From 8d38b47ae90d3ba3270b7c868766c08f432162b9 Mon Sep 17 00:00:00 2001 From: Jonathan Freedman Date: Thu, 27 Aug 2020 09:19:04 -0700 Subject: [PATCH 1/5] more layered/nuanced openssh configs --- defaults/main.yml | 90 +------------------------------- meta/main.yml | 2 +- tasks/main.yml | 37 ++++++++++--- templates/etc_ssh_ssh_config.j2 | 5 +- templates/etc_ssh_sshd_config.j2 | 2 +- vars/bionic.yml | 10 ++++ vars/main.yml | 85 ++++++++++++++++++++++++++++++ vars/xenial.yml | 4 ++ 8 files changed, 137 insertions(+), 98 deletions(-) create mode 100644 vars/bionic.yml create mode 100644 vars/xenial.yml diff --git a/defaults/main.yml b/defaults/main.yml index 46c257e..d4477b4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,90 +1,4 @@ --- -openssh_client_settings: - Host: "*" - Port: "22" - Protocol: "2,1" - AddressFamily: "any" - ForwardAgent: "no" - ForwardX11: "no" - ForwardX11Timeout: "300" - ForwardX11Trusted: "no" - RhostsRSAAuthentication: "no" - RSAAuthentication: "no" - PasswordAuthentication: "yes" - HostbasedAuthentication: "no" - GSSAPIAuthentication: "no" - GSSAPIDelegateCredentials: "no" - GSSAPIKeyExchange: "no" - GSSAPITrustDNS: "no" - BatchMode: "no" - CheckHostIP: "yes" - ConnectTimeout: "30" - StrictHostKeyChecking: "ask" - Cipher: "aes256-cbc" - MACs: "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160" - EscapeChar: "~" - Tunnel: "no" - TunnelDevice: "any:any" - PermitLocalCommand: "no" - VisualHostKey: "no" - ChallengeResponseAuthentication: "yes" - Compression: "no" - CompressionLevel: "4" - ConnectionAttempts: "1" - ExitOnForwardFailure: "no" - GatewayPorts: "no" - UsePrivilegedPort: "no" - TCPKeepAlive: "no" +openssh_client_settings: {} -openssh_server_settings: - Port: "22" - AddressFamily: "any" - Protocol: "2" - UsePrivilegeSeparation: "yes" - KeyRegenerationInterval: "3600" - ServerKeyBits: "1024" - SyslogFacility: "AUTH" - LogLevel: "INFO" - LoginGraceTime: "120" - PermitRootLogin: "no" - StrictModes: "yes" - MaxAuthTries: "6" - MaxSessions: "10" - RSAAuthentication: "yes" - PubkeyAuthentication: "yes" - AuthorizedKeysFile: "%h/.ssh/authorized_keys" - IgnoreRhosts: "yes" - RhostsRSAAuthentication: "no" - HostbasedAuthentication: "no" - IgnoreUserKnownHosts: "no" - PermitEmptyPasswords: "no" - ChallengeResponseAuthentication: "no" - PasswordAuthentication: "no" - KerberosAuthentication: "no" - KerberosOrLocalPasswd: "yes" - KerberosTicketCleanup: "yes" - GSSAPIAuthentication: "no" - GSSAPICleanupCredentials: "yes" - X11Forwarding: "yes" - X11DisplayOffset: "10" - X11UseLocalhost: "yes" - PrintMotd: "no" - PrintLastLog: "yes" - TCPKeepAlive: "yes" - UseLogin: "no" - MaxStartups: "10:30:100" - Banner: "none" - AcceptEnv: "LANG LC_*" - Subsystem: 
"sftp /usr/lib/openssh/sftp-server" - UsePAM: "yes" - UseDNS: "no" - AllowAgentForwarding: "yes" - AllowTcpForwarding: "yes" - GatewayPorts: "no" - ClientAliveInterval: "1750" - ClientAliveCountMax: "0" - PermitUserEnvironment: "no" - Compression: "delayed" - PidFile: "/var/run/sshd.pid" - PermitTunnel: "no" - ChrootDirectory: "none" +openssh_server_settings: {} diff --git a/meta/main.yml b/meta/main.yml index 0c2fa97..4e8a7aa 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: author: pjan vandaele company: ANXS description: "Install and configure openssh" - min_ansible_version: 2.3 + min_ansible_version: 2.7 license: MIT platforms: - name: Ubuntu diff --git a/tasks/main.yml b/tasks/main.yml index 4cc7ef7..4f27a11 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,10 +1,35 @@ --- -- name: OpenSSH | Make sure server and client packages are installed +- name: "default dist is xenial" + set_fact: + openssh_dist_config: "{{openssh_dist_default}}" + +- name: "check for dist overrides" + stat: + path: "{{role_path}}/vars/{{ansible_distribution_release|lower}}.yml" + connection: local + delegate_to: localhost + register: openssh_dist_override + become: false + +- name: "override dist config" + set_fact: + openssh_dist_config: "{{ansible_distribution_release|lower}}" + when: openssh_dist_override.stat.exists + +- name: "include dist overrides" + include_vars: "{{openssh_dist_config}}.yml" + +- name: "Make sure server and client packages are installed" apt: pkg: "{{openssh_deps}}" state: present -- name: OpenSSH | Configure OpenSSH Client +- name: "Set configuration with overrides" + set_fact: + openssh_client_config: "{{openssh_client_default|combine(openssh_client_dist|default({}))|combine(openssh_client_settings)}}" + openssh_server_config: "{{openssh_server_default|combine(openssh_server_dist|default({}))|combine(openssh_server_settings)}}" + +- name: "Configure OpenSSH Client" template: src: etc_ssh_ssh_config.j2 dest: /etc/ssh/ssh_config 
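Review bot: The two keys left in defaults/main.yml, `openssh_client_settings: {}` and `openssh_server_settings: {}`, give no hint that they are now merged over the role's built-in profile instead of replacing it, which changes behaviour for anyone who previously set a reduced dictionary here. A comment above each would save the next reader a trip through tasks/main.yml, e.g. `# Merged (via combine) over vars/main.yml and the per-release vars/<release>.yml profile; keys set here win.` The same expectation belongs in the role's README, if it has one.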
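Review bot: When no `vars/<release>.yml` exists for the target, the "override dist config" task is skipped and `openssh_dist_config` silently keeps the value of `openssh_dist_default`, so an unlisted release is configured with another distribution's option profile, and a single option sshd does not recognise is enough for the generated config to be rejected. If the fallback is deliberate, say so in a comment on the "default dist is xenial" task; otherwise a guard such as `- assert: { that: openssh_dist_override.stat.exists, fail_msg: "no vars profile for {{ansible_distribution_release|lower}}" }` fails loudly on the control node instead of on the target. Separately, `connection: local` and `delegate_to: localhost` on the stat task do the same job, so one of them can go.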
@@ -12,7 +37,7 @@ group: root mode: 0644 -- name: OpenSSH | Configure OpenSSH Server +- name: "Configure OpenSSH Server" template: src: etc_ssh_sshd_config.j2 dest: /etc/ssh/sshd_config @@ -22,16 +47,16 @@ notify: - restart ssh -- name: OpenSSH | Determine if previously generated host keys +- name: "Determine if previously generated host keys" stat: path: "{{openssh_hostkey_file}}" register: anxs_openssh_hostkeys -- name: OpenSSH | Ensure all host keys are generated +- name: "Ensure all host keys are generated" command: ssh-keygen -A when: not anxs_openssh_hostkeys.stat.exists -- name: OpenSSH | Remember we generated host keys +- name: "Remember we generated host keys" file: dest: "{{openssh_hostkey_file}}" state: touch diff --git a/templates/etc_ssh_ssh_config.j2 b/templates/etc_ssh_ssh_config.j2 index 869f9fc..1224173 100644 --- a/templates/etc_ssh_ssh_config.j2 +++ b/templates/etc_ssh_ssh_config.j2 @@ -1,3 +1,4 @@ -{% for key, value in openssh_client_settings.iteritems() %} -{{key|e}} {{value|e}} +Host * +{% for key, value in openssh_client_config.iteritems() %} +{{' '}}{{key|e}} {{value|e}} {% endfor %} diff --git a/templates/etc_ssh_sshd_config.j2 b/templates/etc_ssh_sshd_config.j2 index 775493e..db18d96 100644 --- a/templates/etc_ssh_sshd_config.j2 +++ b/templates/etc_ssh_sshd_config.j2 @@ -1,3 +1,3 @@ -{% for key, value in openssh_server_settings.iteritems() %} +{% for key, value in openssh_server_config.iteritems() %} {{key|e}} {{value|e}} {% endfor %} diff --git a/vars/bionic.yml b/vars/bionic.yml new file mode 100644 index 0000000..5659a37 --- /dev/null +++ b/vars/bionic.yml @@ -0,0 +1,10 @@ +--- +openssh_client_dist: + Cipher: "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc" + +openssh_server_dist: + RekeyLimit: "default none" + KerberosAuthentication: "no" + KerberosOrLocalPasswd: "yes" + KerberosTicketCleanup: "yes" + KerberosGetAFSToken: "no" diff --git a/vars/main.yml b/vars/main.yml index c52ac6d..892e5bc 100644 --- a/vars/main.yml 
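Review bot: The new line `{{' '}}{{key|e}} {{value|e}}` runs both halves through Jinja's `e` filter, which is HTML escaping, on text that ssh reads as a plain config file, so any value containing `&`, `<`, `>`, `'` or `"` (a `ProxyCommand` or `LocalCommand` with quoting or redirection, say) is emitted as `&amp;`, `&lt;` or `&#39;` and becomes a broken option. Dropping the filter, `{{' '}}{{key}} {{value}}`, gives the intended output; the unchanged line of templates/etc_ssh_sshd_config.j2 carries the same filter and needs the same treatment. The `{{' '}}` prefix is presumably there to protect the leading space from whitespace trimming; a one-line template comment saying so would keep it from being "cleaned up" later.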
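Review bot: `Cipher` (singular) in the new `openssh_client_dist` is the legacy protocol-1 option; the protocol-2 cipher list is `Ciphers`, so with `Protocol: "2"` in vars/main.yml this line configures nothing and, as far as I can tell, only produces a deprecated-option warning on the OpenSSH shipped by bionic and later. The same applies to the `Cipher` and `RSAAuthentication` keys in vars/xenial.yml (this patch) and vars/buster.yml (patch 4), `RSAAuthentication` being protocol-1 only as well. If the intent is to pin the protocol-2 cipher list, rename the key to `Ciphers: "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc"` and consider dropping the CBC and 3DES entries, which newer OpenSSH releases have removed from their default proposals; otherwise these keys can simply be deleted.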
+++ b/vars/main.yml 
@@ -1,5 +1,90 @@ --- +openssh_dist_default: "xenial" openssh_deps: - openssh-client - openssh-server openssh_hostkey_file: /var/run/anxs-openssh-hostkeys + +openssh_client_default: + Port: "22" + Protocol: "2" + AddressFamily: "any" + ForwardAgent: "no" + ForwardX11: "no" + ForwardX11Timeout: "300" + ForwardX11Trusted: "no" + PasswordAuthentication: "yes" + HostbasedAuthentication: "no" + GSSAPIAuthentication: "no" + GSSAPIDelegateCredentials: "no" + GSSAPIKeyExchange: "no" + GSSAPITrustDNS: "no" + BatchMode: "no" + CheckHostIP: "yes" + ConnectTimeout: "30" + StrictHostKeyChecking: "ask" + MACs: "hmac-md5,hmac-sha1,umac-64@openssh.com" + EscapeChar: "~" + Tunnel: "no" + TunnelDevice: "any:any" + PermitLocalCommand: "no" + VisualHostKey: "no" + ChallengeResponseAuthentication: "yes" + Compression: "no" + ConnectionAttempts: "1" + ExitOnForwardFailure: "no" + GatewayPorts: "no" + UsePrivilegedPort: "no" + TCPKeepAlive: "no" + +openssh_server_default: + Port: "22" + AddressFamily: "any" + Protocol: "2" + UsePrivilegeSeparation: "yes" + KeyRegenerationInterval: "3600" + ServerKeyBits: "1024" + SyslogFacility: "AUTH" + LogLevel: "INFO" + LoginGraceTime: "120" + PermitRootLogin: "no" + StrictModes: "yes" + MaxAuthTries: "6" + MaxSessions: "10" + PubkeyAuthentication: "yes" + AuthorizedKeysFile: "%h/.ssh/authorized_keys" + IgnoreRhosts: "yes" + HostbasedAuthentication: "no" + IgnoreUserKnownHosts: "no" + PermitEmptyPasswords: "no" + ChallengeResponseAuthentication: "no" + PasswordAuthentication: "no" + KerberosAuthentication: "no" + KerberosOrLocalPasswd: "yes" + KerberosTicketCleanup: "yes" + GSSAPIAuthentication: "no" + GSSAPICleanupCredentials: "yes" + X11Forwarding: "yes" + X11DisplayOffset: "10" + X11UseLocalhost: "yes" + PrintMotd: "no" + PrintLastLog: "yes" + TCPKeepAlive: "yes" + UseLogin: "no" + MaxStartups: "10:30:100" + Banner: "none" + AcceptEnv: "LANG LC_*" + Subsystem: "sftp /usr/lib/openssh/sftp-server" + UsePAM: "yes" + UseDNS: "no" + AllowAgentForwarding: 
"yes" + AllowTcpForwarding: "yes" + GatewayPorts: "no" + ClientAliveInterval: "1750" + ClientAliveCountMax: "0" + PermitUserEnvironment: "no" + Compression: "delayed" + PidFile: "/var/run/sshd.pid" + PermitTunnel: "no" + ChrootDirectory: "none" + diff --git a/vars/xenial.yml b/vars/xenial.yml new file mode 100644 index 0000000..ffd487c --- /dev/null +++ b/vars/xenial.yml @@ -0,0 +1,4 @@ +--- +openssh_client_dist: + Cipher: "aes256-cbc" + RSAAuthentication: "yes" From 317a11c99f8156997ef963f503b3926f620fd759 Mon Sep 17 00:00:00 2001 From: Jonathan Freedman Date: Sun, 21 Feb 2021 17:18:18 -0800 Subject: [PATCH 2/5] updating the ssh role a bit --- templates/etc_ssh_ssh_config.j2 | 2 +- templates/etc_ssh_sshd_config.j2 | 2 +- vagrant/roles/openssh | 1 - vars/bionic.yml | 1 - vars/focal.yml | 7 +++++++ vars/main.yml | 4 ---- vars/xenial.yml | 7 +++++++ 7 files changed, 16 insertions(+), 8 deletions(-) delete mode 120000 vagrant/roles/openssh create mode 100644 vars/focal.yml diff --git a/templates/etc_ssh_ssh_config.j2 b/templates/etc_ssh_ssh_config.j2 index 1224173..6309442 100644 --- a/templates/etc_ssh_ssh_config.j2 +++ b/templates/etc_ssh_ssh_config.j2 @@ -1,4 +1,4 @@ Host * -{% for key, value in openssh_client_config.iteritems() %} +{% for key, value in openssh_client_config.items() %} {{' '}}{{key|e}} {{value|e}} {% endfor %} diff --git a/templates/etc_ssh_sshd_config.j2 b/templates/etc_ssh_sshd_config.j2 index db18d96..4126fbe 100644 --- a/templates/etc_ssh_sshd_config.j2 +++ b/templates/etc_ssh_sshd_config.j2 @@ -1,3 +1,3 @@ -{% for key, value in openssh_server_config.iteritems() %} +{% for key, value in openssh_server_config.items() %} {{key|e}} {{value|e}} {% endfor %} diff --git a/vagrant/roles/openssh b/vagrant/roles/openssh deleted file mode 120000 index 6581736..0000000 --- a/vagrant/roles/openssh +++ /dev/null @@ -1 +0,0 @@ -../../ \ No newline at end of file diff --git a/vars/bionic.yml b/vars/bionic.yml index 5659a37..61b0b3a 100644 
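Review bot: `ClientAliveInterval: "1750"` combined with `ClientAliveCountMax: "0"` in `openssh_server_default` does not mean the same thing on every release this role targets: before OpenSSH 8.2 a zero count dropped the session at the first idle interval, while from 8.2 on (if I recall the release notes correctly) zero disables connection termination altogether, so focal and later hosts would never time out idle sessions. Setting `ClientAliveCountMax: "3"`, or whatever bound is actually intended, behaves identically across versions, and a comment beside it stating the intended idle timeout would help. Also worth a conscious decision: the client `MACs: "hmac-md5,hmac-sha1,umac-64@openssh.com"` offers only MD5/SHA-1 based MACs and none of the SHA-2 family such as `hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com`, and `X11Forwarding: "yes"` is enabled on every server by default. Both are policy choices the role may want, but they deserve a comment explaining why.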
--- a/vars/bionic.yml +++ b/vars/bionic.yml @@ -7,4 +7,3 @@ openssh_server_dist: KerberosAuthentication: "no" KerberosOrLocalPasswd: "yes" KerberosTicketCleanup: "yes" - KerberosGetAFSToken: "no" diff --git a/vars/focal.yml b/vars/focal.yml new file mode 100644 index 0000000..e74f50f --- /dev/null +++ b/vars/focal.yml @@ -0,0 +1,7 @@ +--- +openssh_server_dist: + RekeyLimit: "default none" + KerberosAuthentication: "no" + KerberosOrLocalPasswd: "yes" + KerberosTicketCleanup: "yes" + KerberosGetAFSToken: "no" diff --git a/vars/main.yml b/vars/main.yml index 892e5bc..c7a0e77 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -41,9 +41,6 @@ openssh_server_default: Port: "22" AddressFamily: "any" Protocol: "2" - UsePrivilegeSeparation: "yes" - KeyRegenerationInterval: "3600" - ServerKeyBits: "1024" SyslogFacility: "AUTH" LogLevel: "INFO" LoginGraceTime: "120" @@ -70,7 +67,6 @@ openssh_server_default: PrintMotd: "no" PrintLastLog: "yes" TCPKeepAlive: "yes" - UseLogin: "no" MaxStartups: "10:30:100" Banner: "none" AcceptEnv: "LANG LC_*" diff --git a/vars/xenial.yml b/vars/xenial.yml index ffd487c..5ca91f9 100644 --- a/vars/xenial.yml +++ b/vars/xenial.yml @@ -2,3 +2,10 @@ openssh_client_dist: Cipher: "aes256-cbc" RSAAuthentication: "yes" + +openssh_server_dist: + UsePrivilegeSeparation: "yes" + KeyRegenerationInterval: "3600" + ServerKeyBits: "1024" + UseLogin: "no" + KerberosGetAFSToken: "no" From dcf6e063ef5d915cd3f89ac6f8ff75128ea62955 Mon Sep 17 00:00:00 2001 From: Jonathan Freedman Date: Mon, 21 Mar 2022 16:46:28 -0700 Subject: [PATCH 3/5] another one bites the dust --- vars/focal.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/vars/focal.yml b/vars/focal.yml index e74f50f..4c70b0f 100644 --- a/vars/focal.yml +++ b/vars/focal.yml @@ -4,4 +4,3 @@ openssh_server_dist: KerberosAuthentication: "no" KerberosOrLocalPasswd: "yes" KerberosTicketCleanup: "yes" - KerberosGetAFSToken: "no" From fa522dafb13eb4db1747c1c54e681e2ea2535d6a Mon Sep 17 00:00:00 2001 
From: Jonathan Freedman Date: Wed, 30 Mar 2022 09:36:18 -0700 Subject: [PATCH 4/5] add a new os profile --- vars/buster.yml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 vars/buster.yml diff --git a/vars/buster.yml b/vars/buster.yml new file mode 100644 index 0000000..ffd487c --- /dev/null +++ b/vars/buster.yml @@ -0,0 +1,4 @@ +--- +openssh_client_dist: + Cipher: "aes256-cbc" + RSAAuthentication: "yes" From 0134c5193cd2959e4efd5ce7566b5b5f84043383 Mon Sep 17 00:00:00 2001 From: Jonathan Freedman Date: Thu, 11 May 2023 13:00:08 -0700 Subject: [PATCH 5/5] new year, new raspi --- vars/bullseye.yml | 6 ++++++ vars/main.yml | 3 +-- 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 vars/bullseye.yml diff --git a/vars/bullseye.yml b/vars/bullseye.yml new file mode 100644 index 0000000..4c70b0f --- /dev/null +++ b/vars/bullseye.yml @@ -0,0 +1,6 @@ +--- +openssh_server_dist: + RekeyLimit: "default none" + KerberosAuthentication: "no" + KerberosOrLocalPasswd: "yes" + KerberosTicketCleanup: "yes" diff --git a/vars/main.yml b/vars/main.yml index c7a0e77..4a66b76 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,5 +1,5 @@ --- -openssh_dist_default: "xenial" +openssh_dist_default: "focal" openssh_deps: - openssh-client - openssh-server @@ -83,4 +83,3 @@ openssh_server_default: PidFile: "/var/run/sshd.pid" PermitTunnel: "no" ChrootDirectory: "none" -