UOS-RZ / secure_sshd

Ansible role to harden the sshd configuration
BSD 3-Clause "New" or "Revised" License

This Ansible role changes an existing sshd configuration so that it uses only secure cryptographic algorithms.

Example playbook

Add this role to the requirements.yml and install it:

- src: https://github.com/UOS-RZ/secure_sshd.git
  scm: git
  version: 1.1.0

Then include the role in your playbook:

- hosts: all
  become: true
  roles:
    - role: secure_sshd

For a full example playbook with step-by-step instructions, take a look at

Configuration options

Take a look at the defaults to see what variables you can set.

Check crypto algorithms

You can manually check which crypto algorithms your ssh version supports.

Key exchange

ssh -Q kex

Ciphers

ssh -Q cipher

MAC

ssh -Q mac
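
The `ssh -Q` lists show what the binary supports, not what the server actually enables. The following added example (not part of this role) audits the effective settings as printed by `sshd -T`; the deny patterns, function names and sample input are assumptions made for illustration, not the role's defaults.

```shell
#!/bin/sh
# Added example: flag weak algorithms in `sshd -T` style output.
# The deny patterns are illustrative assumptions, not this role's defaults.

# is_weak ALGO: succeed if the algorithm name matches a deny pattern.
is_weak() {
    case "$1" in
        *-cbc|*-cbc@*|arcfour*|3des*) return 0 ;;  # CBC-mode and legacy ciphers
        *md5*|hmac-sha1*|umac-64*)    return 0 ;;  # MD5, SHA-1 and 64-bit-tag MACs
        *-sha1)                       return 0 ;;  # SHA-1 based key exchange
        *)                            return 1 ;;
    esac
}

# audit_sshd_config: read effective sshd settings on stdin, print
# "<keyword> <algorithm>" per weak entry, return 1 if any was found.
audit_sshd_config() {
    found=0
    while read -r key value || [ -n "$key" ]; do
        case "$key" in
            ciphers|macs|kexalgorithms) ;;
            *) continue ;;
        esac
        old_ifs=$IFS; IFS=,
        for algo in $value; do
            if is_weak "$algo"; then
                printf '%s %s\n' "$key" "$algo"
                found=1
            fi
        done
        IFS=$old_ifs
    done
    return "$found"
}

# Constructed sample of `sshd -T` output (not taken from a real host).
sample_sshd_t() {
    cat <<'EOF'
port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-cbc
macs hmac-sha2-512-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
EOF
}

# Demo on the sample; on a host, run as root: sshd -T | audit_sshd_config
sample_sshd_t | audit_sshd_config || echo "weak algorithms enabled"
```

A non-zero exit status makes the function usable as a post-deployment check in CI or as a follow-up task after the role has run.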

Tools to check settings

You can check the SSH settings with the following tools.

nmap

nmap -p22 -n -sV --script ssh2-enum-algos <IP-ADDRESS>

SSH-Audit

License

BSD-3-Clause

Author information

Sources