
Commit a9353e1

author
Sebastian Gumprich
committed
simplify macs, kex, ciphers
1 parent 5a96607 commit a9353e1


4 files changed

+104
-57
lines changed

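--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -124,6 +124,10 @@ ssh_server_permit_environment_vars: false
 ssh_ps53: 'yes'
 ssh_ps59: 'sandbox'
 
+ssh_macs: []
+ssh_ciphers: []
+ssh_kex: []
+
 ssh_macs_53_default:
 - hmac-ripemd160
 - hmac-sha1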
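Review bot: The three new lists `ssh_macs`, `ssh_ciphers` and `ssh_kex` carry no comment, yet their emptiness is the switch that makes the version-based selection in tasks/crypto.yml run (`when: ... and not ssh_macs`), while any non-empty value is taken as an explicit override. A comment above them would spare readers tracing that logic: `# Explicit MAC, cipher and kex lists for sshd_config. Leave empty to have tasks/crypto.yml pick a set matching the detected OpenSSH version; a non-empty list is used as given.`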

tasks/crypto.yml

Lines changed: 93 additions & 0 deletions
@@ -0,0 +1,93 @@
1+
---
2+
3+
- name: set hostkeys according to openssh-version
4+
set_fact:
5+
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
6+
when: sshd_version.stdout >= '6.3' and not ssh_host_key_files
7+
8+
- name: set hostkeys according to openssh-version
9+
set_fact:
10+
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
11+
when: sshd_version.stdout >= '6.0' and not ssh_host_key_files
12+
13+
- name: set hostkeys according to openssh-version
14+
set_fact:
15+
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
16+
when: sshd_version.stdout >= '5.3' and not ssh_host_key_files
17+
18+
###
19+
20+
- name: set weak macs according to openssh-version if openssh >= 6.6
21+
set_fact:
22+
ssh_macs: "{{ssh_macs_66_weak}}"
23+
when: sshd_version.stdout >= '6.6' and ssh_server_weak_hmac and not ssh_macs
24+
25+
- name: set macs according to openssh-version if openssh >= 6.6
26+
set_fact:
27+
ssh_macs: "{{ssh_macs_66_default}}"
28+
when: sshd_version.stdout >= '6.6' and not ssh_macs
29+
30+
- name: set weak macs according to openssh-version
31+
set_fact:
32+
ssh_macs: "{{ssh_macs_59_weak}}"
33+
when: sshd_version.stdout >= '5.9' and ssh_server_weak_hmac and not ssh_macs
34+
35+
- name: set macs according to openssh-version
36+
set_fact:
37+
ssh_macs: "{{ssh_macs_59_default}}"
38+
when: sshd_version.stdout >= '5.9' and not ssh_macs
39+
40+
- name: set macs according to openssh-version
41+
set_fact:
42+
ssh_macs: "{{ssh_macs_53_default}}"
43+
when: sshd_version.stdout >= '5.3' and not ssh_macs
44+
45+
- name: set macs according to openssh-version
46+
set_fact:
47+
ssh_macs: "{{ssh_macs_53_default}}"
48+
when: sshd_version.stdout >= '5.3' and not ssh_macs
49+
50+
###
51+
52+
- name: set weak ciphers according to openssh-version if openssh >= 6.6
53+
set_fact:
54+
ssh_ciphers: "{{ssh_ciphers_66_weak}}"
55+
when: sshd_version.stdout >= '6.6' and ssh_server_cbc_required and not ssh_ciphers
56+
57+
- name: set ciphers according to openssh-version if openssh >= 6.6
58+
set_fact:
59+
ssh_ciphers: "{{ssh_ciphers_66_default}}"
60+
when: sshd_version.stdout >= '6.6' and not ssh_ciphers
61+
62+
- name: set weak ciphers according to openssh-version
63+
set_fact:
64+
ssh_ciphers: "{{ssh_ciphers_53_weak}}"
65+
when: sshd_version.stdout >= '5.3' and ssh_server_cbc_required and not ssh_ciphers
66+
67+
- name: set ciphers according to openssh-version
68+
set_fact:
69+
ssh_ciphers: "{{ssh_ciphers_53_default}}"
70+
when: sshd_version.stdout >= '5.3' and not ssh_ciphers
71+
72+
###
73+
74+
- name: set weak kex according to openssh-version if openssh >= 6.6
75+
set_fact:
76+
ssh_kex: "{{ssh_kex_66_weak}}"
77+
when: sshd_version.stdout >= '6.6' and ssh_server_weak_hmac and not ssh_kex
78+
79+
- name: set kex according to openssh-version if openssh >= 6.6
80+
set_fact:
81+
ssh_kex: "{{ssh_kex_66_default}}"
82+
when: sshd_version.stdout >= '6.6' and not ssh_kex
83+
84+
- name: set weak kex according to openssh-version
85+
set_fact:
86+
ssh_kex: "{{ssh_kex_59_weak}}"
87+
when: sshd_version.stdout >= '5.9' and ssh_server_weak_hmac and not ssh_kex
88+
89+
- name: set kex according to openssh-version
90+
set_fact:
91+
ssh_kex: "{{ssh_kex_59_default}}"
92+
when: sshd_version.stdout >= '5.9' and not ssh_kex
93+
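Review bot: The two weak-kex tasks (new lines 74-77 and 84-87) gate on `ssh_server_weak_hmac`, but the template branches this commit removes selected the weak kex lists on `ssh_server_weak_kex`, so after this change enabling weak HMACs silently also enables the weak key-exchange set and setting `ssh_server_weak_kex` alone no longer has any effect. Both `when:` lines should read `when: sshd_version.stdout >= '6.6' and ssh_server_weak_kex and not ssh_kex` and `when: sshd_version.stdout >= '5.9' and ssh_server_weak_kex and not ssh_kex`. The task at new lines 45-48 is a byte-for-byte duplicate of the one at 40-43 and can be dropped. The version checks are plain string comparisons on `sshd_version.stdout`, which presumably holds for the versions listed here but orders a two-digit major such as '10.0' below '5.3'; Ansible's `version_compare` filter avoids that.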

tasks/main.yml

Lines changed: 1 addition & 14 deletions
@@ -15,20 +15,7 @@
1515
register: sshd_version
1616
check_mode: no
1717

18-
- name: set hostkeys according to openssh-version
19-
set_fact:
20-
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
21-
when: sshd_version.stdout >= '6.3' and not ssh_host_key_files
22-
23-
- name: set hostkeys according to openssh-version
24-
set_fact:
25-
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
26-
when: sshd_version.stdout >= '6.0' and not ssh_host_key_files
27-
28-
- name: set hostkeys according to openssh-version
29-
set_fact:
30-
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
31-
when: sshd_version.stdout >= '5.3' and not ssh_host_key_files
18+
- include: crypto.yml
3219

3320
- name: create revoked_keys and set permissions to root/600
3421
template: src='revoked_keys.j2' dest='/etc/ssh/revoked_keys' mode=0600 owner="{{ ssh_owner }}" group="{{ ssh_group }}"

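--- a/templates/opensshd.conf.j2
+++ b/templates/opensshd.conf.j2
@@ -48,40 +48,15 @@ LogLevel VERBOSE
 # eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
 # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
 #
-{% if ssh_server_cbc_required -%}
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version >= '7') or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11') -%}
-Ciphers {{ ssh_ciphers_66_weak | join(',') }}
-{% else %}
-Ciphers {{ ssh_ciphers_53_weak | join(',') }}
-{% endif %}
-{% else -%}
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version >= '7') or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11') -%}
-Ciphers {{ ssh_ciphers_66_default | join(',') }}
-{% else -%}
-Ciphers {{ ssh_ciphers_53_default | join(',') }}
-{% endif %}
-{% endif %}
+
+{{ "Ciphers "+ssh_ciphers| join(',') if ssh_ciphers else "Ciphers"|comment }}
 
 # **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
 # Weak HMAC is sometimes required if older package versions are used
 # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
 #
 
-{% if ssh_server_weak_hmac -%}
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version >= '7') or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11') -%}
-MACs {{ ssh_macs_66_weak | join(',') }}
-{% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
-MACs {{ ssh_macs_53_default | join(',') }}
-{% endif %}
-{% else -%}
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version >= '7') or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11') -%}
-MACs {{ ssh_macs_66_default | join(',') }}
-{% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
-MACs {{ ssh_macs_53_default | join(',') }}
-{% else -%}
-MACs {{ ssh_macs_59_default | join(',') }}
-{% endif %}
-{% endif %}
+{{ "MACs "+ssh_macs| join(',') if ssh_macs else "MACs"|comment }}
 
 # Alternative setting, if OpenSSH version is below v5.9
 #MACs hmac-ripemd160
@@ -90,21 +65,8 @@ LogLevel VERBOSE
 # Weak kex is sometimes required if older package versions are used
 # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
 # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version >= '7') or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11') -%}
-{% if ssh_server_weak_kex -%}
-KexAlgorithms {{ ssh_kex_66_weak | join(',') }}
-{% else -%}
-KexAlgorithms {{ ssh_kex_66_default | join(',') }}
-{% endif %}
-{% else -%}
-{% if ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
-#KexAlgorithms
-{% elif ssh_server_weak_kex -%}
-KexAlgorithms {{ sshd_kex_59_weak | join(',') }}
-{% else -%}
-KexAlgorithms {{ ssh_kex_59_default | join(',') }}
-{% endif %}
-{% endif %}
+
+{{ "KexAlgorithms "+ssh_kex| join(',') if ssh_kex else "KexAlgorithms"|comment }}
 
 # Authentication
 # --------------
@@ -275,3 +237,4 @@ Match User {{ item.user }}
 {{ item.rules | indent(4) }}
 {% endfor %}
 {% endif %}
+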
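Review bot: The new `Ciphers`, `MACs` and `KexAlgorithms` lines each fall back to emitting only a comment when the corresponding list is empty, so if tasks/crypto.yml selects nothing (for example when `sshd_version.stdout` is empty or does not compare as expected) the rendered sshd_config silently leaves all three directives at OpenSSH's compiled-in defaults, whereas the removed branches always wrote a Ciphers and a MACs line. That failure mode should be visible rather than silent: either the task side asserts the lists are non-empty before templating, or each line gets a Jinja comment such as `{# empty list: the directive is written commented out and sshd's built-in default applies #}`. The filter spacing `ssh_ciphers| join(',')` also differs from the `x | join(',')` form used elsewhere in this template; `{{ "Ciphers " + ssh_ciphers | join(',') if ssh_ciphers else "Ciphers" | comment }}` matches it, and the same applies to the MACs and KexAlgorithms lines.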
