public-health-ch/ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md

Changelog

9.7.0 (2020-08-09)

Full Changelog

Implemented enhancements:

• add separate option for controlling motd via pam #320 (schurzi)

9.6.0 (2020-07-28)

Full Changelog

Implemented enhancements:

• add SmartOS support #294 (aqw)

Fixed bugs:

• fix local kitchen tests #318 (schurzi)
• fix sftp_umask; store as literal not octal #317 (aqw)

Closed issues:

• Make SSH banner path configurable #315

9.5.0 (2020-07-27)

Full Changelog

Implemented enhancements:

• add ssh_banner_path variable #316 (liteua)
• rework CRYPTO_POLICY handling for fedora #314 (schurzi)

Fixed bugs:

• network_ipv6_enable: true not working #311

Closed issues:

• RHEL/CentOS 8 requires removal or editing of /etc/crypto-policies/back-ends/openssh*.config #275

Merged pull requests:

• improve testing in kitchen and travis #313 (schurzi)

9.4.0 (2020-07-21)

Full Changelog

Implemented enhancements:

• Add CentOS 8 support for ansible-ssh-hardening #247
• adding specific things for IPv6 support #312 (altf4arnold)
• add support for CentOS8 #309 (schurzi)
• README: New section on server port and idempotency #307 (nununo)

Fixed bugs:

• CBC Ciphers should be disabled by default. #308

Closed issues:

• Idempotency when changing sshd ports #299
• Simplify crypto.yml checks with blocks #256
• Possibility for customising host key algorithms? #243

9.3.0 (2020-07-09)

Full Changelog

Implemented enhancements:

• Add support for X11 configuration #297
• add blocks to crypto.yml checks #305 (schurzi)
• fix typo in hardening.yml #304 (schurzi)
• allow customization of X11Forwarding #300 (divialth)

Fixed bugs:

• fix package install in tests #301 (rndmh3ro)

Closed issues:

• Typo in hardening.yml #303
• Task create sshd_config and set permissions fails #302

9.2.0 (2020-06-25)

Full Changelog

Implemented enhancements:

• Add RHEL 8 Support #261
• Add option to create 'LocalPort' match blocks #295 (aisbergg)
• Add archlinux support #291 (djesionek)
• Harmonize style #290 (aisbergg)

Merged pull requests:

• add centos 8 to meta #298 (rndmh3ro)

9.1.1 (2020-06-06)

Full Changelog

Implemented enhancements:

• unify changelog and release actions #289 (rndmh3ro)

Fixed bugs:

• AllowTCPForwarding set to no although I have ssh\_allow\_tcp\_forwarding: yes #286
• ssh\_allow\_tcp\_forwarding: use quotes for values #288 (jeanmonet)

9.1.0 (2020-06-02)

Full Changelog

Implemented enhancements:

• allow customization of login gracetime and max sessins #287 (chris-rock)

9.0.0 (2020-05-18)

Full Changelog

Breaking changes:

• make ssh client-side compression configurable #284 (aqw)

Fixed bugs:

• Disable Ubuntu dynamic login MOTD #271

Closed issues:

• Ubuntu disable dynamic MOTD failing #283

8.1.0 (2020-05-09)

Full Changelog

Implemented enhancements:

• add changelog and release workflow #282 (rndmh3ro)
• fix: Ansible part of Fedora build #281 (kostasns)
• Add changelog action #280 (rndmh3ro)
• fix: Amazon linux build #279 (kostasns)
• feat: Allow to set custom list of HostKeyAlgorithms #278 (kostasns)
• fix(ansible_facts): replace few remaining facts from 'ansible_' to using 'ansible_facts' dictionary #277 (kostasns)

8.0.0 (2020-04-21)

Full Changelog

Implemented enhancements:

