140 lines
3.9 KiB
YAML
140 lines
3.9 KiB
YAML
---
|
|
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with custom settings
|
|
hosts: localhost
|
|
pre_tasks:
|
|
- name: use python3
|
|
set_fact:
|
|
ansible_python_interpreter: /usr/bin/python3
|
|
when: ansible_facts.distribution == 'Fedora'
|
|
|
|
- yum:
|
|
name:
|
|
- openssh-clients
|
|
- openssh-server
|
|
- libselinux-python
|
|
state: present
|
|
update_cache: true
|
|
ignore_errors: true
|
|
|
|
- dnf:
|
|
name:
|
|
- openssh-clients
|
|
- openssh-server
|
|
- procps-ng
|
|
state: present
|
|
update_cache: true
|
|
ignore_errors: true
|
|
|
|
- apt:
|
|
name:
|
|
- openssh-client
|
|
- openssh-server
|
|
state: present
|
|
update_cache: true
|
|
ignore_errors: true
|
|
|
|
- file:
|
|
path: "/var/run/sshd"
|
|
state: directory
|
|
|
|
- pacman:
|
|
name:
|
|
- "openssh"
|
|
- "awk"
|
|
state: present
|
|
update_cache: true
|
|
ignore_errors: true
|
|
|
|
- name: create ssh host keys
|
|
command: "ssh-keygen -A"
|
|
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
|
|
ansible_facts.distribution == "Fedora" or
|
|
ansible_facts.distribution == "Amazon"
|
|
|
|
roles:
|
|
- ansible-ssh-hardening
|
|
vars:
|
|
network_ipv6_enable: true
|
|
ssh_allow_tcp_forwarding: 'yes'
|
|
ssh_gateway_ports: true
|
|
ssh_allow_agent_forwarding: true
|
|
ssh_server_permit_environment_vars: 'yes'
|
|
ssh_server_accept_env_vars: 'PWD HTTP_PROXY'
|
|
ssh_client_alive_interval: 100
|
|
ssh_client_alive_count: 10
|
|
ssh_client_password_login: true
|
|
ssh_challengeresponseauthentication: true
|
|
ssh_compression: true
|
|
ssh_allow_users: 'root kitchen vagrant'
|
|
ssh_allow_groups: 'root kitchen vagrant'
|
|
ssh_deny_users: 'foo bar'
|
|
ssh_deny_groups: 'foo bar'
|
|
ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
|
|
ssh_max_auth_retries: 10
|
|
ssh_permit_root_login: "without-password"
|
|
ssh_permit_tunnel: true
|
|
ssh_print_motd: true
|
|
ssh_print_last_log: true
|
|
ssh_banner: true
|
|
ssh_server_password_login: true
|
|
sftp_enabled: true
|
|
sftp_chroot: true
|
|
#ssh_server_enabled: false
|
|
ssh_server_ports:
|
|
- 22
|
|
- 222
|
|
ssh_server_match_address:
|
|
- address: '192.168.1.1/24'
|
|
rules:
|
|
- 'AllowTcpForwarding yes'
|
|
- 'AllowAgentForwarding no'
|
|
ssh_server_match_group:
|
|
- group: 'root'
|
|
rules:
|
|
- 'AllowTcpForwarding yes'
|
|
- 'AllowAgentForwarding no'
|
|
ssh_server_match_user:
|
|
- user: 'root'
|
|
rules:
|
|
- 'AllowTcpForwarding yes'
|
|
- 'AllowAgentForwarding no'
|
|
ssh_server_match_local_port:
|
|
- port: 222
|
|
rules:
|
|
- 'AllowTcpForwarding yes'
|
|
- 'AllowAgentForwarding no'
|
|
ssh_remote_hosts:
|
|
- names: ['example.com', 'example2.com']
|
|
options: ['Port 2222', 'ForwardAgent yes']
|
|
- names: ['example3.com']
|
|
options: ['StrictHostKeyChecking no']
|
|
ssh_use_dns: true
|
|
ssh_use_pam: true
|
|
ssh_max_startups: '10:30:60'
|
|
ssh_trusted_user_ca_keys_file: '/etc/ssh/ca.pub'
|
|
ssh_trusted_user_ca_keys:
|
|
- '# ssh-rsa ...'
|
|
ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
|
|
ssh_authorized_principals:
|
|
- { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }
|
|
ssh_host_key_algorithms:
|
|
- ssh-ed25519
|
|
- rsa-sha2-512
|
|
- rsa-sha2-256
|
|
- ssh-rsa
|
|
ssh_macs:
|
|
- hmac-sha2-512
|
|
- hmac-sha2-256
|
|
ssh_ciphers:
|
|
- aes256-ctr
|
|
- aes192-ctr
|
|
- aes128-ctr
|
|
- aes256-cbc
|
|
ssh_kex:
|
|
- diffie-hellman-group-exchange-sha256
|
|
- diffie-hellman-group-exchange-sha1
|
|
ssh_custom_options:
|
|
- "Include /etc/ssh/ssh_config.d/*"
|
|
sshd_custom_options:
|
|
- "AcceptEnv LANG"
|