From b14582103ef5c3919d7034fc921b663effeb6e33 Mon Sep 17 00:00:00 2001
From: Denis Knauf
Date: Sun, 14 Jan 2024 13:13:57 +0100
Subject: [PATCH] sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf

---
defaults/main.yml | 13 +++--
tasks/sshd_config.yml | 96 +++++++++++++++++++---------------
templates/sshd-default.conf.j2 | 11 ++++
3 files changed, 73 insertions(+), 47 deletions(-)
create mode 100644 templates/sshd-default.conf.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index 0dacb15..8e806fc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,4 +1,9 @@
-has_hwrng: '{{ansible_virtualization_role != "guest" and ansible_local.devices.hwrng }}'
-is_virt_guest: '{{ansible_virtualization_role == "guest"}}'
-is_container: '{{ansible_virtualization_role == "guest" and ansible_virtualization_type == "lxc"}}'
-sys_default_users: []
+has_hwrng: '{{ansible_virtualization_role != "guest" and ansible_local.devices.hwrng }}'
+is_virt_guest: '{{ansible_virtualization_role == "guest"}}'
+is_container: '{{ansible_virtualization_role == "guest" and ansible_virtualization_type == "lxc"}}'
+sys_default_users: []
+ssh_permit_root_login: 'prohibit-password'
+ssh_ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
+ssh_macs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
+ssh_kex_algorithms: 'curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256'
+ssh_host_keys: [/etc/ssh/ssh_host_ed25519_key, /etc/ssh/ssh_host_rsa_key]
diff --git a/tasks/sshd_config.yml b/tasks/sshd_config.yml
index 6d387ca..904100a 100644
--- a/tasks/sshd_config.yml
+++ b/tasks/sshd_config.yml
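Review bot: The new template only emits KerberosAuthentication and GSSAPIAuthentication when `ssh_kerberos_authentication` / `ssh_gssapi_authentication` are defined, and this hunk defines neither, so on the Debian 12+ path the explicit `KerberosAuthentication no` / `GSSAPIAuthentication yes` that the legacy lineinfile tasks still write is silently dropped and sshd's built-in defaults apply instead. Adding `ssh_kerberos_authentication: 'no'` and `ssh_gssapi_authentication: 'yes'` here keeps both code paths producing the same policy. The same divergence exists for `ssh_permit_root_login`, `ssh_ciphers`, `ssh_macs` and `ssh_kex_algorithms`: the legacy block in tasks/sshd_config.yml still hard-codes those values, so an operator overriding the new variables changes only Debian 12+ hosts; consider referencing the variables from the lineinfile `with_dict` as well.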
@@ -1,46 +1,56 @@
 ---
 # vim: set expandtab tabstop=2 shiftwidth=2:
-- name: sshd_config
- lineinfile:
- path: /etc/ssh/sshd_config
- insertafter: '^\s*#\s*{{item.key}}\s+'
- regexp: '^\s*{{item.key}}\s'
- line: '{{item.key}} {{item.value}}'
- with_dict:
- Port: '{{ssh_port|default(22)}}'
- PermitRootLogin: 'prohibit-password'
- StrictModes: 'yes'
- PubkeyAuthentication: 'yes'
- KerberosAuthentication: 'no'
- GSSAPIAuthentication: 'yes'
- TCPKeepAlive: 'yes'
- Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
- MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
- KexAlgorithms: 'curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256'
-- name: sshd_config
- lineinfile:
- path: /etc/ssh/sshd_config
- insertbefore: '\s*#?\s*HostKey\s+'
- regexp: '^# HostKeys for protocol'
- line: '# HostKeys for protocol'
-- name: sshd_config - prefer ed25519
- lineinfile:
- path: /etc/ssh/sshd_config
- insertafter: '^# HostKeys for protocol'
- regexp: '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$'
- line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
-- name: sshd_config - fallback rsa
- lineinfile:
- path: /etc/ssh/sshd_config
- insertafter: '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$'
- regexp: '^\s*HostKey\s+/etc/ssh/ssh_host_rsa_key\s*$'
- line: 'HostKey /etc/ssh/ssh_host_rsa_key'
-- name: 'sshd_config - absent dsa / ecdsa'
- lineinfile:
- path: /etc/ssh/sshd_config
- state: absent
- regexp: '{{item}}'
- with_list:
- - '^\s*HostKey\s+/etc/ssh/ssh_host_dsa_key\s*$'
- - '^\s*HostKey\s+/etc/ssh/ssh_host_ecdsa_key\s*$'
+- when: '"debian" == ansible_facts["os_family"]|lower && 12 <= ansible_facts["os_version_id"]'
+ name: 'sshd_config.d/99-default.conf'
+ template:
+ src: 'sshd-default.conf'
+ dest: '/etc/ssh/sshd_config.d/99-default.conf'
+ owner: root
+ group: root
+ mode: 0644
+- when: '"debian" != ansible_facts["os_family"]|lower || 11 >= ansible_facts["os_version_id"]'
+ block:
+ - name: sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ insertafter: '^\s*#\s*{{item.key}}\s+'
+ regexp: '^\s*{{item.key}}\s'
+ line: '{{item.key}} {{item.value}}'
+ with_dict:
+ Port: '{{ssh_port|default(22)}}'
+ PermitRootLogin: 'prohibit-password'
+ StrictModes: 'yes'
+ PubkeyAuthentication: 'yes'
+ KerberosAuthentication: 'no'
+ GSSAPIAuthentication: 'yes'
+ TCPKeepAlive: 'yes'
+ Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
+ MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
+ KexAlgorithms: 'curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256'
+ - name: sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ insertbefore: '\s*#?\s*HostKey\s+'
+ regexp: '^# HostKeys for protocol'
+ line: '# HostKeys for protocol'
+ - name: sshd_config - prefer ed25519
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ insertafter: '^# HostKeys for protocol'
+ regexp: '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$'
+ line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
+ - name: sshd_config - fallback rsa
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ insertafter: '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$'
+ regexp: '^\s*HostKey\s+/etc/ssh/ssh_host_rsa_key\s*$'
+ line: 'HostKey /etc/ssh/ssh_host_rsa_key'
+ - name: 'sshd_config - absent dsa / ecdsa'
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ state: absent
+ regexp: '{{item}}'
+ with_list:
+ - '^\s*HostKey\s+/etc/ssh/ssh_host_dsa_key\s*$'
+ - '^\s*HostKey\s+/etc/ssh/ssh_host_ecdsa_key\s*$'
diff --git a/templates/sshd-default.conf.j2 b/templates/sshd-default.conf.j2
new file mode 100644
index 0000000..68f2241
--- /dev/null
+++ b/templates/sshd-default.conf.j2
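Review bot: Both new `when:` expressions fail to evaluate: Jinja2 spells the boolean operators `and` / `or` (`&&` and `||` are a template syntax error), and `ansible_facts["os_version_id"]` is not a fact Ansible gathers — the major release is `ansible_facts["distribution_major_version"]`, a string that should be compared with the `version` test rather than against a bare int. Testing `os_family` also matches every Debian derivative, so an Ubuntu host with a major version above 12 would take the Debian-12 branch; `ansible_facts["distribution"]` is the narrower check. `src: 'sshd-default.conf'` does not match the file this commit creates, `templates/sshd-default.conf.j2` — the template module does not append `.j2`, so the task errors before anything is written — and `mode: 0644` is an unquoted octal that works only because YAML 1.1 turns it into the integer 420; quote it as `'0644'`. Finally, Debian 12 includes `sshd_config.d/*.conf` before the main file and sshd keeps the first value it sees for a keyword, so a `99-` prefix lets any earlier-sorting drop-in silently override these hardening values; if this role is meant to win, a low prefix such as `00-` is the safer choice.
```yaml
- name: 'sshd_config.d/99-default.conf'
  when: >-
    ansible_facts["distribution"]|lower == "debian"
    and ansible_facts["distribution_major_version"] is version("12", ">=")
  template:
    src: 'sshd-default.conf.j2'
    dest: '/etc/ssh/sshd_config.d/99-default.conf'
    owner: root
    group: root
    mode: '0644'
- when: >-
    not (ansible_facts["distribution"]|lower == "debian"
    and ansible_facts["distribution_major_version"] is version("12", ">="))
  block:
    # … unchanged: lineinfile tasks …
```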
@@ -0,0 +1,11 @@
+{{if ssh_port is defined }}Port {{ssh_port}}{{endif}}
+PermitRootLogin {{ssh_permit_root_login}}
+StrictModes yes
+PubkeyAuthentication yes
+{{if ssh_kerberos_authentication is defined}}KerberosAuthentication {{ssh_kerberos_authentication}}{{endif}}
+{{if ssh_gssapi_authentication is defined}}GSSAPIAuthentication {{ssh_gssapi_authentication}}{{endif}}
+TCPKeepAlive yes
+Ciphers {{ssh_ciphers}}
+MACs {{ssh_macs}}
+KexAlgorithms {{ssh_kex_algorithms}}
+HostKey {%for k in ssh_host_keys%}{{k}}{%endfor%}
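Review bot: The conditionals on the Port, KerberosAuthentication and GSSAPIAuthentication lines use `{{if … }}` / `{{endif}}`, which Jinja2 parses as output expressions rather than statements, so rendering raises a syntax error and the Debian 12 branch never writes a config. The last line also concatenates every entry of `ssh_host_keys` into a single `HostKey` value with no separator (`HostKey /etc/ssh/ssh_host_ed25519_key/etc/ssh/ssh_host_rsa_key`); sshd takes one path per `HostKey` directive, and because any explicit HostKey disables the built-in defaults, a bad path here leaves sshd with no loadable host key and it refuses to start (`sshd -t` reports it). Ansible renders templates with `trim_blocks` enabled, which strips the newline following a `%}` tag, so a one-line `{% if %}Port …{% endif %}` would fuse with the following `PermitRootLogin` line; putting the block tags on their own lines avoids that.
```jinja
{% if ssh_port is defined %}
Port {{ ssh_port }}
{% endif %}
PermitRootLogin {{ ssh_permit_root_login }}
{# … unchanged: StrictModes, PubkeyAuthentication … #}
{% if ssh_kerberos_authentication is defined %}
KerberosAuthentication {{ ssh_kerberos_authentication }}
{% endif %}
{% if ssh_gssapi_authentication is defined %}
GSSAPIAuthentication {{ ssh_gssapi_authentication }}
{% endif %}
{# … unchanged: TCPKeepAlive, Ciphers, MACs, KexAlgorithms … #}
{% for key in ssh_host_keys %}
HostKey {{ key }}
{% endfor %}
```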