Merge branch 'master' into feature/2fa_auth

Author: lazzurs

.kitchen.yml

@@ -9,10 +9,6 @@ driver:
 transport:
   max_ssh_sessions: 5
 
-transport:
-  max_ssh_sessions: 5
-
-
 provisioner:
   name: ansible_playbook
   hosts: all
@@ -26,6 +22,7 @@ provisioner:
   http_proxy: <%= ENV['http_proxy'] || nil %>
   https_proxy: <%= ENV['https_proxy'] || nil %>
   playbook: default.yml
+  ansible_diff: true
   ansible_extra_flags:
     - "--skip-tags=sysctl"
 

CHANGELOG.md

@@ -1,5 +1,18 @@
 # Change Log
 
+## [4.3.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.3.0) (2017-08-03)
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.2.0...4.3.0)
+
+**Implemented enhancements:**
+
+- Fix ansible.cfg settings [\#122](https://github.com/dev-sec/ansible-ssh-hardening/pull/122) ([fazlearefin](https://github.com/fazlearefin))
+- Finish 94 [\#116](https://github.com/dev-sec/ansible-ssh-hardening/pull/116) ([rndmh3ro](https://github.com/rndmh3ro))
+
+**Merged pull requests:**
+
+- Don't overwrite ssh\_host\_key\_files if set manually [\#125](https://github.com/dev-sec/ansible-ssh-hardening/pull/125) ([oakey-b1](https://github.com/oakey-b1))
+- Add comment filter to {{ansible\_managed}} string [\#121](https://github.com/dev-sec/ansible-ssh-hardening/pull/121) ([fazlearefin](https://github.com/fazlearefin))
+
 ## [4.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.2.0) (2017-06-30)
 [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.2...4.2.0)
 
@@ -187,29 +200,29 @@
 - sftp\_enable option [\#41](https://github.com/dev-sec/ansible-ssh-hardening/pull/41) ([fitz123](https://github.com/fitz123))
 
 ## [1.2.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.1) (2015-10-16)
-[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.1)
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2.1)
 
 **Merged pull requests:**
 
 - Allow whitelisted groups on ssh [\#40](https://github.com/dev-sec/ansible-ssh-hardening/pull/40) ([fheinle](https://github.com/fheinle))
 
-## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28)
-[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2)
-
 ## [1.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.0) (2015-09-28)
-[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1...1.2.0)
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.0)
+
+## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28)
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.2)
 
 **Merged pull requests:**
 
 - bugfix. Now option true for PrintLastLog is available again [\#39](https://github.com/dev-sec/ansible-ssh-hardening/pull/39) ([fitz123](https://github.com/fitz123))
 - Add more travis-tests [\#38](https://github.com/dev-sec/ansible-ssh-hardening/pull/38) ([rndmh3ro](https://github.com/rndmh3ro))
 - Support for selinux and pam. fix \#23 [\#35](https://github.com/dev-sec/ansible-ssh-hardening/pull/35) ([rndmh3ro](https://github.com/rndmh3ro))
 
-## [1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1) (2015-09-01)
-[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.1)
-
 ## [1.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1.0) (2015-09-01)
-[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.0.0...1.1.0)
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1...1.1.0)
+
+## [1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1) (2015-09-01)
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.0.0...1.1)
 
 **Closed issues:**
 

README.md

@@ -27,7 +27,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_server_ports` | ['22'] |ports on which ssh-server should listen|
 |`ssh_client_port` | '22' |port to which ssh-client should connect|
 |`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!|
-|`ssh_host_key_files` | ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key'] |Host keys to look for when starting sshd.|
+|`ssh_host_key_files` | [] |Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version|
 |`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages |
 |`ssh_client_alive_count` | 3 | defines how often keep-alive messages are sent |
 |`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required |
@@ -50,6 +50,18 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
 |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
 |`ssh_google_auth` | false | `true` to enable google authenticator based TOTP 2FA |
+|`ssh_banner` | `false` | `true` to print a banner on login |
+|`ssh_client_hardening` | `true` | `false` to stop harden the client |
+|`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. |
+|`ssh_compression` | `false` | Specifies whether compression is enabled after the user has authenticated successfully. |
+|`ssh_max_auth_retries` | `2` | Specifies the maximum number of authentication attempts permitted per connection. |
+|`ssh_print_debian_banner` | `false` | `true` to print debian specific banner |
+|`ssh_server_enabled` | `true` | `false` to disable the opensshd server |
+|`ssh_server_hardening` | `true` | `false` to stop harden the server |
+|`ssh_server_match_group` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
+|`ssh_server_match_user` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
+|`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd |
+|`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
 |`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
 
 ## Example Playbook

ansible.cfg

@@ -8,7 +8,8 @@
 # finds first
 
 [defaults]
-ansible_managed = Ansible managed: {file} modified on %Y-%m-%d by {uid} on {host}
+ansible_managed = Ansible managed: {file} modified by {uid} on {host}
+roles_path = /vagrant
 
