diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
index 394169c3..81a9cf7b 100644
--- a/roles/ssh_hardening/README.md
+++ b/roles/ssh_hardening/README.md
@@ -140,7 +140,7 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
 - Required: no
 - `ssh_ciphers`
 - Default: ``
- - Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`
+ - Description: Change this list to overwrite ciphers. If false this configuration will be skipped. Defaults found in `defaults/main.yml`
 - Type: list
 - Required: no
 - `ssh_client_alive_count`
@@ -240,7 +240,7 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
 - Required: no
 - `ssh_host_key_algorithms`
 - Default: ``
- - Description: Host key algorithms that the server offers. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version
+ - Description: Host key algorithms that the server offers. If empty the default list will be used. If false this configuration will be skipped. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version
 - Type: list
 - Required: no
 - `ssh_host_key_files`
@@ -260,7 +260,7 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
 - Required: no
 - `ssh_kex`
 - Default: ``
- - Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`
+ - Description: Change this list to overwrite kexs. If false this configuration will be skipped. Defaults found in `defaults/main.yml`
 - Type: list
 - Required: no
 - `ssh_listen_to`
@@ -275,7 +275,7 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
 - Required: no
 - `ssh_macs`
 - Default: ``
- - Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`
+ - Description: Change this list to overwrite macs. If false this configuration will be skipped. Defaults found in `defaults/main.yml`
 - Type: list
 - Required: no
 - `ssh_max_auth_retries`
diff --git a/roles/ssh_hardening/defaults/main.yml b/roles/ssh_hardening/defaults/main.yml
index d70b8da6..c4fb2160 100644
--- a/roles/ssh_hardening/defaults/main.yml
+++ b/roles/ssh_hardening/defaults/main.yml
@@ -41,7 +41,7 @@ ssh_client_port: "22" # ssh
 ssh_listen_to: [0.0.0.0] # sshd
 # Host keys to look for when starting sshd.
-ssh_host_key_files: [] # sshd
+ssh_host_key_files: none # sshd
 # Host RSA key size in bits
 ssh_host_rsa_key_size: 4096 # sshd
@@ -206,9 +206,9 @@ ssh_max_startups: 10:30:60 # sshd
 ssh_ps59: sandbox
-ssh_macs: []
-ssh_ciphers: []
-ssh_kex: []
+ssh_macs: none
+ssh_ciphers: none
+ssh_kex: none
 # directory where to store ssh_password policy
 ssh_custom_selinux_dir: /etc/selinux/local-policies
diff --git a/roles/ssh_hardening/tasks/hardening.yml b/roles/ssh_hardening/tasks/hardening.yml
index 3b09c5c3..4c25884b 100644
--- a/roles/ssh_hardening/tasks/hardening.yml
+++ b/roles/ssh_hardening/tasks/hardening.yml
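Review bot: `ssh_host_key_files: none` in the @@ -41 hunk, and the three `none` values in the @@ -206 hunk, are strings rather than nulls: YAML's null spellings are `null`, `Null`, `NULL`, `~` or an empty value, so a YAML 1.1 loader such as Ansible's hands the variable the string `none`, and the new `ssh_host_key_files is none` / `ssh_macs is none` conditions in tasks/hardening.yml then evaluate false with the defaults untouched, skipping the crypto_*.yml includes that are supposed to supply the hardened algorithm lists. Write the four defaults as `null` (for example `ssh_host_key_files: null # sshd` and `ssh_macs: null`), and state the tri-state contract next to them in a comment along the lines of `# null: use the role defaults; false: leave the directive out of sshd_config; list: use as given`. As far as I can tell from these hunks, the failure is silent: sshd would simply keep its built-in Ciphers/MACs/KexAlgorithms selection instead of the role's hardened one, so a test that renders the config with stock defaults and asserts the expected `Ciphers`, `MACs` and `KexAlgorithms` lines are present would be a cheap guard against this class of regression.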
@@ -35,23 +35,23 @@
 ansible.builtin.set_fact:
 sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
-- name: Set default for ssh_host_key_files if not supplied
+- name: Set default for ssh_host_key_files if none
 ansible.builtin.include_tasks: crypto_hostkeys.yml
 when:
 - ssh_server_hardening | bool
- - not ssh_host_key_files
+ - ssh_host_key_files is none
-- name: Set default for ssh_macs if not supplied
+- name: Set default for ssh_macs if none
 ansible.builtin.include_tasks: crypto_macs.yml
- when: not ssh_macs
+ when: ssh_macs is none
-- name: Set default for ssh_ciphers if not supplied
+- name: Set default for ssh_ciphers if none
 ansible.builtin.include_tasks: crypto_ciphers.yml
- when: not ssh_ciphers
+ when: ssh_ciphers is none
-- name: Set default for ssh_kex if not supplied
+- name: Set default for ssh_kex if none
 ansible.builtin.include_tasks: crypto_kex.yml
- when: not ssh_kex
+ when: ssh_kex is none
 - name: Create revoked_keys and set permissions to root/600
 ansible.builtin.template:
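Review bot: Switching from `not ssh_macs` to `ssh_macs is none` (and the same for `ssh_ciphers`, `ssh_kex` and `ssh_host_key_files` in this hunk) changes what an explicitly empty list means: `[]`, which was the previous default and may be carried verbatim in existing inventories or group_vars, used to trigger the hardened defaults and now skips the include, while the README hunks document only `false` as the skip value. If treating `[]` as "skip" is intended, the README descriptions should say `If empty or false this configuration will be skipped`; if not, keep the old fallback next to the new check, e.g. `when: ssh_macs is none or ssh_macs == []`, with the equivalent list item for `ssh_host_key_files`. Either way the behaviour deserves to be stated explicitly, because the skipped include leaves sshd with whatever algorithm list OpenSSH ships rather than the role's, and an operator reading only the task names would assume the opposite.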