Skip to content
This repository has been archived by the owner on Dec 26, 2020. It is now read-only.

update config of kex, macs, ciphers #179

Merged
merged 15 commits into from
Sep 16, 2018
19 changes: 19 additions & 0 deletions .kitchen.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,14 +35,22 @@ platforms:
driver:
image: rndmh3ro/docker-centos7-ansible:latest
platform: centos
run_command: /sbin/init
provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
- name: oracle6-ansible-latest
driver:
image: rndmh3ro/docker-oracle6-ansible:latest
platform: centos
- name: oracle7-ansible-latest
driver:
image: rndmh3ro/docker-oracle7-ansible:latest
run_command: /sbin/init
platform: centos
provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
- name: ubuntu1404-ansible-latest
driver:
image: rndmh3ro/docker-ubuntu1404-ansible:latest
Expand All @@ -51,6 +59,9 @@ platforms:
driver:
image: rndmh3ro/docker-ubuntu1604-ansible:latest
platform: ubuntu
run_command: /sbin/init
provision_command:
- systemctl enable ssh.service
- name: debian7-ansible-latest
driver:
image: rndmh3ro/docker-debian7-ansible:latest
Expand All @@ -63,10 +74,18 @@ platforms:
driver:
image: rndmh3ro/docker-debian9-ansible:latest
platform: debian
run_command: /sbin/init
provision_command:
- apt install -y systemd-sysv
- systemctl enable ssh.service
- name: amazon-ansible-latest
driver:
image: rndmh3ro/docker-amazon-ansible:latest
platform: centos
run_command: /sbin/init
provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service

verifier:
name: inspec
Expand Down
13 changes: 7 additions & 6 deletions .travis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,10 @@ env:
version: latest
init: /sbin/init

- distro: oracle7
init: /usr/lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
version: latest
# - distro: oracle7
# init: /usr/lib/systemd/systemd
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
# version: latest

- distro: ubuntu1604
version: latest
Expand All @@ -35,17 +35,18 @@ env:

- distro: debian8
version: latest
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
init: /sbin/init
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"

- distro: debian9
version: latest
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"

- distro: amazon
init: /sbin/init
init: /lib/systemd/systemd
version: latest
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"

before_install:
# Pull container
Expand Down
11 changes: 3 additions & 8 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,12 +18,6 @@ Warning: This role disables root-login on the target server! Please make sure yo
| Name | Default Value | Description |
| -------------- | ------------- | -----------------------------------|
|`network_ipv6_enable` | false |true if IPv6 is needed|
|`ssh_client_cbc_required` | false |true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.|
|`ssh_server_cbc_required` | false |true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.|
|`ssh_client_weak_hmac` | false |true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.|
|`ssh_server_weak_hmac` | false |true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.|
|`ssh_client_weak_kex` | false |true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.|
|`ssh_server_weak_kex` | false |true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.|
|`ssh_server_ports` | ['22'] |ports on which ssh-server should listen|
|`ssh_client_port` | '22' |port to which ssh-client should connect|
|`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!|
Expand Down Expand Up @@ -76,6 +70,9 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
|`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
|`ssh_max_startups` | '10:30:100' | Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.|
|`ssh_macs` | [] | Change this list to overwrite macs. Defaults found in `defaults/main.yml` |
|`ssh_kex` | [] | Change this list to overwrite kexs. Defaults found in `defaults/main.yml` |
|`ssh_ciphers` | [] | Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` |

## Example Playbook

Expand Down Expand Up @@ -149,8 +146,6 @@ Always look into log files first and if possible look at the negotation between

We have seen some issues in applications (based on python and ruby) that are due to their use of an outdated crypto set. This collides with this hardening module, which reduced the list of ciphers, message authentication codes (MACs) and key exchange (KEX) algorithms to a more secure selection.

If you find this isn't enough, feel free to activate the attributes `cbc_requires` for ciphers, `weak_hmac` for MACs and `weak_kex`for KEX in the variables `ssh_client` or `ssh_server` based on where you want to support them.

**After using the role Ansibles template/copy/file module does not work anymore!**

This role by default deactivates SFTP. Ansible uses by default SFTP to transfer files to the remote hosts. You have to set `scp_if_ssh = True` in your ansible.cfg. This way Ansible uses SCP to copy files. Alternatively you can enable SFTP again by setting `sftp_enabled` to `true`.
Expand Down
28 changes: 4 additions & 24 deletions defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,18 +14,6 @@ ssh_compression: false # sshd
ssh_client_hardening: true # ssh
ssh_server_hardening: true # sshd

# true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
ssh_client_cbc_required: false # ssh
ssh_server_cbc_required: false # sshd

# true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.
ssh_client_weak_hmac: false # ssh
ssh_server_weak_hmac: false # sshd

# true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.
ssh_client_weak_kex: false # ssh
ssh_server_weak_kex: false # sshd

# If true, password login is allowed
ssh_client_password_login: false # ssh
ssh_server_password_login: false # sshd
Expand Down Expand Up @@ -184,8 +172,6 @@ ssh_macs_59_default:
- hmac-sha2-256
- hmac-ripemd160

ssh_macs_59_weak: "{{ ssh_macs_59_default + ['hmac-sha1'] }}"

ssh_macs_66_default:
- [email protected]
- [email protected]
Expand All @@ -200,15 +186,11 @@ ssh_macs_76_default:
- hmac-sha2-512
- hmac-sha2-256

ssh_macs_66_weak: "{{ ssh_macs_66_default + ['hmac-sha1'] }}"

ssh_ciphers_53_default:
- aes256-ctr
- aes192-ctr
- aes128-ctr

ssh_ciphers_53_weak: "{{ ssh_ciphers_53_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"

ssh_ciphers_66_default:
- [email protected]
- [email protected]
Expand All @@ -217,19 +199,13 @@ ssh_ciphers_66_default:
- aes192-ctr
- aes128-ctr

ssh_ciphers_66_weak: "{{ ssh_ciphers_66_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"

ssh_kex_59_default:
- diffie-hellman-group-exchange-sha256

ssh_kex_59_weak: "{{ ssh_kex_59_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"

ssh_kex_66_default:
- [email protected]
- diffie-hellman-group-exchange-sha256

ssh_kex_66_weak: "{{ ssh_kex_66_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"

# directory where to store ssh_password policy
ssh_custom_selinux_dir: '/etc/selinux/local-policies'

Expand All @@ -241,3 +217,7 @@ ssh_challengeresponseauthentication: false

# a list of public keys that are never accepted by the ssh server
ssh_server_revoked_keys: []

# Set to false to turn the role into a no-op. Useful when using
# the Ansible role dependency mechanism.
ssh_hardening_enabled: true
1 change: 1 addition & 0 deletions handlers/main.yml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
- name: restart sshd
service: name={{ sshd_service_name }} state=restarted
when: "(ssh_server_enabled|bool)"
become: yes
Loading