-role_path = /vagrant
+[ssh_connection]
 scp_if_ssh = True

default.yml

@@ -18,15 +18,42 @@
   vars:
     network_ipv6_enable: true
     ssh_allow_root_with_key: true
+    ssh_allow_tcp_forwarding: true
+    ssh_allow_agent_forwarding: true
+    ssh_server_permit_environment_vars: 'PWD'
+    ssh_client_alive_interval: 100
+    ssh_client_alive_count: 10
     ssh_client_password_login: true
     ssh_client_cbc_required: true
-    ssh_server_weak_hmac: true
     ssh_client_weak_kex: true
+    ssh_challengeresponseauthentication: true
+    ssh_compression: true
+    ssh_allow_users: 'root kitchen vagrant'
+    ssh_allow_groups: 'root kitchen vagrant'
+    ssh_deny_users: 'foo bar'
+    ssh_deny_groups: 'foo bar'
+    ssh_max_auth_retries: 10
+    ssh_permit_tunnel: true
+    ssh_print_motd: true
+    ssh_print_last_log: true
+    ssh_banner: true
+    ssh_server_password_login: true
+    ssh_server_enabled: false
+    ssh_server_weak_hmac: true
+    sftp_enabled: true
+    ssh_server_match_group:
+      - group: 'root'
+        rules: 'AllowTcpForwarding yes'
+    ssh_server_match_user:
+      - user: 'root'
+        rules: 'AllowTcpForwarding yes'
     ssh_remote_hosts:
       - names: ['example.com', 'example2.com']
         options: ['Port 2222', 'ForwardAgent yes']
       - names: ['example3.com']
         options: ['StrictHostKeyChecking no']
+    ssh_use_dns: true
+    ssh_use_pam: true
 
 - name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
   hosts: localhost

defaults/main.yml

@@ -1,6 +1,15 @@
 # true if IPv6 is needed
 network_ipv6_enable: false              # sshd + ssh
 
+# true if sshd should be started and enabled
+ssh_server_enabled: true               # sshd
+
+# true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
+ssh_use_dns: false                      # sshd
+
+# true or value if compression is needed
+ssh_compression: false                  # sshd
+
 # For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.
 ssh_client_hardening: true          # ssh
 ssh_server_hardening: true          # sshd
@@ -31,7 +40,7 @@ ssh_client_port: '22'         # ssh
 ssh_listen_to: ['0.0.0.0']    # sshd
 
 # Host keys to look for when starting sshd.
-ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']  # sshd
+ssh_host_key_files: []  # sshd
 
 # Specifies  the  maximum  number  of authentication attempts permitted per connection.  Once the number of failures reaches half this value, additional failures are logged.
 ssh_max_auth_retries: 2
@@ -99,6 +108,14 @@ sftp_chroot_dir: /home/%u
 # enable experimental client roaming
 ssh_client_roaming: false
 
+# list of hashes (containing user and rules) to generate Match User blocks for.
+ssh_server_match_user: false            # sshd
+
+# list of hashes (containing group and rules) to generate Match Group blocks for.
+ssh_server_match_group: false           # sshd
+
+ssh_server_permit_environment_vars: false
+
 
 ssh_ps53: 'yes'
 ssh_ps59: 'sandbox'

handlers/main.yml

@@ -1,2 +1,3 @@
 - name: restart sshd
   service: name={{ sshd_service_name }} state=restarted
+  when: "(ssh_server_enabled|bool)"

tasks/main.yml

@@ -15,18 +15,18 @@
 
 - name: set hostkeys according to openssh-version
   set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
-  when: sshd_version.stdout >= '5.3'
+    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
+  when: sshd_version.stdout >= '6.3' and not ssh_host_key_files
 
 - name: set hostkeys according to openssh-version
   set_fact:
     ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
-  when: sshd_version.stdout >= '6.0'
+  when: sshd_version.stdout >= '6.0' and not ssh_host_key_files
 
 - name: set hostkeys according to openssh-version
   set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
-  when: sshd_version.stdout >= '6.3'
+    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
+  when: sshd_version.stdout >= '5.3' and not ssh_host_key_files
 
 - name: create revoked_keys and set permissions to root/600
   template: src='revoked_keys.j2' dest='/etc/ssh/revoked_keys' mode=0600 owner="{{ ssh_owner }}" group="{{ ssh_group }}"

templates/opensshd.conf.j2

@@ -7,15 +7,15 @@
 # ===================
 
 # Either disable or only allowssh root login via certificates.
-PermitRootLogin {{ 'without-password' if ssh_allow_root_with_key else 'no' }}
+PermitRootLogin {{ 'without-password' if (ssh_allow_root_with_key|bool) else 'no' }}
 
 # Define which port sshd should listen to. Default to `22`.
 {% for port in ssh_server_ports -%}
 Port {{port}}
 {% endfor %}
 
 # Address family should always be limited to the active network configuration.
-AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }}
+AddressFamily {{ 'any' if (network_ipv6_enable|bool) else 'inet' }}
 
 # Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
 {% for address in ssh_listen_to -%}
@@ -113,7 +113,6 @@ LogLevel VERBOSE
 UseLogin no
 UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
 