• Remove dependency on bash #265
• Possibility to use other value than yes/no for AllowTCPforwarding #255
• Add support for Debian Buster in ansible-ssh-hardening #248
• Some options not configurable via the role #239
• PermitUserEnvironment should not be conflated with AcceptEnv #232
• Disable also dynamic MOTD via PAM if enabled - refs #271 #273 (ancoron)
• Use sha2 HMACs on RHEL 6 / CentOS 6. #270 (foonix)
• Removing 2fa #269 (dennisse)
• Renaming Ansible variables discovered from systems #268 (PovilasGT)
• Do not use bash to get ssh version #266 (kljensen)
• Add 'all', 'local', 'yes', 'no' options support for AllowTcpForwarding variable #257 (brnck)
• Support KEX for OpenSSH 8.0+ & quantum resistant KEX #254 (lunarthegrey)
• SFTP: set default umask to 0027 #252 (Slamdunk)
• Separate PermitUserEnviroment from AcceptEnv #251 (szEvEz)
• Feature: Debian 10 Buster support #249 (jaredledvina)
• fix broken packages, extend README with furhter development instructions #246 (szEvEz)
• refactor authenticationmethod settings, allow user to set authenticat… #245 (szEvEz)
• RHEL/OL/CentOS 8 support #242 (Furragen)
• Added ssh_syslog_facility, ssh_log_level and ssh_strict_modes parameters #240 (bschonec)

Fixed bugs:

• HostKey comment "# Req 20" breaks key based auth #262
• SSH fails to start/connect if custom server ports is set on CentOS 7.6 #212
• Google 2fa authentication problem #170
• vars: remove empty main.yml file #274 (paulfantom)
• Only manage moduli when hardening server #267 (jbronn)
• Remove comment from sshd config HostKey param #263 (abtreece)

7.0.0 (2019-09-15)

Full Changelog

Implemented enhancements:

• Add new option ssh_server_match_address #230
• set UsePAM to yes by default #233 (rndmh3ro)

Fixed bugs:

• Unable to connect after applying the role Ubuntu 18.04, AWS EC2 #229

Closed issues:

• Can't connect to new instance created from hardened image #189

Merged pull requests:

• changed string comparison to version comparison #234 (gobind-singh)

6.2.0 (2019-08-05)

Full Changelog

Implemented enhancements:

• added support for ssh\_server\_match\_address \#230 #231 (MatthiasLohr)

6.1.3 (2019-06-09)

Full Changelog

Implemented enhancements:

• Fix squash_actions deprecation in test playbooks #228 (Normo)
• Fix deprecation warnings in Ansible 2.8 #227 (Normo)

Fixed bugs:

• deprecation warnings in Ansible 2.8 #226

6.1.2 (2019-05-17)

Full Changelog

Fixed bugs:

• sshd_custom_options used in ssh_config generation #224

Merged pull requests:

• use correct variable ssh_custom_options in ssh_config template #225 (rndmh3ro)

6.1.1 (2019-05-07)

Full Changelog

Fixed bugs:

• Missing indent for ChrootDirectory in Match Group sftponly #221

Merged pull requests:

• fix indentation for matches #222 (rndmh3ro)

6.1.0 (2019-05-04)

Full Changelog

Implemented enhancements:

• PermitRootLogin yes #190
• Match Group' in configuration but 'user' not in connection test specification #188
• Allow custom values #175
• use selinux fact to check if selinux is used #220 (rndmh3ro)
• Remove eol os and add fedora #218 (rndmh3ro)
• document and move custom variables #217 (rndmh3ro)
• fix: allow other ssh ports using selinux #214 (guilieb)
• Make ansible-lint happy #204 (alexclear)
• Fix ssh and sshd config files to satisfy inspec reqs on all Testkitchen setups #203 (alexclear)
• enable ssh 7.7p1 support #202 (rndmh3ro)
• Removed DEPRECATION WARNING for apt, using list instead of with_items #201 (jonaswre)

Fixed bugs:

• Using more than one rule in a Group or User Match block? #207
• fix multiple match rules not working #207 #208 (rndmh3ro)

6.0.0 (2018-11-18)

Full Changelog

Implemented enhancements:

• Ubuntu 18.04 support #182
• Update opensshd.conf.js #196 (ikr0m)

Fixed bugs:

• GSSAPI support broken. Can't be enabled. #192
• Unsupported option "rhostsrsaauthentication" "rsaauthentication" #184
• Weak kex are controlled by wrong variable ? #174
• Can't connect to server by SSH after applying this role #115

Closed issues:

