Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide granular noop for shh configuration #789

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Provide granular noop for shh configuration #789

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions roles/ssh_hardening/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
- Description: Specifies whether challenge-response authentication is allowed (e.g. via PAM).
- Type: bool
- Required: no
- `ssh_ciphers_config`
- Default: `true`
- Description: Whether or not configuring the ciphers of the server.
- Type: bool
- Required: no
- `ssh_ciphers`
- Default: ``
- Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`
Expand Down Expand Up @@ -238,6 +243,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
- Description: Host certificates to look for when starting sshd
- Type: list
- Required: no
- `ssh_host_key_config`
- Default: `true`
- Description: Whether or not configuring the host keys of that the server offers.
- Type: bool
- Required: no
- `ssh_host_key_algorithms`
- Default: ``
- Description: Host key algorithms that the server offers. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version
Expand All @@ -258,6 +268,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
- Description: Set to `true` if SSH has Kerberos support.
- Type: bool
- Required: no
- `ssh_kex_config`
- Default: `true`
- Description: Whether or not configuring the kexs of the server.
- Type: bool
- Required: no
- `ssh_kex`
- Default: ``
- Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`
Expand All @@ -273,6 +288,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
- Description: specifies the time allowed for successful authentication to the SSH server.
- Type: str
- Required: no
- `ssh_macs_config`
- Default: `true`
- Description: Whether or not configuring the macs of the server.
- Type: bool
- Required: no
- `ssh_macs`
- Default: ``
- Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`
Expand Down
7 changes: 7 additions & 0 deletions roles/ssh_hardening/defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,9 @@ ssh_client_port: "22" # ssh
# Default is empty, but should be configured for security reasons!
ssh_listen_to: [0.0.0.0] # sshd

# Whether or not configuring and generating the host keys files
ssh_host_key_config: true # sshd

# Host keys to look for when starting sshd.
ssh_host_key_files: [] # sshd

Expand Down Expand Up @@ -206,6 +209,10 @@ ssh_max_startups: 10:30:60 # sshd

ssh_ps59: sandbox

# Whether or not configuring the macs, cihers and kex algorithms
ssh_macs_config: true # sshd
ssh_ciphers_config: true
ssh_kex_config: true
ssh_macs: []
ssh_ciphers: []
ssh_kex: []
Expand Down
16 changes: 16 additions & 0 deletions roles/ssh_hardening/meta/argument_specs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,10 @@ argument_specs:
description: one or more ip addresses, to which ssh-server should listen to.
Default is all IPv4 addresses, but should be configured to specific addresses
for security reasons
ssh_host_key_config:
default: true
type: bool
description: Whether or not configuring the host keys of that the server offers.
ssh_host_key_files:
default: []
type: list
Expand Down Expand Up @@ -317,14 +321,26 @@ argument_specs:
default: 10:30:60
description: Specifies the maximum number of concurrent unauthenticated connections
to the SSH daemon.
ssh_macs_config:
default: true
description: Whether or not configuring the macs of the server.
type: bool
ssh_macs:
default: []
type: list
description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`
ssh_kex_config:
default: true
description: Whether or not configuring the kexs of the server.
type: bool
ssh_kex:
default: []
type: list
description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`
ssh_ciphers_config:
default: true
description: Whether or not configuring the ciphers of the server.
type: bool
ssh_ciphers:
default: []
type: list
Expand Down
13 changes: 10 additions & 3 deletions roles/ssh_hardening/tasks/hardening.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,19 +39,26 @@
ansible.builtin.include_tasks: crypto_hostkeys.yml
when:
- ssh_server_hardening | bool
- ssh_host_key_config
- not ssh_host_key_files

- name: Set default for ssh_macs if not supplied
ansible.builtin.include_tasks: crypto_macs.yml
when: not ssh_macs
when:
- ssh_macs_config
- not ssh_macs

- name: Set default for ssh_ciphers if not supplied
ansible.builtin.include_tasks: crypto_ciphers.yml
when: not ssh_ciphers
when:
- ssh_ciphers_config
- not ssh_ciphers

- name: Set default for ssh_kex if not supplied
ansible.builtin.include_tasks: crypto_kex.yml
when: not ssh_kex
when:
- ssh_kex_config
- not ssh_kex

- name: Create revoked_keys and set permissions to root/600
ansible.builtin.template:
Expand Down
8 changes: 4 additions & 4 deletions roles/ssh_hardening/templates/opensshd.conf.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ ListenAddress {{ address }}
{% endfor %}

# HostKeys are listed here.
{% for key in ssh_host_key_files %}
{% for key in ssh_host_key_files if ssh_host_key_config%}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we do something like {{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers and ssh_ciphers_config else 'Ciphers'|comment }} here, too?

HostKey {{ key }}
{% endfor %}

Expand Down Expand Up @@ -73,14 +73,14 @@ LogLevel {{ sshd_log_level }}
# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
#
{# This outputs 'Ciphers <list-of-ciphers>' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined -#}
{{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers else 'Ciphers'|comment }}
{{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers and ssh_ciphers_config else 'Ciphers'|comment }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This and the changes for MACs and Kex shouldn't be needed since ssh_ciphers can only be set in two ways:

  • define it as a variable, then ansible.builtin.include_tasks: crypto_ciphers.yml won't be run.
  • by the tasks in ansible.builtin.include_tasks: crypto_ciphers.yml

Or is there something I am missing where we want to define Ciphers but not actually configure them?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually on main we have :

  • If I don't define them as a variable, the tasks crypto_ciphers.yml will define them for me and the template will use the defaults and hardcode them in the configuration file.
  • If I define them as a non true variable, the same apply as I wasn't defining them.
  • If I define them as a variable, the template will use this variable and hardcode them in the configuration file.

So what about if I doesn't want to define Ciphers and does not want to configure them ?


# **Hash algorithms** -- SHA-1 is formally deprecated by NIST in 2011 because of security issues.
# Weak HMAC is sometimes required if older package versions are used
# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
#
{# This outputs 'MACs <list-of-macs>' if ssh_macs is defined or '#MACs' if ssh_macs is undefined -#}
{{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs else 'MACs'|comment }}
{{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs and ssh_macs_config else 'MACs'|comment }}

{% if sshd_version is version('5.9', '<') %}
# Alternative setting, if OpenSSH version is below v5.9
Expand All @@ -93,7 +93,7 @@ LogLevel {{ sshd_log_level }}
# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
#
{# This outputs 'KexAlgorithms <list-of-algos>' if ssh_kex is defined or '#KexAlgorithms' if ssh_kex is undefined #}
{{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex else 'KexAlgorithms'|comment }}
{{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex and ssh_kex_config else 'KexAlgorithms'|comment }}

# Authentication
# --------------
Expand Down