon Sep 17 00:00:00 2001 From: Adar Nimrod <nimrod@shore.co.il> Date: Fri, 12 Mar 2021 21:24:41 +0200 Subject: [PATCH] SSH security. - Single configuration for the OpenSSH daemon (both on Debian and OpenBSD systems). - The ssh-rsa signature scheme is being deprected (see the OpenSSH 8.5 release notes for more details). Remove it everywhere. --- roles/debian_server/handlers/main.yml | 5 +++++ roles/debian_server/tasks/main.yml | 18 +++++----------- roles/router/tasks/main.yaml | 17 +++------------ tasks/sshd_config.yaml | 31 +++++++++++++++++++++++++++ 4 files changed, 44 insertions(+), 27 deletions(-) create mode 100644 tasks/sshd_config.yaml diff --git a/roles/debian_server/handlers/main.yml b/roles/debian_server/handlers/main.yml index a643629..b768334 100644 --- a/roles/debian_server/handlers/main.yml +++ b/roles/debian_server/handlers/main.yml @@ -10,3 +10,8 @@ - name: Update GRUB command: cmd: update-grub + +- name: Restart the SSH daemon + service: + name: ssh + state: restarted diff --git a/roles/debian_server/tasks/main.yml b/roles/debian_server/tasks/main.yml index ece8e1b..0a4df56 100644 --- a/roles/debian_server/tasks/main.yml +++ b/roles/debian_server/tasks/main.yml @@ -106,19 +106,11 @@ state: present value: "640000" -- name: Secure SSH - with_dict: - PermitRootLogin: !!str no - PasswordAuthentication: !!str no - lineinfile: - backup: true - line: |- - {{ item.key }} {{ item.value }} - path: /etc/ssh/sshd_config - regexp: |- - {{ item.key }} - state: present - validate: sshd -Tf %s +- name: Configure the SSH daemon + include_tasks: + file: '{{ playbook_dir }}/tasks/sshd_config.yaml' + tags: + - always - name: Make /tmp a tmpfs mount ansible.posix.mount: diff --git a/roles/router/tasks/main.yaml b/roles/router/tasks/main.yaml index da3f517..52c5e20 100644 --- a/roles/router/tasks/main.yaml +++ b/roles/router/tasks/main.yaml 
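Review bot: The include path `file: '{{ playbook_dir }}/tasks/sshd_config.yaml'` in roles/debian_server/tasks/main.yml ties the role to the directory layout of whichever playbook happens to run it, and the same include is used in roles/router/tasks/main.yaml in the next hunk. Because `include_tasks` is resolved at run time, a playbook kept elsewhere only discovers the missing file when the task executes on the host, not at parse time. A role-relative reference such as `file: '{{ role_path }}/../../tasks/sshd_config.yaml'`, or moving the shared file into a small role both roles depend on, keeps that coupling explicit and checkable. The `tags: - always` on the include is the right pattern here, since the included task carries its own `ssh` tag and is still skipped by a tag filter that does not name it.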
@@ -479,21 +479,10 @@ - syspatch - name: Configure the SSH daemon - with_dict: - PermitRootLogin: 'no' - PasswordAuthentication: 'no' - KexAlgorithms: '-diffie-hellman-group14-sha1' - # yamllint disable-line rule:line-length - MACs: '-hmac-sha1,umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com' - lineinfile: - line: '{{ item.key }} {{ item.value }}' - path: /etc/ssh/sshd_config - regexp: '{{ item.key }}' - validate: sshd -Tf %s - notify: - - Restart the SSH daemon + include_tasks: + file: '{{ playbook_dir }}/tasks/sshd_config.yaml' tags: - - ssh + - always # yamllint disable-line rule:line-length - name: Configure the daily Cron job (skip email if there's nothing to report, report on pending system patches). diff --git a/tasks/sshd_config.yaml b/tasks/sshd_config.yaml new file mode 100644 index 0000000..c0435d0 --- /dev/null +++ b/tasks/sshd_config.yaml @@ -0,0 +1,31 @@ +--- +- name: Configure the SSH daemon + with_dict: + CASignatureAlgorithms: >- + -ssh-rsa + HostbasedAcceptedKeyTypes: >- + -ssh-rsa + HostKeyAlgorithms: >- + -ssh-rsa + KexAlgorithms: >- + -diffie-hellman-group14-sha1 + MACs: >- + -hmac-sha1, + umac-64-etm@openssh.com, + hmac-sha1-etm@openssh.com, + umac-64@openssh.com + PermitRootLogin: !!str no + PasswordAuthentication: !!str no + PubkeyAcceptedKeyTypes: >- + -ssh-rsa, + ssh-rsa-cert-v01@openssh.com + lineinfile: + backup: true + line: '{{ item.key }} {{ item.value|replace(" ", "") }}' + path: /etc/ssh/sshd_config + regexp: '{{ item.key }}' + validate: sshd -Tf %s + notify: + - Restart the SSH daemon + tags: + - ssh -- GitLab
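Review bot: `regexp: '{{ item.key }}'` in the new tasks/sshd_config.yaml is unanchored and lineinfile rewrites the last matching line, so on a host whose sshd_config already carries a `Match` block that sets, say, `PermitRootLogin` or `PasswordAuthentication`, the line inside the block is replaced and the global default is left untouched. A key with no match at all is appended at EOF, which on such a host lands inside the trailing `Match` block; KexAlgorithms, MACs and HostKeyAlgorithms are not accepted there, so `sshd -Tf %s` rejects the file and the task fails. Anchoring and inserting at the top, `regexp: '^#?\s*{{ item.key }}\b'` plus `insertbefore: BOF`, fixes the no-match case; the last-match behaviour on files with Match blocks is inherent to lineinfile, so a templated sshd_config or an `Include` drop-in would be the more robust route. The folded `>-` values are only valid comma-separated lists because of `replace(" ", "")` in `line`, so a comment above `with_dict`, such as `# values are folded for line length; the replace() filter in line strips the fold spaces`, would stop a later edit from dropping the filter. Removing `ssh-rsa` from PubkeyAcceptedKeyTypes also locks out any client that cannot sign with rsa-sha2-256/512, including the Ansible control node itself if its SSH client predates that support, which is worth confirming before this rolls out.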