Merge remote-tracking branch 'upstream/master' into feature/2fa_auth

Author: lazzurs

.kitchen.yml

@@ -9,10 +9,6 @@ driver:
 transport:
   max_ssh_sessions: 5
 
-transport:
-  max_ssh_sessions: 5
-
-
 provisioner:
   name: ansible_playbook
   hosts: all
@@ -26,6 +22,7 @@ provisioner:
   http_proxy: <%= ENV['http_proxy'] || nil %>
   https_proxy: <%= ENV['https_proxy'] || nil %>
   playbook: default.yml
+  ansible_diff: true
   ansible_extra_flags:
     - "--skip-tags=sysctl"
 

CHANGELOG.md

@@ -1,5 +1,36 @@
 # Change Log
 
+## [4.3.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.3.1) (2017-08-14)
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.3.0...4.3.1)
+
+**Implemented enhancements:**
+
+- Remove duplicate ssh\_use\_dns [\#130](https://github.com/dev-sec/ansible-ssh-hardening/pull/130) ([MagnusEnger](https://github.com/MagnusEnger))
+
+**Fixed bugs:**
+
+- ssh\_use\_dns used twice in defaults/main.yml [\#129](https://github.com/dev-sec/ansible-ssh-hardening/issues/129)
+
+**Closed issues:**
+
+- role creates duplicate parameter/values after run [\#124](https://github.com/dev-sec/ansible-ssh-hardening/issues/124)
+
+## [4.3.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.3.0) (2017-08-03)
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.3...4.3.0)
+
+**Implemented enhancements:**
+
+- Fix ansible.cfg settings [\#122](https://github.com/dev-sec/ansible-ssh-hardening/pull/122) ([fazlearefin](https://github.com/fazlearefin))
+- Finish 94 [\#116](https://github.com/dev-sec/ansible-ssh-hardening/pull/116) ([rndmh3ro](https://github.com/rndmh3ro))
+
+**Merged pull requests:**
+
+- Don't overwrite ssh\_host\_key\_files if set manually [\#125](https://github.com/dev-sec/ansible-ssh-hardening/pull/125) ([oakey-b1](https://github.com/oakey-b1))
+- Add comment filter to {{ansible\_managed}} string [\#121](https://github.com/dev-sec/ansible-ssh-hardening/pull/121) ([fazlearefin](https://github.com/fazlearefin))
+
+## [4.1.3](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.3) (2017-06-30)
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.2.0...4.1.3)
+
 ## [4.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.2.0) (2017-06-30)
 [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.2...4.2.0)
 
@@ -264,4 +295,4 @@
 
 
 
-\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
+\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*

README.md

@@ -27,19 +27,21 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_server_ports` | ['22'] |ports on which ssh-server should listen|
 |`ssh_client_port` | '22' |port to which ssh-client should connect|
 |`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!|
-|`ssh_host_key_files` | ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key'] |Host keys to look for when starting sshd.|
+|`ssh_host_key_files` | [] |Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version|
 |`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages |
 |`ssh_client_alive_count` | 3 | defines how often keep-alive messages are sent |
 |`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required |
 |`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.|
 |`ssh_allow_root_with_key` | false | false to disable root login altogether. Set to true to allow root to login via key-based mechanism.|
 |`ssh_allow_tcp_forwarding` | false | false to disable TCP Forwarding. Set to true to allow TCP Forwarding.|
+|`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.|
 |`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.|
 |`ssh_use_pam` | false | false to disable pam authentication.|
 |`ssh_deny_users` | '' | if specified, login is disallowed for user names that match one of the patterns.|
 |`ssh_allow_users` | '' | if specified, login is allowed only for user names that match one of the patterns.|
 |`ssh_deny_groups` | '' | if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.|
 |`ssh_allow_groups` | '' | if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.|
+|`ssh_authorized_keys_file` | '' | change default file that contains the public keys that can be used for user authentication.|
 |`ssh_print_motd` | false | false to disable printing of the MOTD|
 |`ssh_print_last_log` | false | false to disable display of last login information|
 |`sftp_enabled` | false | true to enable sftp configuration|
@@ -49,7 +51,22 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
 |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
 |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
+<<<<<<< HEAD
 |`ssh_google_auth` | false | `true` to enable google authenticator based TOTP 2FA |
+=======
+|`ssh_banner` | `false` | `true` to print a banner on login |
+|`ssh_client_hardening` | `true` | `false` to stop harden the client |
+|`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. |
+|`ssh_compression` | `false` | Specifies whether compression is enabled after the user has authenticated successfully. |
+|`ssh_max_auth_retries` | `2` | Specifies the maximum number of authentication attempts permitted per connection. |
+|`ssh_print_debian_banner` | `false` | `true` to print debian specific banner |
+|`ssh_server_enabled` | `true` | `false` to disable the opensshd server |
+|`ssh_server_hardening` | `true` | `false` to stop harden the server |
+|`ssh_server_match_group` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
+|`ssh_server_match_user` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
+|`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd |
+|`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
+>>>>>>> upstream/master
 |`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
 
