bigip_device_sshd enhancement to manage cipher, mac and kex

[mitch-geht-ab]

Is your feature request related to a problem? Please describe.

Company compliance is getting stricter. For example CBC ciphers has to be disabled as well as kex etc.

Describe the solution you'd like

Would expect that I can manage sshd cipher, kex and mac with the bigip_device_sshd module. As described for tmsh in

• K25523031: Disable CBC ciphers mode in SSHD
• K80425458: Modifying the list of ciphers and MAC and key exchange algorithms used by the SSH service on the BIG-IP or BIG-IQ systems

in ansible (comparable with the bigip_device_httpd)

- name: Set the cipher for the SSHD service by list
  bigip_device_sshd:
    ciphers:
      - aes128-ctr
      - aes192-ctr
      - ...
    provider:
...

- name: Set the mac for the SSHD service by list
  bigip_device_sshd:
    mac:
      - hmac-sha1
      - hmac-ripemd160
      - ...
    provider:
...

- name: Set the kex for the SSHD service by list
  bigip_device_sshd:
    kex:
      - ecdh-sha2-nistp256
      - ecdh-sha2-nistp384
      - ...
    provider:
...

Describe alternatives you've considered

The alternative I've to use is bigip_command where you wrote

It is intended as a stop-gap measure to satisfy automation requirements until such a time as a real module has been developed to configure in the way you need. If you are using this module, we recommend also filing an issue to have a real module created for your needs.

[trinaths]

@mitch-geht-ab We can handle with AS3, see https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#tls-client

Hope this helps. Closing this issue.

[mitch-geht-ab]

@trinaths Thought AS3 is for VirtualServer? And you reference to TLS. I mean "sshd" in context of the management sshd process of the BigIP and not TLS nor VS. Comparable to f5networks.f5_modules.bigip_device_httpd

[trinaths]

@mitch-geht-ab - Got it. reopening this issue for further review.

[mitch-geht-ab]

Hi F5 team, is there a date where we can expect an ansible f5 module for the sshd daemon?

[KrithikaChidambaram]

Hi, have you tried to using Declarative Onboarding with Terraform?

Here is the documentation related to TF and DO: https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/declarations/auth.html#configuring-sshd-settings-in-a-declaration https://clouddocs.f5.com/products/orchestration/ansible/devel/f5_bigip/modules_2_0/bigip_do_deploy_module.html#bigip-do-deploy-module-2

Thanks!

[mitch-geht-ab]

Hi @KrithikaChidambaram, As it is an iSeries (hardware), TF is not an option.

I'm right, that you recomend to upgrade from ansible f5_modules Collection to ansible f5_bigip Collection and use a mix of ansible (f5_bigip.bigip_do_deploy) and DO? Why is there no SSHD module in f5_bigip Collection? Or is it planed to use the f5_bigip Collection only as a kind of broker for DO declarations? So I can use f5_big ip for hardware and Terraform for VE/Cloud?

BR