Commit f5ba9a3b authored by nimrod's avatar nimrod

SSH security.

- Single configuration for the OpenSSH daemon (both on Debian and
  OpenBSD systems).
- The ssh-rsa signature scheme is being deprecated (see the OpenSSH 8.5
  release notes for more details). Remove it everywhere.
parent 9f55919e
...@@ -10,3 +10,8 @@ ...@@ -10,3 +10,8 @@
- name: Update GRUB - name: Update GRUB
command: command:
cmd: update-grub cmd: update-grub
- name: Restart the SSH daemon
service:
name: ssh
state: restarted
...@@ -106,19 +106,11 @@ ...@@ -106,19 +106,11 @@
state: present state: present
value: "640000" value: "640000"
- name: Secure SSH - name: Configure the SSH daemon
with_dict: include_tasks:
PermitRootLogin: !!str no file: '{{ playbook_dir }}/tasks/sshd_config.yaml'
PasswordAuthentication: !!str no tags:
lineinfile: - always
backup: true
line: |-
{{ item.key }} {{ item.value }}
path: /etc/ssh/sshd_config
regexp: |-
{{ item.key }}
state: present
validate: sshd -Tf %s
- name: Make /tmp a tmpfs mount - name: Make /tmp a tmpfs mount
ansible.posix.mount: ansible.posix.mount:
......
...@@ -479,21 +479,10 @@ ...@@ -479,21 +479,10 @@
- syspatch - syspatch
- name: Configure the SSH daemon - name: Configure the SSH daemon
with_dict: include_tasks:
PermitRootLogin: 'no' file: '{{ playbook_dir }}/tasks/sshd_config.yaml'
PasswordAuthentication: 'no'
KexAlgorithms: '-diffie-hellman-group14-sha1'
# yamllint disable-line rule:line-length
MACs: '-hmac-sha1,umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com'
lineinfile:
line: '{{ item.key }} {{ item.value }}'
path: /etc/ssh/sshd_config
regexp: '{{ item.key }}'
validate: sshd -Tf %s
notify:
- Restart the SSH daemon
tags: tags:
- ssh - always
# yamllint disable-line rule:line-length # yamllint disable-line rule:line-length
- name: Configure the daily Cron job (skip email if there's nothing to report, report on pending system patches). - name: Configure the daily Cron job (skip email if there's nothing to report, report on pending system patches).
......
---
- name: Configure the SSH daemon
with_dict:
CASignatureAlgorithms: >-
-ssh-rsa
HostbasedAcceptedKeyTypes: >-
-ssh-rsa
HostKeyAlgorithms: >-
-ssh-rsa
KexAlgorithms: >-
-diffie-hellman-group14-sha1
MACs: >-
-hmac-sha1,
umac-64-etm@openssh.com,
hmac-sha1-etm@openssh.com,
umac-64@openssh.com
PermitRootLogin: !!str no
PasswordAuthentication: !!str no
PubkeyAcceptedKeyTypes: >-
-ssh-rsa,
ssh-rsa-cert-v01@openssh.com
lineinfile:
backup: true
line: '{{ item.key }} {{ item.value|replace(" ", "") }}'
path: /etc/ssh/sshd_config
regexp: '{{ item.key }}'
validate: sshd -Tf %s
notify:
- Restart the SSH daemon
tags:
- ssh
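Review bot: The `regexp: '{{ item.key }}'` on the lineinfile task in the new tasks/sshd_config.yaml is unanchored and the task sets no insertion point, so a key that is absent is appended at end of file and a key that occurs more than once is rewritten at its last occurrence; if the managed sshd_config ends with a `Match` block, `PermitRootLogin no` or `PasswordAuthentication no` would be appended inside that block, `sshd -Tf` would still accept it (both keywords are valid under Match), and the global setting would silently stay unchanged. Anchor the pattern and pin the insertion point: `regexp: '^#?\s*{{ item.key }}\b'`, `insertbefore: '^Match\b'`, `firstmatch: true`. That handles new lines; an existing Match-scoped duplicate would still be the one rewritten, which is worth a comment on the task, e.g. `# lineinfile rewrites the last match — keep global options above any Match block`. The folded `>-` values plus `replace(" ", "")` are fine as written, since sshd expects the comma-separated lists without whitespace.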