115 lines
3.3 KiB
YAML
115 lines
3.3 KiB
YAML
---
|
|
- name: set OS dependent variables
|
|
include_vars: '{{ item }}'
|
|
with_first_found:
|
|
- '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
|
|
- '{{ ansible_facts.distribution }}.yml'
|
|
- '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
|
|
- '{{ ansible_facts.os_family }}.yml'
|
|
|
|
- name: get openssh-version
|
|
command: ssh -V
|
|
register: sshd_version_raw
|
|
changed_when: false
|
|
check_mode: no
|
|
|
|
- name: parse openssh-version
|
|
set_fact:
|
|
sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
|
|
|
|
- name: set default for ssh_host_key_files if not supplied
|
|
include_tasks: crypto_hostkeys.yml
|
|
when: not ssh_host_key_files
|
|
|
|
- name: set default for ssh_macs if not supplied
|
|
include_tasks: crypto_macs.yml
|
|
when: not ssh_macs
|
|
|
|
- name: set default for ssh_ciphers if not supplied
|
|
include_tasks: crypto_ciphers.yml
|
|
when: not ssh_ciphers
|
|
|
|
- name: set default for ssh_kex if not supplied
|
|
include_tasks: crypto_kex.yml
|
|
when: not ssh_kex
|
|
|
|
- name: create revoked_keys and set permissions to root/600
|
|
template:
|
|
src: 'revoked_keys.j2'
|
|
dest: '/etc/ssh/revoked_keys'
|
|
mode: '0600'
|
|
owner: '{{ ssh_owner }}'
|
|
group: '{{ ssh_group }}'
|
|
notify: restart sshd
|
|
when: ssh_server_hardening | bool
|
|
|
|
- name: create sshd_config and set permissions to root/600
|
|
template:
|
|
src: 'opensshd.conf.j2'
|
|
dest: '/etc/ssh/sshd_config'
|
|
mode: '0600'
|
|
owner: '{{ ssh_owner }}'
|
|
group: '{{ ssh_group }}'
|
|
validate: '{{ sshd_path }} -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s'
|
|
notify: restart sshd
|
|
when: ssh_server_hardening | bool
|
|
|
|
- name: disable dynamic MOTD
|
|
pamd:
|
|
name: sshd
|
|
type: session
|
|
control: optional
|
|
module_path: pam_motd.so
|
|
state: absent
|
|
backup: yes
|
|
when:
|
|
- ssh_server_hardening | bool
|
|
- ssh_pam_support | bool
|
|
- not (ssh_print_pam_motd | bool)
|
|
|
|
- name: create ssh_config and set permissions to root/644
|
|
template:
|
|
src: 'openssh.conf.j2'
|
|
dest: '/etc/ssh/ssh_config'
|
|
mode: '0644'
|
|
owner: '{{ ssh_owner }}'
|
|
group: '{{ ssh_group }}'
|
|
when: ssh_client_hardening | bool
|
|
|
|
- name: check if {{ sshd_moduli_file }} contains weak DH parameters
|
|
shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
|
|
register: sshd_register_moduli
|
|
changed_when: false
|
|
check_mode: no
|
|
when: ssh_server_hardening | bool
|
|
|
|
- name: remove all small primes
|
|
shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;
|
|
[ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true
|
|
notify: restart sshd
|
|
when:
|
|
- ssh_server_hardening | bool
|
|
- sshd_register_moduli.stdout
|
|
|
|
- name: include tasks to setup ca keys and principals
|
|
include_tasks: ca_keys_and_principals.yml
|
|
when: ssh_trusted_user_ca_keys_file | length > 0
|
|
|
|
- name: include selinux specific tasks
|
|
include_tasks: selinux.yml
|
|
when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled"
|
|
|
|
- name: gather package facts
|
|
package_facts:
|
|
check_mode: no
|
|
when:
|
|
- sshd_disable_crypto_policy | bool
|
|
|
|
- name: disable SSH server CRYPTO_POLICY
|
|
copy:
|
|
src: sshd
|
|
dest: /etc/sysconfig/sshd
|
|
when:
|
|
- sshd_disable_crypto_policy | bool
|
|
- ('crypto-policies' in ansible_facts.packages)
|