 ## Example Playbook

ansible.cfg

@@ -8,7 +8,8 @@
 # finds first
 
 [defaults]
-ansible_managed = Ansible managed: {file} modified on %Y-%m-%d by {uid} on {host}
+ansible_managed = Ansible managed: {file} modified by {uid} on {host}
+roles_path = /vagrant
 
-role_path = /vagrant
+[ssh_connection]
 scp_if_ssh = True

default.yml

@@ -13,20 +13,52 @@
         - "openssh-server"
       ignore_errors: true
     - file: path="/var/run/sshd" state=directory
+    - name: create ssh host keys
+      command: "ssh-keygen -A"
+      when: not ((ansible_os_family in ['Oracle Linux', 'RedHat']) and ansible_distribution_major_version < '7')
+
   roles:
     - ansible-ssh-hardening
   vars:
     network_ipv6_enable: true
     ssh_allow_root_with_key: true
+    ssh_allow_tcp_forwarding: true
+    ssh_gateway_ports: true
+    ssh_allow_agent_forwarding: true
+    ssh_server_permit_environment_vars: ['PWD','HTTP_PROXY']
+    ssh_client_alive_interval: 100
+    ssh_client_alive_count: 10
     ssh_client_password_login: true
     ssh_client_cbc_required: true
-    ssh_server_weak_hmac: true
     ssh_client_weak_kex: true
+    ssh_challengeresponseauthentication: true
+    ssh_compression: true
+    ssh_allow_users: 'root kitchen vagrant'
+    ssh_allow_groups: 'root kitchen vagrant'
+    ssh_deny_users: 'foo bar'
+    ssh_deny_groups: 'foo bar'
+    ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
+    ssh_max_auth_retries: 10
+    ssh_permit_tunnel: true
+    ssh_print_motd: true
+    ssh_print_last_log: true
+    ssh_banner: true
+    ssh_server_password_login: true
+    ssh_server_weak_hmac: true
+    sftp_enabled: true
+    ssh_server_match_group:
+      - group: 'root'
+        rules: 'AllowTcpForwarding yes'
+    ssh_server_match_user:
+      - user: 'root'
+        rules: 'AllowTcpForwarding yes'
     ssh_remote_hosts:
       - names: ['example.com', 'example2.com']
         options: ['Port 2222', 'ForwardAgent yes']
       - names: ['example3.com']
         options: ['StrictHostKeyChecking no']
+    ssh_use_dns: true
+    ssh_use_pam: true
 
 - name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
   hosts: localhost

defaults/main.yml

@@ -1,6 +1,15 @@
 # true if IPv6 is needed
 network_ipv6_enable: false              # sshd + ssh
 
+# true if sshd should be started and enabled
+ssh_server_enabled: true               # sshd
+
+# true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
+ssh_use_dns: false                      # sshd
+
+# true or value if compression is needed
+ssh_compression: false                  # sshd
+
 # For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.
 ssh_client_hardening: true          # ssh
 ssh_server_hardening: true          # sshd
@@ -31,7 +40,7 @@ ssh_client_port: '22'         # ssh
 ssh_listen_to: ['0.0.0.0']    # sshd
 
 # Host keys to look for when starting sshd.
-ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']  # sshd
+ssh_host_key_files: []  # sshd
 