-PermitUserEnvironment no
 LoginGraceTime 30s
 MaxAuthTries {{ssh_max_auth_retries}}
 MaxSessions 10
@@ -128,16 +127,16 @@ IgnoreUserKnownHosts yes
 HostbasedAuthentication no
 
 # Enable PAM to enforce system wide rules
-UsePAM {{ 'yes' if ssh_use_pam else 'no' }}
+UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }}
 {% if ssh_google_auth %}
 # Force public key auth then ask for google auth code
 AuthenticationMethods publickey,keyboard-interactive
 {% endif %}
 
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
-PasswordAuthentication {{ 'yes' if ssh_server_password_login else 'no' }}
+PasswordAuthentication {{ 'yes' if (ssh_server_password_login|bool) else 'no' }}
 PermitEmptyPasswords no
-ChallengeResponseAuthentication {{ 'yes' if ssh_challengeresponseauthentication else 'no' }}
+ChallengeResponseAuthentication {{ 'yes' if (ssh_challengeresponseauthentication|bool) else 'no' }}
 
 # Only enable Kerberos authentication if it is configured.
 KerberosAuthentication no
@@ -177,15 +176,15 @@ ClientAliveInterval {{ssh_client_alive_interval}}
 ClientAliveCountMax {{ssh_client_alive_count}}
 
 # Disable tunneling
-PermitTunnel {{ 'yes' if ssh_permit_tunnel else 'no' }}
+PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
 
 # Disable forwarding tcp connections.
 # no real advantage without denied shell access
-AllowTcpForwarding {{ 'yes' if ssh_allow_tcp_forwarding else 'no' }}
+AllowTcpForwarding {{ 'yes' if (ssh_allow_tcp_forwarding|bool) else 'no' }}
 
 # Disable agent formwarding, since local agent could be accessed through forwarded connection.
 # no real advantage without denied shell access
-AllowAgentForwarding {{ 'yes' if ssh_allow_agent_forwarding else 'no' }}
+AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }}
 
 # Do not allow remote port forwardings to bind to non-loopback addresses.
 GatewayPorts no
@@ -194,34 +193,50 @@ GatewayPorts no
 X11Forwarding no
 X11UseLocalhost yes
 
-# Look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
-UseDNS {{ 'yes' if ssh_use_dns else 'no' }}
+# User environment configuration
+# ==============================
+
+{% if ssh_server_permit_environment_vars %}
+PermitUserEnvironment yes
+{% for item in ssh_server_permit_environment_vars %}
+AcceptEnv {{ item }}
+{% endfor %}
+{% else %}
+PermitUserEnvironment no
+{% endif %}
 
 # Misc. configuration
 # ===================
 
-PrintMotd {{ 'yes' if ssh_print_motd else 'no' }}
+Compression {{ 'yes' if (ssh_compression|bool) else 'no' }}
+
+UseDNS {{ 'yes' if (ssh_use_dns|bool) else 'no' }}
+
+PrintMotd {{ 'yes' if (ssh_print_motd|bool) else 'no' }}
 
 {% if ansible_os_family != 'FreeBSD' %}
-PrintLastLog {{ 'yes' if ssh_print_last_log else 'no' }}
+PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }}
 {% endif %}
 
-Banner {{ '/etc/ssh/banner.txt' if ssh_banner else 'none' }}
+Banner {{ '/etc/ssh/banner.txt' if (ssh_banner|bool) else 'none' }}
 
 {% if ansible_os_family == 'Debian' %}
-DebianBanner {{ 'yes' if ssh_print_debian_banner else 'no' }}
+DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }}
 {% endif %}
 
 # Reject keys that are explicitly blacklisted
 RevokedKeys /etc/ssh/revoked_keys
 
 {% if sftp_enabled %}
+# SFTP matching configuration
+# ===========================
 # Configuration, in case SFTP is used
-## override default of no subsystems
-## Subsystem sftp /opt/app/openssh5/libexec/sftp-server
+# override default of no subsystems
+# Subsystem sftp /opt/app/openssh5/libexec/sftp-server
+
 Subsystem sftp internal-sftp -l INFO -f LOCAL6
-#
-## These lines must appear at the *end* of sshd_config
+
+# These lines must appear at the *end* of sshd_config
 Match Group sftponly
 ForceCommand internal-sftp -l INFO -f LOCAL6
 ChrootDirectory {{ sftp_chroot_dir }}
@@ -231,3 +246,24 @@ PasswordAuthentication no
 PermitRootLogin no
 X11Forwarding no
 {% endif %}
+
+{% if ssh_server_match_group %}
+# Group matching configuration
+# ============================
+
+{% for item in ssh_server_match_group %}
+Match Group {{ item.group }}
+    {{ item.rules | indent(4) }}
+{% endfor %}
+{% endif %}
+
+
+{% if ssh_server_match_user %}
+# User matching configuration
+# ===========================
+
+{% for item in ssh_server_match_user %}
+Match User {{ item.user }}
+    {{ item.rules | indent(4) }}
+{% endfor %}
+{% endif %}