2021-04-10 22:11:19 +02:00
---
# vim: set expandtab tabstop=2 shiftwidth=2:
2024-01-14 22:32:35 +01:00
- name : 'check sshd include option'
2024-03-28 12:10:26 +01:00
tags : sshd
2024-01-14 22:32:35 +01:00
command : 'sshd -o "include /dev/null"'
register : sshd_include_option_check
failed_when : 'sshd_include_option_check.rc not in [1,255] or sshd_include_option_check.stderr not in ["Include directive not supported as a command-line option", "command-line: line 0: Bad configuration option: include"]'
2024-03-25 23:18:47 +01:00
- name : Use only supported Ciphers, Kex Algorithms and Macs of the configured ones
2024-03-28 12:10:26 +01:00
tags : sshd
2024-03-25 23:18:47 +01:00
set_fact :
sshd_ciphers_ : '{{cd|join(",")}}'
sshd_kex_algorithms_ : '{{kd|join(",")}}'
sshd_macs_ : '{{md|join(",")}}'
2024-01-14 22:50:16 +01:00
sshd_include_option : '{{sshd_include_option_check.stderr == "Include directive not supported as a command-line option"}}'
2024-03-25 23:18:47 +01:00
vars :
ca : '{{ sshd_ciphers }}'
cb : '{{ ca | type_debug }}'
cc : '{% if "list" == cb %}{{ ca }}{% elif "str" == cb %}{{ ca.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}'
cd : "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q cipher').split( '\n') | intersect( cc) }}"
ka : '{{ sshd_kex_algorithms }}'
kb : '{{ ka | type_debug }}'
kc : '{% if "list" == kb %}{{ ka }}{% elif "str" == kb %}{{ ka.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}'
kd : "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q kex').split( '\n') | intersect( kc) }}"
ma : '{{ sshd_macs }}'
mb : '{{ ma | type_debug }}'
mc : '{% if "list" == mb %}{{ ma }}{% elif "str" == mb %}{{ ma.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}'
md : "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q mac').split( '\n') | intersect( mc) }}"
failed_when :
- '[] == sshd_ciphers_'
- '[] == sshd_kex_algorithms_'
- '[] == sshd_macs_'
2024-01-14 22:32:35 +01:00
- when : 'true == sshd_include_option'
2024-03-28 12:10:26 +01:00
tags : sshd
2024-01-14 22:32:35 +01:00
block :
- name : '/etc/ssh/sshd_config.d'
2024-03-28 12:10:26 +01:00
tags : sshd
2024-01-14 22:32:35 +01:00
file :
2024-01-14 22:53:43 +01:00
state : directory
path : '/etc/ssh/sshd_config.d'
2024-01-14 22:32:35 +01:00
owner : root
group : root
2024-09-20 00:06:21 +02:00
mode : 0755
2024-01-14 22:32:35 +01:00
- name : 'sshd_config.d/99-default.conf'
2024-03-28 12:10:26 +01:00
tags : sshd
2024-01-14 22:32:35 +01:00
template :
src : 'sshd-default.conf.j2'
dest : '/etc/ssh/sshd_config.d/99-default.conf'
owner : root
group : root
mode : 0644
- lineinfile :
path : /etc/ssh/sshd_config
insertbefore : BOF
2024-09-22 15:45:21 +02:00
regexp : '^\s*[iI]nclude\s+/etc/ssh/sshd_config.d/'
line : 'Include /etc/ssh/sshd_config.d/*.conf'
2024-01-14 22:32:35 +01:00
firstmatch : true
2024-03-28 12:10:26 +01:00
tags : sshd
2024-01-14 22:32:35 +01:00
- when : 'false == sshd_include_option'
2024-03-28 12:10:26 +01:00
tags : sshd
2024-01-14 13:13:57 +01:00
block :
- name : sshd_config
2024-03-28 12:10:26 +01:00
tags : sshd
2024-01-14 13:13:57 +01:00
lineinfile :
2024-01-14 21:05:02 +01:00
path : /etc/ssh/sshd_config
2024-01-14 13:13:57 +01:00
insertafter : '^\s*#\s*{{item.key}}\s+'
2024-01-14 21:05:02 +01:00
regexp : '^\s*{{item.key}}\s'
line : '{{item.key}} {{item.value}}'
2024-01-14 13:13:57 +01:00
with_dict :
2024-01-14 21:49:26 +01:00
Port : '{{sshd_port|default(22)}}'
PermitRootLogin : '{{sshd_permit_root_login}}'
2024-01-14 13:13:57 +01:00
StrictModes : 'yes'
PubkeyAuthentication : 'yes'
2024-01-14 23:23:27 +01:00
KerberosAuthentication : '{{sshd_kerberos_authentication}}'
GSSAPIAuthentication : '{{sshd_gssapi_authentication}}'
2024-01-14 13:13:57 +01:00
TCPKeepAlive : 'yes'
2024-03-25 23:18:47 +01:00
Ciphers : '{{sshd_ciphers_}}'
MACs : '{{sshd_macs_}}'
KexAlgorithms : '{{sshd_kex_algorithms_}}'
2024-01-14 13:13:57 +01:00
- name : sshd_config
2024-03-28 12:10:26 +01:00
tags : sshd
2024-01-14 13:13:57 +01:00
lineinfile :
2024-01-14 21:05:02 +01:00
path : /etc/ssh/sshd_config
2024-01-14 13:13:57 +01:00
insertbefore : '\s*#?\s*HostKey\s+'
2024-01-14 21:05:02 +01:00
regexp : '^# HostKeys for protocol'
line : '# HostKeys for protocol'
2024-01-14 13:13:57 +01:00
- name : sshd_config - prefer ed25519
2024-03-28 12:10:26 +01:00
tags : sshd
2024-01-14 13:13:57 +01:00
lineinfile :
2024-01-14 21:05:02 +01:00
path : /etc/ssh/sshd_config
2024-01-14 13:13:57 +01:00
insertafter : '^# HostKeys for protocol'
2024-01-14 21:05:02 +01:00
regexp : '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$'
line : 'HostKey /etc/ssh/ssh_host_ed25519_key'
2024-01-14 13:13:57 +01:00
- name : sshd_config - fallback rsa
2024-03-28 12:10:26 +01:00
tags : sshd
2024-01-14 13:13:57 +01:00
lineinfile :
2024-01-14 21:05:02 +01:00
path : /etc/ssh/sshd_config
2024-01-14 13:13:57 +01:00
insertafter : '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$'
2024-01-14 21:05:02 +01:00
regexp : '^\s*HostKey\s+/etc/ssh/ssh_host_rsa_key\s*$'
line : 'HostKey /etc/ssh/ssh_host_rsa_key'
2024-01-14 13:13:57 +01:00
- name : 'sshd_config - absent dsa / ecdsa'
2024-03-28 12:10:26 +01:00
tags : sshd
2024-01-14 13:13:57 +01:00
lineinfile :
2024-01-14 21:05:02 +01:00
path : /etc/ssh/sshd_config
state : absent
2024-01-14 13:13:57 +01:00
regexp : '{{item}}'
with_list :
- '^\s*HostKey\s+/etc/ssh/ssh_host_dsa_key\s*$'
- '^\s*HostKey\s+/etc/ssh/ssh_host_ecdsa_key\s*$'