From 3d22817eff38b46a569756c85551d47de5cec001 Mon Sep 17 00:00:00 2001 From: Raoul Date: Wed, 7 Mar 2018 03:28:23 +0100 Subject: [PATCH] Simple and secure openssh server configuration --- defaults/main.yml | 7 ++++ handlers/main.yml | 5 +++ readme.md | 20 ++++++++++++ tasks/main.yml | 26 +++++++++++++++ templates/sshd_config | 75 +++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 133 insertions(+) create mode 100644 defaults/main.yml create mode 100644 handlers/main.yml create mode 100644 readme.md create mode 100644 tasks/main.yml create mode 100644 templates/sshd_config diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..6b046c9 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,7 @@ +# List of users for the 'AllowUsers' keyword +sshd_allow_users: + - root + +# List of groups for the 'AllowGroups' keyword +sshd_allow_groups: + - root diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..822887e --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart ssh + service: + name: ssh + state: restarted diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..8091524 --- /dev/null +++ b/readme.md @@ -0,0 +1,20 @@ +OpenSSH Server +============== + +Ansible role to configure the OpenSSH `ssh` server. + + +Variables +--------- + +* `sshd_allow_users` (default `[root]`): + List of users for the `AllowUsers` keyword + +* `sshd_allow_groups` (default `[root]`): + List of groups for the `AllowGroups` keyword + + +References +---------- + +* [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html) diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..24202f5 --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,26 @@ +--- +- name: Copy sshd configuration + template: + src: sshd_config + dest: '/etc/ssh/sshd_config' + owner: root + group: root + mode: 'u=rw,g=r,o=r' + validate: /usr/sbin/sshd -t -f %s + + +- name: Remove unwanted host keys + file: + path: '/etc/ssh/ssh_host_{{ item }}_key' + state: absent + with_items: + - ecdsa + - rsa + - dsa +- file: + path: '/etc/ssh/ssh_host_{{ item }}_key.pub' + state: absent + with_items: + - ecdsa + - rsa + - dsa diff --git a/templates/sshd_config b/templates/sshd_config new file mode 100644 index 0000000..bfd5827 --- /dev/null +++ b/templates/sshd_config @@ -0,0 +1,75 @@ +# Networking +Port 22 + +TCPKeepAlive yes + + +# Key exchange +#KexAlgorithms curve25519-sha256@libssh.org, +# diffie-hellman-group-exchange-sha256 +KexAlgorithms curve25519-sha256@libssh.org + + +# Server authentication +Protocol 2 +HostKey /etc/ssh/ssh_host_ed25519_key + +# Not available in openssh 6.7 +# HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 + +# Client authentication +PasswordAuthentication no +ChallengeResponseAuthentication no +PubkeyAuthentication yes + +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + + +# User Authentication +AllowUsers {{ sshd_allow_users|join(' ') }} +AllowGroups {{ sshd_allow_groups|join(' ') }} +PermitRootLogin without-password + +LoginGraceTime 120 + +StrictModes yes + +# Not available in openssh 6.7 +# PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 + + +# Symmetric ciphers +#Ciphers chacha20-poly1305@openssh.com, +# aes256-gcm@openssh.com, +# aes128-gcm@openssh.com, +# aes256-ctr, +# aes192-ctr, +# aes128-ctr +Ciphers chacha20-poly1305@openssh.com + + +# Message authentication codes +#MACs hmac-sha2-512-etm@openssh.com, +# hmac-sha2-256-etm@openssh.com, +# hmac-ripemd160-etm@openssh.com, +# umac-128-etm@openssh.com, +# hmac-sha2-512, +# hmac-sha2-256, +# hmac-ripemd160, +# umac-128@openssh.com +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com + + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +PrintMotd no + +# sftp (required by ansible) +Subsystem sftp /usr/lib/openssh/sftp-server + + +# ETC