• Support StreamLocalBindUnlink #197
• Add molecule testing #183

Merged pull requests:

• Support for custom configuration #199 (MatthiasLohr)
• parameterize PermitRootLogin #195 (rndmh3ro)
• set 'GSSAPIAuthentication yes' if variable 'ssh_gssapi_support' is set to 'true' #194 (szEvEz)
• Use ansible version compare module #187 (BentoumiTech)
• add ubuntu 18.04 support #186 (rndmh3ro)

5.0.0 (2018-09-16)

Full Changelog

Implemented enhancements:

• Fixing the broken Ansible dependency mechanism #176
• Include new baseline-tests #161
• GlobalKnownHostsFile missing from ssh_config #155
• Options not compatible with OpenSSH server 7.6 #151
• Kitchen travis #180 (rndmh3ro)
• update config of kex, macs, ciphers #179 (rndmh3ro)
• add debian 9 and a comment #178 (rndmh3ro)
• Dependency flag #177 (jcheroske)
• Travis #173 (rndmh3ro)
• OpenBSD Support #171 (jbronn)
• Implement disabling chroot for sftp #166 (towo)
• New tests #163 (rndmh3ro)
• yaml-lint update, refactor tasks #162 (rndmh3ro)
• Handle a few deprecated OpenSSH options #160 (ageis)
• Added support for TrustedUserCAKeys and AuthorizedPrincipalsFile. #157 (gdelafond)
• Adds sshd config for keyboard-interactive pam device #156 (rcII)
• Use package state 'present' since 'installed' is deprecated #154 (Normo)
• conform to current dev-sec/ssh-baseline #150 (alval5280)
• new parameter: ssh_max_startups #149 (aeschbacher)
• Update syntax to 2.4 #148 (thomasjpfan)
• Amazonlinux-Testing #147 (rndmh3ro)
• Fixed trailing whitespace #146 (zbrojny120)
• Add support for Amazon Linux #145 (woneill)

Fixed bugs:

• ssh_server_weak_kex variable is not used any where #167
• opensshd.conf.j2 template type error #159
• line 56: Bad SSH2 mac spec #135

Closed issues:

• Travis & Debian 9 "Stretch" #158

Merged pull requests:

• remove oracle7 from travis tests for the time being #181 (rndmh3ro)

4.4.0 (2017-12-29)

Full Changelog

Implemented enhancements:

• Changes in selinux section to avoid confusion and some inconsistencies #127
• Issue #137: Fix sshd_config's "Match Group sftponly" #138 (kekumu)
• allow configuration of GatewayPorts #136 (pwyliu)
• Added support for AuthorizedKeysFile config setting #132 (hyrsky)
• corrected comments explaining the task's behaviour #131 (martinbydefault)
• Feature/2fa auth #123 (lazzurs)

Fixed bugs:

• ssh_use_dns used twice in defaults/main.yml #129

Closed issues:

• coreos support? #142
• UseLogin is deprecated on CentOS 7 #140
• sftp Match Group settings overriding global sshd_config settings #137
• get openssh-version fails on FreeBSD with ansible 2.4.0.0 #133

Merged pull requests:

• Remove deprecated UseLogin option #141 (syhe)
• Macs kex ciphers #139 (rndmh3ro)
• force /bin/sh when getting openssh-version #134 (gtz42)

4.3.1 (2017-08-14)

Full Changelog

Implemented enhancements:

• Remove duplicate ssh_use_dns #130 (MagnusEnger)

Fixed bugs:

• System completely unresponsive after role execution #126

Closed issues:

• role creates duplicate parameter/values after run #124

4.3.0 (2017-08-03)

Full Changelog

Implemented enhancements:

• Fix ansible.cfg settings #122 (fazlearefin)
• Finish 94 #116 (rndmh3ro)

Merged pull requests:

• Don't overwrite ssh_host_key_files if set manually #125 (oakey-b1)
• Add comment filter to {{ansible_managed}} string #121 (fazlearefin)

4.2.0 (2017-06-30)

Full Changelog

4.1.3 (2017-06-30)

Full Changelog

Implemented enhancements:

