Attention: This role has been migrated to our hardening-collection:
Please open any issues and pull requests there!
| Name | Default | Description |
|------|---------|-------------|
| `network_ipv6_enable` | | Enable IPv6 support. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`). |
| `ssh_server_ports` | | Port(s) the ssh server listens on (`Port`). |
| `ssh_client_port` | `'22'` | Port the ssh client connects to (`Port` in `ssh_config`). |
| `ssh_listen_to` | | Address(es) the ssh server listens on (`ListenAddress`). |
| `ssh_host_key_files` | | Host key files used by sshd (`HostKey`). |
| `ssh_host_key_algorithms` | | Host key algorithms the server offers (`HostKeyAlgorithms`). |
| `ssh_client_alive_interval` | | Interval between keep-alive messages (`ClientAliveInterval`). |
| `ssh_client_alive_count` | | Unanswered keep-alives tolerated before the connection is dropped (`ClientAliveCountMax`). |
| `ssh_permit_tunnel` | | Allow tun device forwarding (`PermitTunnel`). |
| `ssh_remote_hosts` | | Hosts with custom options for the ssh client; see the examples in `defaults/main.yml`. |
| `ssh_permit_root_login` | | Set to `without-password` or `yes` to enable root login (`PermitRootLogin`). |
| `ssh_allow_tcp_forwarding` | `'no'` | `'no'` to disable TCP forwarding, `'yes'` to allow it. With OpenSSH >= 6.2 you can specify `'yes'`, `'no'`, `'all'` or `'local'`. `'yes'` and `'no'` must be passed with quotes, otherwise YAML turns them into booleans. |
| `ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses, `true` to force binding on the wildcard address, `clientspecified` to let the client choose which address to bind to (`GatewayPorts`). |
| `ssh_allow_agent_forwarding` | | Allow agent forwarding (`AllowAgentForwarding`). |
| `ssh_x11_forwarding` | | Allow X11 forwarding (`X11Forwarding`). |
| `ssh_pam_support` | | Whether the installed sshd was built with PAM support. |
| `ssh_use_pam` | | Enable PAM (`UsePAM`). |
| `ssh_gssapi_support` | | Whether the installed sshd was built with GSSAPI support. |
| `ssh_kerberos_support` | | Whether the installed sshd was built with Kerberos support. |
| `ssh_deny_users` | | `DenyUsers` patterns. |
| `ssh_allow_users` | | `AllowUsers` patterns. |
| `ssh_deny_groups` | | `DenyGroups` patterns. |
| `ssh_allow_groups` | | `AllowGroups` patterns. |
| `ssh_authorized_keys_file` | | `AuthorizedKeysFile` location. |
| `ssh_trusted_user_ca_keys_file` | | File holding the CA public keys trusted to sign user certificates (`TrustedUserCAKeys`). |
| `ssh_trusted_user_ca_keys` | | CA public keys written to that file. Only used if `ssh_trusted_user_ca_keys_file` is set. |
| `ssh_authorized_principals_file` | | `AuthorizedPrincipalsFile` location. Only used if `ssh_trusted_user_ca_keys_file` is set. |
| `ssh_authorized_principals` | | Principals files to write; see `default_custom.yml` for all options. Only used if `ssh_authorized_principals_file` is set. |
| `ssh_print_motd` | | `PrintMotd`. |
| `ssh_print_pam_motd` | | Print the MOTD via PAM. |
| `ssh_print_last_log` | | `PrintLastLog`. |
| `sftp_enabled` | | Enable the sftp subsystem (disabled by default, see the FAQ below). |
| `sftp_umask` | | umask for sftp sessions. |
| `sftp_chroot` | | Chroot sftp sessions. |
| `sftp_chroot_dir` | | Chroot directory for sftp sessions. |
| `ssh_client_roaming` | | Client `UseRoaming`. |
| `sshd_moduli_file` | | Path of the moduli file. |
| `sshd_moduli_minimum` | | Minimum Diffie-Hellman modulus size kept in the moduli file. |
| `ssh_challengeresponseauthentication` | | `ChallengeResponseAuthentication`. |
| `ssh_client_password_login` | | `true` to allow password-based authentication with the ssh client. |
| `ssh_server_password_login` | | `true` to allow password-based authentication with the ssh server. |
| `ssh_banner` | `false` | `true` to print a banner on login. |
| `ssh_banner_path` | | Path of the banner file. |
| `ssh_client_hardening` | `true` | `false` to skip hardening the client. |
| `ssh_client_compression` | `false` | Client `Compression`. |
| `ssh_compression` | `false` | Server `Compression`. |
| `ssh_login_grace_time` | `30s` | `LoginGraceTime`. |
| `ssh_max_auth_retries` | `2` | `MaxAuthTries`. |
| `ssh_max_sessions` | `10` | `MaxSessions`. |
| `ssh_print_debian_banner` | `false` | `true` to print the Debian-specific banner. |
| `ssh_server_enabled` | `true` | `false` to disable the opensshd server. |
| `ssh_server_hardening` | `true` | `false` to skip hardening the server. |
| `ssh_server_match_address` | | `Match Address` block. |
| `ssh_server_match_group` | | `Match Group` block. |
| `ssh_server_match_user` | | `Match User` block. |
| `ssh_server_match_local_port` | | `Match LocalPort` block. |
| `ssh_server_permit_environment_vars` | `no` | `yes` to have sshd process `~/.ssh/environment` and `environment=` options in `~/.ssh/authorized_keys`. From OpenSSH 7.8 a whitelist of environment variable names can be given instead of a global `yes` or `no` (`PermitUserEnvironment`). |
| `ssh_server_accept_env_vars` | | `AcceptEnv`. |
| `ssh_use_dns` | `false` | `UseDNS`. |
| `ssh_server_revoked_keys` | | `RevokedKeys`. |
| `ssh_max_startups` | | `MaxStartups`. |
| `ssh_macs` | | Override the MAC list; defaults found in `defaults/main.yml`. |
| `ssh_kex` | | Override the KEX list; defaults found in `defaults/main.yml`. |
| `ssh_ciphers` | | Override the cipher list; defaults found in `defaults/main.yml`. |
| `ssh_custom_options` | | Custom lines for the ssh client configuration. |
| `sshd_custom_options` | | Custom lines for the sshd configuration. |
| `sshd_syslog_facility` | | `SyslogFacility`. |
| `sshd_log_level` | | `LogLevel`. |
| `sshd_strict_modes` | | `StrictModes`. |
| `sshd_authenticationmethods` | `publickey` | `AuthenticationMethods`; defaults found in `defaults/main.yml`. |
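The following playbook is an added example, not part of the role or its README, showing how several of the variables above combine into one hardened server: IPv6 listening (which needs an IPv6 listen address, as the table notes), a group allow-list, certificate-based user authentication, and the quoting the forwarding options require. The inventory group `sshservers`, the group name `ssh-users`, the CA and principals file paths, the placeholder CA public key, and the `path`/`principals` hash keys (check `default_custom.yml` for the full set) are all assumptions; `ssh_trusted_user_ca_keys` is assumed to take one public-key line per entry.

```yaml
# Added example playbook (not from the dev-sec.ssh-hardening README).
# Assumed: group "sshservers", group "ssh-users", the file paths below, and
# the placeholder CA key, which must be replaced with your own.
- hosts: sshservers
  become: true
  roles:
    - role: dev-sec.ssh-hardening
      vars:
        # Listen on IPv4 and IPv6. Enabling IPv6 alone is not enough: the
        # listen address list must contain an IPv6 address as well.
        network_ipv6_enable: true
        ssh_listen_to: ["0.0.0.0", "[::]"]
        ssh_server_ports: ["22"]

        # Who may log in, and how: a single allow-listed group, keys only.
        ssh_allow_groups: "ssh-users"
        ssh_server_password_login: false
        ssh_client_password_login: false

        # Certificate authentication. The key list is only written when the
        # file path is set, and the principals list only when the principals
        # file path is set, so set the *_file variables first.
        ssh_trusted_user_ca_keys_file: /etc/ssh/trusted_user_ca_keys
        ssh_trusted_user_ca_keys:
          - "ssh-ed25519 AAAA...replace-with-your-user-CA-public-key user-ca"
        ssh_authorized_principals_file: /etc/ssh/auth_principals/%u
        ssh_authorized_principals:
          # Hash keys assumed from default_custom.yml; verify against your copy.
          - path: /etc/ssh/auth_principals/deploy
            principals:
              - deploy

        # Forwarding: 'no'/'yes' must stay quoted so YAML keeps them as
        # strings rather than converting them to booleans.
        ssh_allow_tcp_forwarding: 'no'
        ssh_gateway_ports: false
        ssh_allow_agent_forwarding: false
        ssh_x11_forwarding: false

        # Extra sshd_config lines; the role writes them at the top of the file.
        sshd_custom_options:
          - "AcceptEnv LANG"
```

Because the principals file path uses the `%u` token, each user gets a separate principals file, and a certificate is only accepted when one of its principals appears in that user's file.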
If you want to configure ssh options that are not listed above, you can use `ssh_custom_options` (for `/etc/ssh/ssh_config`) or `sshd_custom_options` (for `/etc/ssh/sshd_config`) to set them. These options are written at the beginning of the file, so they take precedence over options set further down in the file.
Example playbook:
```yaml
- hosts: localhost
  roles:
    - dev-sec.ssh-hardening
  vars:
    ssh_custom_options:
      - "Include /etc/ssh/ssh_config.d/*"
    sshd_custom_options:
      - "AcceptEnv LANG"
```
This role uses the default port 22, or the port configured in the inventory, to connect to the server. If the ssh port is changed via `ssh_server_ports`, Ansible will still try to connect using the previous port once the ssh server has been restarted. In order to run this role again on the same server, the inventory has to be updated to use the new ssh port.
If idempotency is important, please consider using the role ssh-hardening-fallback, which is a wrapper around this role that falls back to port 22 if the configured port is unreachable.
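One way to keep a plain playbook re-runnable across the port change without the fallback role, as an added example that is not part of the role or its README: probe the hardened port from the controller first and switch `ansible_port` only if it already answers, so the same playbook works both before and after the first run. The inventory group `sshservers`, the port 2222 and the two-play layout are assumptions.

```yaml
# Added example (not from the dev-sec.ssh-hardening README).
# Assumed: group "sshservers" and 2222 as the hardened port.
- hosts: sshservers
  gather_facts: false          # facts need a connection; we pick the port first
  vars:
    hardened_ssh_port: 2222
  tasks:
    - name: Probe the hardened port from the controller
      wait_for:
        host: "{{ ansible_host | default(inventory_hostname) }}"
        port: "{{ hardened_ssh_port }}"
        timeout: 5
      delegate_to: localhost
      register: hardened_port_probe
      ignore_errors: true        # a closed port just means the role has not run yet

    - name: Connect on the hardened port if it answers, otherwise on 22
      set_fact:
        ansible_port: "{{ hardened_ssh_port if hardened_port_probe is succeeded else 22 }}"

    - name: Gather facts now that the connection port is known
      setup:

# set_fact results persist across plays, so the role play below inherits
# ansible_port and connects on whichever port answered above.
- hosts: sshservers
  become: true
  vars:
    hardened_ssh_port: 2222
  roles:
    - role: dev-sec.ssh-hardening
      vars:
        ssh_server_ports: ["{{ hardened_ssh_port }}"]
        ssh_client_port: "{{ hardened_ssh_port }}"
```

The probe is a plain TCP connect, so it also succeeds when something other than sshd answers on the hardened port; on a host where that is possible, the fallback role's reachability check is the safer choice.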
```yaml
- hosts: localhost
  roles:
    - dev-sec.ssh-hardening
```
The preferred way of testing the role locally is to use Docker. You will have to install Docker on your system. See Get started for a Docker package suitable for your system.
You can also use Vagrant and VirtualBox or VMware to run tests locally. You will have to install VirtualBox and Vagrant on your system. See Vagrant Downloads for a Vagrant package suitable for your system. For all our tests we use test-kitchen. If you are not familiar with test-kitchen, please have a look at their guide.
Next install test-kitchen and run the tests with Docker:
```shell
# Install dependencies
gem install bundler
bundle install
# fast test on one machine
bundle exec kitchen test ssh-ubuntu1804-ansible-latest
# test on all machines
bundle exec kitchen test
# for development
bundle exec kitchen create ssh-ubuntu1804-ansible-latest
bundle exec kitchen converge ssh-ubuntu1804-ansible-latest
bundle exec kitchen verify ssh-ubuntu1804-ansible-latest
# cleanup
bundle exec kitchen destroy ssh-ubuntu1804-ansible-latest
```
With Vagrant, point test-kitchen at the Vagrant configuration via `KITCHEN_YAML`:
```shell
# fast test on one machine
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test ssh-ubuntu-1804
# test on all machines
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test
# for development
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create ssh-ubuntu-1804
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge ssh-ubuntu-1804
```
For more information see test-kitchen.
I can't log into my account. I have registered the client key, but it still doesn't let me in.
If you have exhausted all typical issues (firewall, network, key missing, wrong key, account disabled etc.), it may be that your account is locked. The quickest way to find out is to look at the password hash for your user:
```shell
sudo grep myuser /etc/shadow
```
If the hash field starts with an `!`, your account is locked:
```
myuser:!:16280:7:60:7:::
```
The proper way to solve this is to unlock the account (`passwd -u myuser`). If the user has no password, you can unlock it via:
```shell
usermod -p "*" myuser
```
Alternatively, if you intend to use PAM, enable it via `ssh_use_pam: true`. With PAM enabled, locked users can still log in with keys, because sshd then leaves the account check to PAM instead of rejecting the `!`-locked entry itself.
Why doesn't my application connect via SSH anymore?
Always look into the log files first and, if possible, at the algorithm negotiation between client and server that takes place when connecting (`ssh -vv` on the client side shows it).
We have seen issues in applications (based on Python and Ruby) that are due to their use of an outdated crypto set. This collides with this hardening module, which reduces the list of ciphers, message authentication codes (MACs) and key exchange (KEX) algorithms to a more secure selection; if the client supports none of the algorithms the server still offers, the connection fails before authentication.
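To catch this before an application breaks, the following added example (not part of the role or its README) reads the algorithm lists sshd actually offers after hardening, via `sshd -T`, and fails the play if algorithms a legacy client still needs are missing. The inventory group `sshservers` and the three `required_*` lists are assumptions standing in for whatever the application's SSH library supports; the sshd keyword names `ciphers`, `kexalgorithms` and `macs` are the ones `sshd -T` prints.

```yaml
# Added example (not from the dev-sec.ssh-hardening README).
# Assumed: group "sshservers"; the required_* lists are placeholders for the
# algorithms your application's SSH library can speak.
- hosts: sshservers
  become: true
  vars:
    required_ciphers: ["aes256-ctr"]
    required_kex: ["diffie-hellman-group-exchange-sha256"]
    required_macs: ["hmac-sha2-256"]
  tasks:
    - name: Dump the effective sshd configuration (root is needed to read host keys)
      command: sshd -T
      register: sshd_effective
      changed_when: false

    - name: Extract the offered algorithm lists from the dump
      # Each relevant line looks like "ciphers alg1,alg2,..."; take the line,
      # drop the keyword, and split the comma-separated algorithm list.
      set_fact:
        offered_ciphers: "{{ (sshd_effective.stdout_lines | select('match', '^ciphers ') | first).split(' ')[1].split(',') }}"
        offered_kex: "{{ (sshd_effective.stdout_lines | select('match', '^kexalgorithms ') | first).split(' ')[1].split(',') }}"
        offered_macs: "{{ (sshd_effective.stdout_lines | select('match', '^macs ') | first).split(' ')[1].split(',') }}"

    - name: Refuse to continue if a required algorithm is not offered
      assert:
        that:
          - required_ciphers | difference(offered_ciphers) | length == 0
          - required_kex | difference(offered_kex) | length == 0
          - required_macs | difference(offered_macs) | length == 0
        fail_msg: >-
          sshd offers ciphers={{ offered_ciphers | join(',') }}
          kex={{ offered_kex | join(',') }} macs={{ offered_macs | join(',') }};
          extend ssh_ciphers / ssh_kex / ssh_macs in the role or update the client library.
```

Prefer updating the client over widening the server lists: every algorithm added to `ssh_ciphers`, `ssh_kex` or `ssh_macs` is offered to every client, not only to the one legacy application.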
After using the role, Ansible's template/copy/file modules do not work anymore!
This role disables SFTP by default, and Ansible uses SFTP by default to transfer files to the remote hosts. Set `scp_if_ssh = True` in the `[ssh_connection]` section of your ansible.cfg so that Ansible uses SCP to copy files (on ansible-core releases that have deprecated `scp_if_ssh`, set `ssh_transfer_method = scp` in the same section instead). Alternatively you can enable SFTP again by setting `sftp_enabled` to `true`.
Cannot restart sshd service due to lack of privileges
If you get one of the following errors when running the handler "restart sshd":
```
Unable to restart service ssh: Failed to restart ssh.service: Access denied
```
or
```
failure 1 running systemctl show for 'ssh': Failed to connect to bus: No such file or directory
```
either run the playbook as root (without `become: yes` at the playbook level), or add `become: yes` to the handler.
This is a bug with Ansible: see here and here for more information.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.