From 59314077b90a69fca24f93627b4398c4453841cc Mon Sep 17 00:00:00 2001
From: Martin Verges
Date: Wed, 23 Oct 2019 15:52:21 +0200
Subject: [PATCH 1/3] add debian 10 (buster) support
---
 meta/main.yml | 2 ++
 vars/Debian_10.yml | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 vars/Debian_10.yml

diff --git a/meta/main.yml b/meta/main.yml
index 6928384..d2d7b30 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -10,6 +10,8 @@ galaxy_info:
 versions:
 - wheezy
 - jessie
+ - stretch
+ - buster
 - name: Ubuntu
 versions:
 - precise
diff --git a/vars/Debian_10.yml b/vars/Debian_10.yml
new file mode 100644
index 0000000..df468ce
--- /dev/null
+++ b/vars/Debian_10.yml
@@ -0,0 +1,32 @@
+---
+__sshd_service: ssh
+__sshd_packages:
+ - openssh-server
+ - openssh-sftp-server
+__sshd_config_mode: "0644"
+__sshd_defaults:
+ Port: 22
+ Protocol: 2
+ HostKey:
+ - /etc/ssh/ssh_host_rsa_key
+ - /etc/ssh/ssh_host_ecdsa_key
+ - /etc/ssh/ssh_host_ed25519_key
+ SyslogFacility: AUTH
+ LogLevel: INFO
+ LoginGraceTime: 120
+ PermitRootLogin: without-password
+ StrictModes: yes
+ PubkeyAuthentication: yes
+ IgnoreRhosts: yes
+ HostbasedAuthentication: no
+ PermitEmptyPasswords: no
+ ChallengeResponseAuthentication: no
+ X11Forwarding: yes
+ X11DisplayOffset: 10
+ PrintMotd: no
+ PrintLastLog: yes
+ TCPKeepAlive: yes
+ AcceptEnv: LANG LC_*
+ Subsystem: "sftp {{ sshd_sftp_server }}"
+ UsePAM: yes
+__sshd_os_supported: yes

From 1cbfc4e272ad0d45bf80cad10cffcbfc6b9c2a99 Mon Sep 17 00:00:00 2001
From: Martin Verges
Date: Thu, 24 Oct 2019 13:44:43 +0200
Subject: [PATCH 2/3] on debian10 securely configure SSH by default verified configuration with 'ssh-audit' removed controversial keys removed insecure macs,keys,ciphers tested on Debian 10 Buster
---
 vars/Debian_10.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/vars/Debian_10.yml b/vars/Debian_10.yml
index df468ce..018baf4 100644
--- a/vars/Debian_10.yml
+++ b/vars/Debian_10.yml
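Review bot: The boolean-looking sshd values in the new vars/Debian_10.yml hunk (`StrictModes: yes`, `PubkeyAuthentication: yes`, `PrintMotd: no`, `UsePAM: yes` and the rest) are read by Ansible's YAML 1.1 loader as booleans rather than the literal `yes`/`no` tokens sshd_config expects, so what lands in the rendered file depends on how the role's template treats True/False; unless that template is known to normalise booleans, quoting them (`StrictModes: "yes"`) keeps the sshd token intact on every parser. `Protocol: 2` is still accepted but has been a no-op since SSH protocol 1 was removed from OpenSSH, and `PermitRootLogin: without-password` is the legacy spelling of `prohibit-password`, which the OpenSSH shipped with Debian 10 understands; both could be modernised while this file is new. `PasswordAuthentication` is not set anywhere in the hunk, so the defaults inherit sshd's built-in `yes`; stating the value explicitly would document the decision either way.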
@@ -9,8 +9,10 @@ __sshd_defaults:
 Protocol: 2
 HostKey:
 - /etc/ssh/ssh_host_rsa_key
- - /etc/ssh/ssh_host_ecdsa_key
 - /etc/ssh/ssh_host_ed25519_key
+ HostKeyAlgorithms: ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com
+ KexAlgorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
+ MACs: umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
 SyslogFacility: AUTH
 LogLevel: INFO
 LoginGraceTime: 120
@@ -30,3 +32,4 @@ __sshd_defaults:
 Subsystem: "sftp {{ sshd_sftp_server }}"
 UsePAM: yes
 __sshd_os_supported: yes
+

From fb530596cd389f4ff65668e27d28ce0b5fd1ae03 Mon Sep 17 00:00:00 2001
From: Martin Verges
Date: Wed, 6 Nov 2019 20:36:36 +0100
Subject: [PATCH 3/3] clean up for ansible-lint
---
 handlers/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index bee2e20..dab5dfb 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -18,7 +18,7 @@
 - name: Reload sshd Service (AIX)
 shell: |
 stopsrc -s sshd
- until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done
+ until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done
 startsrc -s sshd
 listen: reload_sshd
 when:
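Review bot: `HostKeyAlgorithms` in the first hunk of patch 2 still advertises `ecdsa-sha2-nistp256` even though the same hunk removes `/etc/ssh/ssh_host_ecdsa_key` from `HostKey`, so that entry can never be backed by a key, and the RSA host key is offered only as `ssh-rsa` (SHA-1 signatures) because `rsa-sha2-512`/`rsa-sha2-256` are not listed. Either drop both `ecdsa-sha2-nistp256` and `ssh-rsa`, or list the SHA-2 RSA variants instead: `HostKeyAlgorithms: ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256`. The commit message says insecure ciphers were removed, but no `Ciphers` key appears in the hunk, so the cipher set stays at sshd's compiled-in default; either add the directive or adjust the message. The three added lines also run well past 120 columns; if the role's template can join a list, a block sequence with one algorithm per item would diff far more cleanly than a single comma-separated scalar. The `__sshd_defaults` mapping continues outside this hunk.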