From f5ba9a3bca86a61da62833b92c2a9a7ae36fcd02 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Fri, 12 Mar 2021 21:24:41 +0200
Subject: [PATCH] SSH security.

- Single configuration for the OpenSSH daemon (both on Debian and
  OpenBSD systems).
- The ssh-rsa signature scheme is being deprecated (see the OpenSSH 8.5
  release notes for more details). Remove it everywhere.
---
 roles/debian_server/handlers/main.yml |  5 +++++
 roles/debian_server/tasks/main.yml    | 18 +++++-----------
 roles/router/tasks/main.yaml          | 17 +++------------
 tasks/sshd_config.yaml                | 31 +++++++++++++++++++++++++++
 4 files changed, 44 insertions(+), 27 deletions(-)
 create mode 100644 tasks/sshd_config.yaml

diff --git a/roles/debian_server/handlers/main.yml b/roles/debian_server/handlers/main.yml
index a643629..b768334 100644
--- a/roles/debian_server/handlers/main.yml
+++ b/roles/debian_server/handlers/main.yml
@@ -10,3 +10,8 @@
 - name: Update GRUB
   command:
     cmd: update-grub
+
+- name: Restart the SSH daemon
+  service:
+    name: ssh
+    state: restarted
diff --git a/roles/debian_server/tasks/main.yml b/roles/debian_server/tasks/main.yml
index ece8e1b..0a4df56 100644
--- a/roles/debian_server/tasks/main.yml
+++ b/roles/debian_server/tasks/main.yml
@@ -106,19 +106,11 @@
     state: present
     value: "640000"
 
-- name: Secure SSH
-  with_dict:
-    PermitRootLogin: !!str no
-    PasswordAuthentication: !!str no
-  lineinfile:
-    backup: true
-    line: |-
-      {{ item.key }} {{ item.value }}
-    path: /etc/ssh/sshd_config
-    regexp: |-
-      {{ item.key }}
-    state: present
-    validate: sshd -Tf %s
+- name: Configure the SSH daemon
+  include_tasks:
+    file: '{{ playbook_dir }}/tasks/sshd_config.yaml'
+  tags:
+    - always
 
 - name: Make /tmp a tmpfs mount
   ansible.posix.mount:
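Review bot: The include path `'{{ playbook_dir }}/tasks/sshd_config.yaml'` ties the debian_server role to the directory layout of whichever playbook runs it, so the role is no longer self-contained and will fail if the role is reused from a playbook elsewhere. The router hunk (roles/router/tasks/main.yaml) has the same coupling. If the repository only ever runs these roles from the top-level playbook that is acceptable, but a comment above the include stating that assumption would help, e.g. `# Shared with the router role; expects the playbook to live at the repository root.`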
diff --git a/roles/router/tasks/main.yaml b/roles/router/tasks/main.yaml
index da3f517..52c5e20 100644
--- a/roles/router/tasks/main.yaml
+++ b/roles/router/tasks/main.yaml
@@ -479,21 +479,10 @@
     - syspatch
 
 - name: Configure the SSH daemon
-  with_dict:
-    PermitRootLogin: 'no'
-    PasswordAuthentication: 'no'
-    KexAlgorithms: '-diffie-hellman-group14-sha1'
-    # yamllint disable-line rule:line-length
-    MACs: '-hmac-sha1,umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com'
-  lineinfile:
-    line: '{{ item.key }} {{ item.value }}'
-    path: /etc/ssh/sshd_config
-    regexp: '{{ item.key }}'
-    validate: sshd -Tf %s
-  notify:
-    - Restart the SSH daemon
+  include_tasks:
+    file: '{{ playbook_dir }}/tasks/sshd_config.yaml'
   tags:
-    - ssh
+    - always
 
 # yamllint disable-line rule:line-length
 - name: Configure the daily Cron job (skip email if there's nothing to report, report on pending system patches).
diff --git a/tasks/sshd_config.yaml b/tasks/sshd_config.yaml
new file mode 100644
index 0000000..c0435d0
--- /dev/null
+++ b/tasks/sshd_config.yaml
@@ -0,0 +1,31 @@
+---
+- name: Configure the SSH daemon
+  with_dict:
+    CASignatureAlgorithms: >-
+      -ssh-rsa
+    HostbasedAcceptedKeyTypes: >-
+      -ssh-rsa
+    HostKeyAlgorithms: >-
+      -ssh-rsa
+    KexAlgorithms: >-
+      -diffie-hellman-group14-sha1
+    MACs: >-
+      -hmac-sha1,
+      umac-64-etm@openssh.com,
+      hmac-sha1-etm@openssh.com,
+      umac-64@openssh.com
+    PermitRootLogin: !!str no
+    PasswordAuthentication: !!str no
+    PubkeyAcceptedKeyTypes: >-
+      -ssh-rsa,
+      ssh-rsa-cert-v01@openssh.com
+  lineinfile:
+    backup: true
+    line: '{{ item.key }} {{ item.value|replace(" ", "") }}'
+    path: /etc/ssh/sshd_config
+    regexp: '{{ item.key }}'
+    validate: sshd -Tf %s
+  notify:
+    - Restart the SSH daemon
+  tags:
+    - ssh
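Review bot: The `regexp: '{{ item.key }}'` in the lineinfile block is unanchored, so it matches any line that merely contains the directive name, and because lineinfile rewrites the last matching line a directive that also appears inside a trailing `Match` block would be changed there instead of globally; `validate: sshd -Tf %s` only catches syntax errors, not a mis-scoped setting. Anchoring it, `regexp: '^#?\s*{{ item.key }}\b'`, at least rules out comment and substring hits. Separately, `PubkeyAcceptedKeyTypes` removes both `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com`, while `HostKeyAlgorithms` and `HostbasedAcceptedKeyTypes` remove only `ssh-rsa`; if the aim stated in the commit message is to drop the ssh-rsa scheme everywhere, the certificate variant presumably belongs in those two lists as well. The `!!str no` tags would also read more plainly as `'no'`, matching the quoted values the router hunk removed.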
-- 
GitLab