• Add support to specify a list of revoked public keys #120 (bachp)
• use package instead of yum so the operation works on Fedora #119 (stenwt)

Fixed bugs:

• fails in --check mode #111

Merged pull requests:

• Do not use shell when not needed + Lint whitespaces #118 (krhubert)

4.1.2 (2017-05-31)

Full Changelog

Implemented enhancements:

• added check_mode: no to "get openssh-version" task, so it won't fail … #117 (wschaft)

Fixed bugs:

• User login failed after running this module #114

Closed issues:

• Update readme to include baselines #110

4.1.1 (2017-05-18)

Full Changelog

Implemented enhancements:

• fix validation error #113 (pwyliu)

4.1.0 (2017-05-09)

Full Changelog

Implemented enhancements:

• Provide option to allow password server login #106
• Deprecation warning always_run #82
• Added support for UseDNS config switch #109 (ftaeger)
• Added support for UseDNS config switch #108 (ftaeger)

Fixed bugs:

• create ssh\_config and set permissions to root/644 step repeated #104

Merged pull requests:

• Added support for PermitTunnel config switch #112 (fti7)
• Adds option to enable password based authentication on the server #107 (colin-nolan)

4.0.0 (2017-04-22)

Full Changelog

Implemented enhancements:

• Avoid small primes for DH and allow rebuild of DH primes #89
• Accommodate missing plugins in kitchen_vagrant_block.rb #100 (fullyint)
• Use different Hostkeys according to installed ssh version #99 (rndmh3ro)
• Remove small dh primes #97 (rndmh3ro)
• Add Ed25519 SSH host key to match commit 28b4df3 in ssh-baseline #96 (techraf)
• Add support for FreeBSD OpenSSH server and client #95 (jbenden)
• Replace deprecated always_run with check_mode #93 (jbenden)
• Defaults: Remove DSA from SSH host keys to match ssh-baseline profile #92 (techraf)
• use new docker images #91 (rndmh3ro)
• use centos 7 in vagrant, limit ssh conns #88 (rndmh3ro)
• remove support for ansible 1.9 #87 (rndmh3ro)
• make ChallengeResponseAuthentication configurable #85 (rndmh3ro)
• List only one Port in ssh config #84 (fullyint)
• Fix ssh config to handle custom options per Host #83 (fullyint)

Fixed bugs:

• SELinux-specific task still runs on SELinux-disabled systems #74

Closed issues:

• Should compression be opt-in? #90
• The role fails when conditionally included #86

Merged pull requests:

• remove duplicate section #105 (rndmh3ro)
• Fix ssh_server_ports and ssh_client_ports documentation bug #80 (kivilahtio)

3.2.0 (2016-10-24)

Full Changelog

Implemented enhancements:

• CentOS 7 selinux dependencies #76
• Parameterise Banner and DebianBanner as defaults #77 (tsenart)

Fixed bugs:

• Some tasks are always run even if they are not needed #78
• Selinux issue #75
• Running the tests locally #61

Closed issues:

• Applied-Crypto-Hardening project and new cyphers. #28

3.1.0 (2016-08-03)

Full Changelog

Implemented enhancements:

• use new ciphers, kex, macs and privilege separation for redhat family 7 or later #72

3.1 (2016-08-03)

Full Changelog

Implemented enhancements:

• Add Xenial / Ubuntu 16.04 LTS to meta/main.yml #63
• install selinux dependencies, check for already installed semodule #79 (rndmh3ro)
• Use new ciphers, kex, macs and priv separation sandbox for redhat family 7 #73 (atomic111)
• add docker support #71 (rndmh3ro)
• add always_run: true to task. fix #64 #69 (rndmh3ro)
• Debian8 #68 (rndmh3ro)
• Fixed KexAlgorithms Conditional Statement #66 (cjsheets)
• Moves vars to defaults #60 (conorsch)

Fixed bugs:

• semodule ssh_password error on AWS Centos 7 #64

Closed issues:

• ssh\_server\_ports a bit misleading in the vars section? #62
• sftp_enabled: false will break Ansible's template module #55
• Move cipher/kex/mac vars to defaults #53

Merged pull requests:

• Add SCP/SFTP to FAQ #58 (rndmh3ro)

