86 lines
2.6 KiB
YAML
86 lines
2.6 KiB
YAML
---
|
|
- name: Set OS dependent variables
|
|
include_vars: '{{ item }}'
|
|
with_first_found:
|
|
- '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
|
|
- '{{ ansible_facts.distribution }}.yml'
|
|
- '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
|
|
- '{{ ansible_facts.os_family }}.yml'
|
|
|
|
- name: get openssh-version
|
|
command: ssh -V
|
|
register: sshd_version_raw
|
|
changed_when: false
|
|
check_mode: no
|
|
|
|
- name: parse openssh-version
|
|
set_fact:
|
|
sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
|
|
|
|
- name: include tasks to create crypo-vars
|
|
include_tasks: crypto.yml
|
|
|
|
- name: create revoked_keys and set permissions to root/600
|
|
template:
|
|
src: 'revoked_keys.j2'
|
|
dest: '/etc/ssh/revoked_keys'
|
|
mode: '0600'
|
|
owner: '{{ ssh_owner }}'
|
|
group: '{{ ssh_group }}'
|
|
notify: restart sshd
|
|
when: ssh_server_hardening | bool
|
|
|
|
- name: create sshd_config and set permissions to root/600
|
|
template:
|
|
src: 'opensshd.conf.j2'
|
|
dest: '/etc/ssh/sshd_config'
|
|
mode: '0600'
|
|
owner: '{{ ssh_owner }}'
|
|
group: '{{ ssh_group }}'
|
|
validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s'
|
|
notify: restart sshd
|
|
when: ssh_server_hardening | bool
|
|
|
|
- name: disable dynamic MOTD
|
|
pamd:
|
|
name: sshd
|
|
type: session
|
|
control: optional
|
|
module_path: pam_motd.so
|
|
state: absent
|
|
when:
|
|
- ssh_server_hardening | bool
|
|
- ssh_pam_support | bool
|
|
- not (ssh_print_motd | bool)
|
|
|
|
- name: create ssh_config and set permissions to root/644
|
|
template:
|
|
src: 'openssh.conf.j2'
|
|
dest: '/etc/ssh/ssh_config'
|
|
mode: '0644'
|
|
owner: '{{ ssh_owner }}'
|
|
group: '{{ ssh_group }}'
|
|
when: ssh_client_hardening | bool
|
|
|
|
- name: Check if {{ sshd_moduli_file }} contains weak DH parameters
|
|
shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
|
|
register: sshd_register_moduli
|
|
changed_when: false
|
|
check_mode: no
|
|
when: ssh_server_hardening | bool
|
|
|
|
- name: remove all small primes
|
|
shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;
|
|
[ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true
|
|
notify: restart sshd
|
|
when:
|
|
- ssh_server_hardening | bool
|
|
- sshd_register_moduli.stdout
|
|
|
|
- name: include tasks to setup ca keys and principals
|
|
include_tasks: ca_keys_and_principals.yml
|
|
when: ssh_trusted_user_ca_keys_file | length > 0
|
|
|
|
- name: include selinux specific tasks
|
|
include_tasks: selinux.yml
|
|
when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled"
|