From 97847cc1d4fb4f5b2569ba8a99cf7a52b29bfd90 Mon Sep 17 00:00:00 2001
From: L3D
Date: Tue, 9 Apr 2019 22:03:00 +0200
Subject: [PATCH] Make sure ssh is more secure and more customizable

---
 defaults/main.yml | 8 +++++++-
 tasks/main.yml | 33 +++++++++++++++++++++++++++++++++
 templates/sshd_config | 10 +++++++---
 3 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index de97122..b52fedf 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,6 +13,12 @@ sshd_default_allowed_groups:
 # Enable AllowUsers and AllowGroups options
 restrict_allow_users: True
 
+# Require ed25519 key
+only_allow_ed25519: true
+
 # Allow login with password?
 sshd_password_authentication: 'no' # 'yes' or 'no'
-
+
+# Allow optional cryptho methods (NOT RECOMENDED)
+generate_ecdsa_too: false
+use_diffie-hellman-group-exchange-sha256: false
diff --git a/tasks/main.yml b/tasks/main.yml
index e42380f..d5ce0ef 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -29,6 +29,15 @@
   notify:
     - restart ssh
 
+- name: Generate new ecdsa ssh host key pair if necessary
+  become: yes
+  command: ssh-keygen -t ecdsa -f 'ssh_host_ecdsa_key' -P '' -q
+  args:
+    chdir: '/etc/ssh/'
+    creates: 'ssh_host_ecdsa_key.pub'
+  notify:
+    - restart ssh
+  when: generate_ecdsa_too
 
 - name: Generate new ed25519 ssh host key pair if necessary
   become: yes
@@ -39,6 +48,18 @@
   notify:
     - restart ssh
 
+- name: Remove unwanted host keys
+  become: yes
+  file:
+    path: '/etc/ssh/ssh_host_{{ item }}_key'
+    state: absent
+  with_items:
+    - rsa
+    - dsa
+  notify:
+    - restart ssh
+  when: generate_ecdsa_too
+
 - name: Remove unwanted host keys
   become: yes
   file:
@@ -50,6 +71,7 @@
     - dsa
   notify:
     - restart ssh
+  when: generate_ecdsa_too == false
 
 - file:
     path: '/etc/ssh/ssh_host_{{ item }}_key.pub'
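Review bot: `use_diffie-hellman-group-exchange-sha256` is not a usable variable name: Ansible variable names may only contain letters, digits and underscores, and Jinja2 parses the hyphens as subtraction, so the `{% if use_diffie-hellman-group-exchange-sha256 %}` test added in templates/sshd_config becomes `use_diffie - hellman - group - exchange - sha256` over undefined names and the template fails to render. Rename it with underscores in both files, e.g. `use_diffie_hellman_group_exchange_sha256: false`. The comments could also be more precise: `# Require ed25519 key` governs which client key types sshd accepts (PubkeyAcceptedKeyTypes), while the two switches below add a second ECDSA host key and the DH group-exchange KEX respectively, so something like `# Only accept ed25519 client keys (PubkeyAcceptedKeyTypes)` and `# Optional extra algorithms, not recommended: second ECDSA host key / DH group-exchange KEX` would tell operators what they are toggling (and fix the `cryptho`/`RECOMENDED` spelling).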
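Review bot: The added `Remove unwanted host keys` task is a near-copy of the existing task directly below it, differing only in whether `ecdsa` is in the list, and the `- file:` task added in the last hunk duplicates the existing `.pub` task the same way; two tasks with the same name and opposite `when` conditions are hard to follow in play output. Because `when` is evaluated per item under `with_items`, the existing tasks can cover both cases on their own: keep their lists (the hunk line numbering implies they already hold rsa, ecdsa and dsa) and give each `when: not (generate_ecdsa_too and item == 'ecdsa')`, then drop the two added tasks and the two `when: generate_ecdsa_too == false` lines. The existing task whose header closes this hunk continues past it.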
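Review bot: `when: generate_ecdsa_too == false` compares a boolean against a literal; the idiomatic Ansible form is `when: not generate_ecdsa_too`, matching the bare `when: generate_ecdsa_too` used on the companion task. The same line is added in the last hunk of this file. The task this line belongs to starts before the hunk.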
@@ -61,4 +83,15 @@ - dsa notify: - restart ssh + when: generate_ecdsa_too == false +- file: + path: '/etc/ssh/ssh_host_{{ item }}_key.pub' + state: absent + become: yes + with_items: + - rsa + - dsa + notify: + - restart ssh + when: generate_ecdsa_too diff --git a/templates/sshd_config b/templates/sshd_config index fff9ca5..770d5aa 100644 --- a/templates/sshd_config +++ b/templates/sshd_config @@ -10,13 +10,16 @@ TCPKeepAlive yes # Key exchange #KexAlgorithms curve25519-sha256@libssh.org, # diffie-hellman-group-exchange-sha256 -KexAlgorithms curve25519-sha256@libssh.org +KexAlgorithms curve25519-sha256@libssh.org{% +if use_diffie-hellman-group-exchange-sha256 %},diffie-hellman-group-exchange-sha256{% endif %} # Server authentication Protocol 2 HostKey /etc/ssh/ssh_host_ed25519_key - +{% if generate_ecdsa_too %} +HostKey /etc/ssh/ssh_host_ecdsa_key +{% endif %} # Not available in openssh 6.7 # HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 @@ -43,7 +46,8 @@ LoginGraceTime 120 StrictModes yes # Not available in openssh 6.7 -# PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 +{% if only_allow_ed25519 == false %}# {% +endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Symmetric ciphers
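Review bot: The Jinja tag on the KexAlgorithms line is split across two source lines (`{%` at the end of one, `if … %}` on the next), which hides that the rendered directive is a single line and makes the template hard to grep; keep the whole tag on one line, e.g. `KexAlgorithms curve25519-sha256@libssh.org{% if use_diffie_hellman_group_exchange_sha256 %},diffie-hellman-group-exchange-sha256{% endif %}` (underscored, since hyphens are not valid in a Jinja2 name). A comment above it could say why group exchange is off by default, e.g. `# DH group exchange is only as strong as the host's /etc/ssh/moduli; off unless explicitly enabled`, so operators know what they are enabling.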
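Review bot: With the new default `only_allow_ed25519: true` the template now emits `PubkeyAcceptedKeyTypes`, which the comment directly above it still marks as not available in OpenSSH 6.7 (the keyword arrived in OpenSSH 7.0). On an older sshd an unknown keyword is a configuration error, so the `restart ssh` handler could leave the host without a listening daemon; the task that deploys this template should validate the rendered file before the handler runs, e.g. `validate: '/usr/sbin/sshd -t -f %s'`, and the defaults should document the minimum OpenSSH version the `true` default assumes. Separately, building a comment marker with `{% if only_allow_ed25519 == false %}# {% endif %}` is hard to read; `{% if only_allow_ed25519 %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519{% endif %}` says the same thing directly.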