3.0.0 (2016-03-13)

Full Changelog

Implemented enhancements:

• Added sftp_enabled, sftp_chroot_dir, and ssh_client_roaming from the … #57 (ghost)
• add test support for ansible 1.9 and 2.0 #56 (rndmh3ro)
• update platforms in meta-file #52 (rndmh3ro)
• add webhook for ansible galaxy #51 (rndmh3ro)
• Disable experimental client roaming. #49 (rndmh3ro)
• use inspec as test framework #48 (chris-rock)
• Change categories to tags for upcoming ansible 2.0 #47 (rndmh3ro)
• add changelog generator #46 (chris-rock)

Closed issues:

• Install from ansible galaxy missing files tasks #50
• should generate new ssh host key files #45

Merged pull requests:

• New release 3.0.0 #59 (rndmh3ro)

2.0.0 (2015-11-28)

Full Changelog

Closed issues:

• Fix directory structure. #43

Merged pull requests:

• New dir layout. Fix #43 #44 (rndmh3ro)
• Add var to travis job #42 (rndmh3ro)
• sftp_enable option #41 (fitz123)

1.2.1 (2015-10-16)

Full Changelog

Merged pull requests:

• Allow whitelisted groups on ssh #40 (fheinle)

1.2.0 (2015-09-28)

Full Changelog

1.2 (2015-09-28)

Full Changelog

Merged pull requests:

• bugfix. Now option true for PrintLastLog is available again #39 (fitz123)
• Add more travis-tests #38 (rndmh3ro)
• Support for selinux and pam. fix #23 #35 (rndmh3ro)

1.1.0 (2015-09-01)

Full Changelog

1.1 (2015-09-01)

Full Changelog

Closed issues:

• ssh_ports - individual client/server config #33
• UsePAM should probably default to yes on Red Hat Linux 7 #23

Merged pull requests:

• Change variable for hmac from server to client #37 (rndmh3ro)
• Update kitchen-ansible, remove separate debian install #36 (rndmh3ro)
• Separate ssh client and server ports. Fix #33 #34 (rndmh3ro)
• update common kitchen.yml platforms ansible, kitchen_debian.yml platforms ansible #32 (chris-rock)
• Make MaxAuthTries configurable #31 (rndmh3ro)
• Change oneliner if-statements to be more readable #30 (rndmh3ro)
• Make ssh client password login configurable. #29 (ypid)
• Fix join-filter, jinja-cases, intendation #27 (rndmh3ro)
• Short role review. Fixed role when ssh_client_weak_kex == true. #26 (ypid)
• Make it configurable to only harden ssh client/server or both default. #25 (ypid)
• Separate system-vars from editable vars #24 (rndmh3ro)
• Add correct CONTRIB-file #22 (rndmh3ro)
• Add Ansible Galaxy badge #21 (rndmh3ro)
• fix configuration of playbook path #20 (chris-rock)
• Debian install script #19 (rndmh3ro)

1.0.0 (2015-04-30)

Full Changelog

Implemented enhancements:

• Update variable-documentation #12 (rndmh3ro)

Closed issues:

• add travis test for ubuntu 12.04 #7
• Use handler for sshd restart #6
• Running test-kitchen fails #2

Merged pull requests:

• add self as author #18 (chris-rock)
• add badges #17 (chris-rock)
• fix meta.yml #16 (chris-rock)
• add more information to changelog #15 (chris-rock)
• Add meta-information for Ansible Galaxy #14 (rndmh3ro)
• Update CHANGELOG.md #13 (rndmh3ro)
• Add handler to restart ssh only if necessary. Fix #6 #11 (rndmh3ro)
• add more descriptions #10 (chris-rock)
• add travis config for ansible #9 (chris-rock)
• update .kitchen.yml to find playbook role in tests #8 (chris-rock)
• Oracle support #5 (rndmh3ro)
• Remove custom Vagrantfile-reference. Fix #2 #4 (rndmh3ro)
• Remove custom Vagrantfile-reference. Fix #2 #3 (rndmh3ro)
• Fix missing gem #1 (chris-rock)

* This Changelog was automatically generated by github_changelog_generator