 # Specifies  the  maximum  number  of authentication attempts permitted per connection.  Once the number of failures reaches half this value, additional failures are logged.
 ssh_max_auth_retries: 2
@@ -57,6 +66,10 @@ ssh_allow_root_with_key: false          # sshd
 # false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
 ssh_allow_tcp_forwarding: false         # sshd
 
+# false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.
+# Set to 'clientspecified' to allow the client to specify which address to bind to.
+ssh_gateway_ports: false                # sshd
+
 # false to disable Agent Forwarding. Set to true to allow Agent Forwarding.
 ssh_allow_agent_forwarding: false       # sshd
 
@@ -78,6 +91,9 @@ ssh_deny_groups: ''      # sshd
 # if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
 ssh_allow_groups: ''      # sshd
 
+# change default file that contains the public keys that can be used for user authentication.
+ssh_authorized_keys_file: ''      # sshd
+
 # false to disable printing of the MOTD
 ssh_print_motd: false      # sshd
 
@@ -99,6 +115,14 @@ sftp_chroot_dir: /home/%u
 # enable experimental client roaming
 ssh_client_roaming: false
 
+# list of hashes (containing user and rules) to generate Match User blocks for.
+ssh_server_match_user: false            # sshd
+
+# list of hashes (containing group and rules) to generate Match Group blocks for.
+ssh_server_match_group: false           # sshd
+
+ssh_server_permit_environment_vars: false
+
 
 ssh_ps53: 'yes'
 ssh_ps59: 'sandbox'
@@ -161,8 +185,5 @@ sshd_moduli_minimum: 2048
 # disable ChallengeResponseAuthentication
 ssh_challengeresponseauthentication: false
 
-#  look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
-ssh_use_dns: false
-
 # a list of public keys that are never accepted by the ssh server
 ssh_server_revoked_keys: []

handlers/main.yml

@@ -1,2 +1,3 @@
 - name: restart sshd
   service: name={{ sshd_service_name }} state=restarted
+  when: "(ssh_server_enabled|bool)"

tasks/main.yml

@@ -9,24 +9,26 @@
 
 - name: get openssh-version
   shell: ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g'
+  args:
+    executable: /bin/sh
   changed_when: false
   register: sshd_version
   check_mode: no
 
 - name: set hostkeys according to openssh-version
   set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
-  when: sshd_version.stdout >= '5.3'
+    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
+  when: sshd_version.stdout >= '6.3' and not ssh_host_key_files
 
 - name: set hostkeys according to openssh-version
   set_fact:
     ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
-  when: sshd_version.stdout >= '6.0'
+  when: sshd_version.stdout >= '6.0' and not ssh_host_key_files
 
 - name: set hostkeys according to openssh-version
   set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
-  when: sshd_version.stdout >= '6.3'
+    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
+  when: sshd_version.stdout >= '5.3' and not ssh_host_key_files
 
 - name: create revoked_keys and set permissions to root/600
   template: src='revoked_keys.j2' dest='/etc/ssh/revoked_keys' mode=0600 owner="{{ ssh_owner }}" group="{{ ssh_group }}"
@@ -54,13 +56,14 @@
   notify: restart sshd
   when: sshd_register_moduli.stdout
 
-- name: test to see if selinux is running
+- name: test to see if selinux is installed and running
   command: getenforce
   register: sestatus
   failed_when: false
   changed_when: false
   check_mode: no
 
+<<<<<<< HEAD
 # Install the 2FA packages and setup the config in PAM and SSH
 
 - block:
@@ -101,7 +104,7 @@
     - ssh_google_auth
 
 
-- block: # only runs when selinux is running
+- block: # only runs when selinux is installed
   - name: install selinux dependencies when selinux is installed on RHEL or Oracle Linux
     package: name="{{item}}" state=installed
     with_items:
@@ -143,7 +146,7 @@
 
     when: not ssh_use_pam and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0
 
-  # The following tasks only get executed when selinux is in state enforcing, UsePam is "yes" and the ssh_password module is installed.
+  # The following tasks only get executed when selinux is installed, UsePam is "yes" and the ssh_password module is installed.
   - name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)
     command: semodule -r ssh_password
     when: ssh_use_pam and ssh_password_module.stdout.find('ssh_password') == 0