From 0c7b5a2c68f35ca9b9dd3cefaceb5de5c2ca9d6d Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Tue, 4 Jul 2023 04:04:48 +0200
Subject: [PATCH] openssh: cleanup playblook + role
---
 playbooks/{ssh.yml => openssh.yml} | 4 ++--
 roles/openssh_server/defaults/main.yml | 23 ++++++++++++++++++-
 roles/openssh_server/tasks/main.yml | 4 ++--
 roles/openssh_server/templates/sshd_config.j2 | 7 +++---
 4 files changed, 29 insertions(+), 9 deletions(-)
 rename playbooks/{ssh.yml => openssh.yml} (85%)
diff --git a/playbooks/ssh.yml b/playbooks/openssh.yml
similarity index 85%
rename from playbooks/ssh.yml
rename to playbooks/openssh.yml
index 51fbac1..305c8aa 100755
--- a/playbooks/ssh.yml
+++ b/playbooks/openssh.yml
@@ -4,11 +4,11 @@
 - pve_network
 - vm_network
 vars:
- openssh_users_ca_public_key:
+ openssh__users_ca_public_key:
 "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
 hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
 F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
- openssh_authorized_principals:
+ openssh__authorized_principals:
 - any
 - "{{ inventory_hostname }}"
 roles:
diff --git a/roles/openssh_server/defaults/main.yml b/roles/openssh_server/defaults/main.yml
index 606659a..cbed486 100644
--- a/roles/openssh_server/defaults/main.yml
+++ b/roles/openssh_server/defaults/main.yml
@@ -1,4 +1,25 @@
 ---
-openssh_authorized_principals:
+openssh__authorized_principals:
 - any
+# https://infosec.mozilla.org/guidelines/openssh.html
+openssh__kex_algorithms:
+ - curve25519-sha256@libssh.org
+ - ecdh-sha2-nistp521
+ - ecdh-sha2-nistp384
+ - ecdh-sha2-nistp256
+ - diffie-hellman-group-exchange-sha256
+openssh__ciphers:
+ - chacha20-poly1305@openssh.com
+ - aes256-gcm@openssh.com
+ - aes128-gcm@openssh.com
+ - aes256-ctr
+ - aes192-ctr
+ - aes128-ctr
+openssh__macs:
+ - hmac-sha2-512-etm@openssh.com
+ - hmac-sha2-256-etm@openssh.com
+ - umac-128-etm@openssh.com
+ - hmac-sha2-512
+ - hmac-sha2-256
+ - umac-128@openssh.com
 ...
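Review bot: The three new lists in roles/openssh_server/defaults/main.yml now carry the role's entire cryptographic policy, but nothing states that a caller overriding one of them replaces the whole set rather than extending it, and only the kex list carries the source link. A comment above `openssh__kex_algorithms` would make the contract explicit, e.g. `# Algorithm sets rendered verbatim into sshd_config (KexAlgorithms, Ciphers, MACs); overriding a list replaces the whole set, it does not append to it.` The `diffie-hellman-group-exchange-sha256` entry is only as strong as the groups left in /etc/ssh/moduli, so if the role does not also prune the small groups there as the linked guideline recommends (not visible in this diff), that dependency is worth a comment next to the entry.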
diff --git a/roles/openssh_server/tasks/main.yml b/roles/openssh_server/tasks/main.yml
index 681ea61..eec86e0 100644
--- a/roles/openssh_server/tasks/main.yml
+++ b/roles/openssh_server/tasks/main.yml
@@ -21,7 +21,7 @@
 - name: Install Users CA public key
 copy:
- content: "{{ openssh_users_ca_public_key }}"
+ content: "{{ openssh__users_ca_public_key }}"
 dest: /etc/ssh/users_ca.pub
 owner: root
 group: root
@@ -30,7 +30,7 @@
 - name: Install authorized principals file
 copy:
- content: "{{ openssh_authorized_principals | join('\n') }}"
+ content: "{{ openssh__authorized_principals | join('\n') }}"
 dest: /etc/ssh/authorized_principals
 owner: root
 group: root
diff --git a/roles/openssh_server/templates/sshd_config.j2 b/roles/openssh_server/templates/sshd_config.j2
index fd3d50f..4c4f926 100644
--- a/roles/openssh_server/templates/sshd_config.j2
+++ b/roles/openssh_server/templates/sshd_config.j2
@@ -15,10 +15,9 @@
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
-# https://infosec.mozilla.org/guidelines/openssh.html
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+KexAlgorithms {{ openssh__kex_algorithms | join(",") }}
+Ciphers {{ openssh__ciphers | join(",") }}
+MACs {{ openssh__macs | join(",") }}
 AuthenticationMethods publickey
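Review bot: `KexAlgorithms {{ openssh__kex_algorithms | join(",") }}` and the Ciphers and MACs lines below it render a keyword with no argument when a caller overrides the list with `[]`, and sshd treats a missing argument as a fatal configuration error, so a bad override can leave the host without SSH once the service is restarted. A caller who passes a comma-separated string instead of a list hits a quieter variant, since `join` then places commas between the characters of the string and sshd rejects the unknown algorithm names. Unless the template task already validates the rendered file (the task is outside this hunk), `validate: /usr/sbin/sshd -t -f %s` on it, or an `assert` that each of the three lists has `length > 0` before rendering, turns both cases into a failed play instead of a lockout. The sshd_config stanza continues outside the hunk.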