From 5cf0f9181191474907c3083776a462c80de2bc4c Mon Sep 17 00:00:00 2001
From: seven beep
Date: Fri, 6 Sep 2024 18:03:50 +0200
Subject: [PATCH] Provide granular noop for shh configuration

We would like to have more fine grained options on applying or not specific configurations. This commit let the user choose to noop some configuration with a few new boolean variables.

Motivation for theses options are we may configure ourselves some (ssh host key regeneration in a templating system) or we are not ready for others (ssh_kex will break dist-upgrades, letting the operator without ssh).

Signed-off-by: seven beep
---
 roles/ssh_hardening/README.md | 20 +++++++++++++++++++
 roles/ssh_hardening/defaults/main.yml | 7 +++++++
 roles/ssh_hardening/meta/argument_specs.yml | 16 +++++++++++++++
 roles/ssh_hardening/tasks/hardening.yml | 13 +++++++++---
 .../ssh_hardening/templates/opensshd.conf.j2 | 8 ++++----
 5 files changed, 57 insertions(+), 7 deletions(-)

diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
index 394169c3..94d8580c 100644
--- a/roles/ssh_hardening/README.md
+++ b/roles/ssh_hardening/README.md
@@ -138,6 +138,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - Description: Specifies whether challenge-response authentication is allowed (e.g. via PAM).
   - Type: bool
   - Required: no
+- `ssh_ciphers_config`
+  - Default: `true`
+  - Description: Whether or not configuring the ciphers of the server.
+  - Type: bool
+  - Required: no
 - `ssh_ciphers`
   - Default: ``
   - Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`
@@ -238,6 +243,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - Description: Host certificates to look for when starting sshd
   - Type: list
   - Required: no
+- `ssh_host_key_config`
+  - Default: `true`
+  - Description: Whether or not configuring the host keys of that the server offers.
+  - Type: bool
+  - Required: no
 - `ssh_host_key_algorithms`
   - Default: ``
   - Description: Host key algorithms that the server offers. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version
@@ -258,6 +268,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - Description: Set to `true` if SSH has Kerberos support.
   - Type: bool
   - Required: no
+- `ssh_kex_config`
+  - Default: `true`
+  - Description: Whether or not configuring the kexs of the server.
+  - Type: bool
+  - Required: no
 - `ssh_kex`
   - Default: ``
   - Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`
@@ -273,6 +288,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - Description: specifies the time allowed for successful authentication to the SSH server.
   - Type: str
   - Required: no
+- `ssh_macs_config`
+  - Default: `true`
+  - Description: Whether or not configuring the macs of the server.
+  - Type: bool
+  - Required: no
 - `ssh_macs`
   - Default: ``
   - Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`
diff --git a/roles/ssh_hardening/defaults/main.yml b/roles/ssh_hardening/defaults/main.yml
index d70b8da6..e34f447b 100644
--- a/roles/ssh_hardening/defaults/main.yml
+++ b/roles/ssh_hardening/defaults/main.yml
@@ -40,6 +40,9 @@ ssh_client_port: "22" # ssh
 # Default is empty, but should be configured for security reasons!
 ssh_listen_to: [0.0.0.0] # sshd
+# Whether or not configuring and generating the host keys files
+ssh_host_key_config: true # sshd
+
 # Host keys to look for when starting sshd.
 ssh_host_key_files: [] # sshd
@@ -206,6 +209,10 @@ ssh_max_startups: 10:30:60 # sshd
 ssh_ps59: sandbox
+# Whether or not configuring the macs, cihers and kex algorithms
+ssh_macs_config: true # sshd
+ssh_ciphers_config: true
+ssh_kex_config: true
 ssh_macs: []
 ssh_ciphers: []
 ssh_kex: []
diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml
index 243768d8..42439604 100644
--- a/roles/ssh_hardening/meta/argument_specs.yml
+++ b/roles/ssh_hardening/meta/argument_specs.yml
@@ -28,6 +28,10 @@ argument_specs:
         description: one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 addresses, but should be configured to specific addresses for security reasons
+      ssh_host_key_config:
+        default: true
+        type: bool
+        description: Whether or not configuring the host keys of that the server offers.
       ssh_host_key_files:
         default: []
         type: list
@@ -317,14 +321,26 @@ argument_specs:
         default: 10:30:60
         description: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.
+      ssh_macs_config:
+        default: true
+        description: Whether or not configuring the macs of the server.
+        type: bool
       ssh_macs:
         default: []
         type: list
         description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`
+      ssh_kex_config:
+        default: true
+        description: Whether or not configuring the kexs of the server.
+        type: bool
       ssh_kex:
         default: []
         type: list
         description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`
+      ssh_ciphers_config:
+        default: true
+        description: Whether or not configuring the ciphers of the server.
+        type: bool
       ssh_ciphers:
         default: []
         type: list
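Review bot: The comment introduced in `@@ -206,6 +209,10 @@` has a typo (`cihers`) and only `ssh_macs_config` carries the `# sshd` scope marker that the neighbouring variables use, so the three switches read as if they applied to different components. Suggest `# Whether or not configuring the MACs, ciphers and KEX algorithms` together with `ssh_ciphers_config: true # sshd` and `ssh_kex_config: true # sshd`. Because the template emits a commented-out `#Ciphers`/`#MACs`/`#KexAlgorithms` line whenever one of these switches is false, the comment should also say that disabling a switch leaves sshd on its compiled-in defaults rather than the role's hardened list, e.g. `# Set to false to leave the directive unmanaged (sshd then uses its built-in defaults)`.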
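Review bot: The description added for `ssh_host_key_config` in `@@ -28,6 +28,10 @@` is garbled (`of that the server offers`) and reads like the algorithm list, whereas the defaults comment and the template tie this switch to the host key files themselves; `description: Whether the role manages the sshd host key files (default generation and HostKey entries).` would match that use. The same wording appears in the README hunk for this variable. The field order also differs between this entry (`default`, `type`, `description`) and the three entries added in `@@ -317,14 +321,26 @@` (`default`, `description`, `type`); keeping one order makes the spec easier to diff.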
diff --git a/roles/ssh_hardening/tasks/hardening.yml b/roles/ssh_hardening/tasks/hardening.yml
index 3b09c5c3..0b3843de 100644
--- a/roles/ssh_hardening/tasks/hardening.yml
+++ b/roles/ssh_hardening/tasks/hardening.yml
@@ -39,19 +39,26 @@
   ansible.builtin.include_tasks: crypto_hostkeys.yml
   when:
     - ssh_server_hardening | bool
+    - ssh_host_key_config
     - not ssh_host_key_files
 
 - name: Set default for ssh_macs if not supplied
   ansible.builtin.include_tasks: crypto_macs.yml
-  when: not ssh_macs
+  when:
+    - ssh_macs_config
+    - not ssh_macs
 
 - name: Set default for ssh_ciphers if not supplied
   ansible.builtin.include_tasks: crypto_ciphers.yml
-  when: not ssh_ciphers
+  when:
+    - ssh_ciphers_config
+    - not ssh_ciphers
 
 - name: Set default for ssh_kex if not supplied
   ansible.builtin.include_tasks: crypto_kex.yml
-  when: not ssh_kex
+  when:
+    - ssh_kex_config
+    - not ssh_kex
 
 - name: Create revoked_keys and set permissions to root/600
   ansible.builtin.template:
diff --git a/roles/ssh_hardening/templates/opensshd.conf.j2 b/roles/ssh_hardening/templates/opensshd.conf.j2
index 4ac0e713..fd28ffb4 100644
--- a/roles/ssh_hardening/templates/opensshd.conf.j2
+++ b/roles/ssh_hardening/templates/opensshd.conf.j2
@@ -34,7 +34,7 @@ ListenAddress {{ address }}
 {% endfor %}
 
 # HostKeys are listed here.
-{% for key in ssh_host_key_files %}
+{% for key in ssh_host_key_files if ssh_host_key_config%}
 HostKey {{ key }}
 {% endfor %}
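Review bot: The new `when` entries in `@@ -39,19 +39,26 @@` test `ssh_host_key_config`, `ssh_macs_config`, `ssh_ciphers_config` and `ssh_kex_config` bare, while the sibling condition directly above uses `ssh_server_hardening | bool`. A value supplied as the string `"false"` (extra-vars, inventory) can be truthy in a bare test, in which case the role would still overwrite an operator-managed algorithm list; whether the argument-spec `type: bool` coerces the variable in place is not visible here, so the explicit filter is the safer and more consistent form. Suggest `- ssh_host_key_config | bool`, `- ssh_macs_config | bool`, `- ssh_ciphers_config | bool` and `- ssh_kex_config | bool`. The `- name:` line of the first task starts before the hunk.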
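Review bot: `{% for key in ssh_host_key_files if ssh_host_key_config%}` in `@@ -34,7 +34,7 @@` lacks the space before `%}` that every other tag in this template has; `{% for key in ssh_host_key_files if ssh_host_key_config %}`. With the switch off the rendered file carries no `HostKey` line at all, so sshd silently falls back to its built-in key paths and an auditor cannot tell an opt-out from a missing setting; the comment above the loop should state this, e.g. `# HostKeys are listed here (left to sshd's defaults when ssh_host_key_config is false).`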
@@ -73,14 +73,14 @@ LogLevel {{ sshd_log_level }}
 # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
 #
 {# This outputs 'Ciphers ' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined -#}
-{{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers else 'Ciphers'|comment }}
+{{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers and ssh_ciphers_config else 'Ciphers'|comment }}
 
 # **Hash algorithms** -- SHA-1 is formally deprecated by NIST in 2011 because of security issues.
 # Weak HMAC is sometimes required if older package versions are used
 # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
 #
 {# This outputs 'MACs ' if ssh_macs is defined or '#MACs' if ssh_macs is undefined -#}
-{{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs else 'MACs'|comment }}
+{{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs and ssh_macs_config else 'MACs'|comment }}
 
 {% if sshd_version is version('5.9', '<') %}
 # Alternative setting, if OpenSSH version is below v5.9
@@ -93,7 +93,7 @@ LogLevel {{ sshd_log_level }}
 # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
 #
 {# This outputs 'KexAlgorithms ' if ssh_kex is defined or '#KexAlgorithms' if ssh_kex is undefined #}
-{{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex else 'KexAlgorithms'|comment }}
+{{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex and ssh_kex_config else 'KexAlgorithms'|comment }}
 
 # Authentication
 # --------------
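Review bot: The `{# This outputs 'Ciphers ' ... #}` guidance comment above the changed line in `@@ -73,14 +73,14 @@` is now stale: the expression also renders the commented-out `#Ciphers` placeholder when `ssh_ciphers_config` is false, not only when `ssh_ciphers` is empty. The same applies to the `MACs` comment in this hunk and the `KexAlgorithms` comment in `@@ -93,7 +93,7 @@`. Suggest `{# Outputs 'Ciphers ...' when ssh_ciphers is set and ssh_ciphers_config is true, otherwise '#Ciphers' so sshd keeps its built-in defaults -#}` and the equivalent wording for the other two. Since a commented directive in the rendered sshd_config is indistinguishable from "never hardened", a rendered note such as `# Ciphers left unmanaged by the role (ssh_ciphers_config is false)` beside the placeholder would make a deliberate opt-out visible to whoever audits the host.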