Last active
January 4, 2024 19:52
-
-
Save cmavr8/eb4a9e596bd0e3e85f97d907de288c54 to your computer and use it in GitHub Desktop.
Secure SSH configuration ansible playbook. Last updated years ago, NOT recommended for use. There are better ways to do this today.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# SSH server settings, in line with https://stribika.github.io/2015/01/04/secure-secure-shell.html | |
# Before using, change myhosts to your hosts' nickname and myuser to your username (two instances! make sure you replace both or you'll be locked out of ssh!) | |
- hosts: myhosts | |
become: true | |
remote_user: myuser | |
tasks: | |
# Key exchange, ciphers and MACs | |
- lineinfile: dest=/etc/ssh/sshd_config regexp='^KexAlgorithms' line='KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256' | |
- lineinfile: dest=/etc/ssh/sshd_config regexp='^Ciphers' line='Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr' | |
# I have removed hmac-ripemd160 and [email protected] from the following line, as Mozilla's SSH guidelines are stricter and avoid using them. Just to be on the safe side. | |
- lineinfile: dest=/etc/ssh/sshd_config regexp='^MACs' line='MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]' | |
- name: Enable the most secure server auth algos and protocol version | |
lineinfile: dest=/etc/ssh/sshd_config regexp='^Protocol 2' line='Protocol 2' | |
- lineinfile: dest=/etc/ssh/sshd_config regexp='^HostKey /etc/ssh/ssh_host_ed25519_key' line='HostKey /etc/ssh/ssh_host_ed25519_key' | |
- lineinfile: dest=/etc/ssh/sshd_config regexp='^HostKey /etc/ssh/ssh_host_rsa_key' line='HostKey /etc/ssh/ssh_host_rsa_key' | |
- name: Disable bad ones | |
lineinfile: | |
dest: /etc/ssh/sshd_config | |
regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key' | |
state: absent | |
- lineinfile: | |
dest: /etc/ssh/sshd_config | |
regexp: '^HostKey /etc/ssh/ssh_host_dsa_key' | |
state: absent | |
- name: And remove the files | |
file: | |
dest: /etc/ssh/ssh_host_ecdsa_key.pub | |
state: absent | |
- file: | |
dest: /etc/ssh/ssh_host_ecdsa_key | |
state: absent | |
- file: | |
dest: /etc/ssh/ssh_host_dsa_key.pub | |
state: absent | |
- file: | |
dest: /etc/ssh/ssh_host_dsa_key | |
state: absent | |
- name: Password based logins are disabled - only public key based logins are allowed. | |
lineinfile: dest=/etc/ssh/sshd_config regexp='^#?AuthenticationMethods' line='AuthenticationMethods publickey' | |
- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PasswordAuthentication' line='PasswordAuthentication no' | |
- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?ChallengeResponseAuthentication' line='ChallengeResponseAuthentication no' | |
- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PubkeyAuthentication' line='PubkeyAuthentication yes' | |
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. | |
- lineinfile: dest=/etc/ssh/sshd_config regexp='^LogLevel' line='LogLevel VERBOSE' | |
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise. | |
- lineinfile: dest=/etc/ssh/sshd_config regexp='^Subsystem sftp' line='Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO' | |
# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user | |
# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH. | |
# Additionally, only tools such as systemd and auditd record the process session id. | |
# On other OSes, the user session id is not necessarily recorded at all kernel-side. | |
# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track. | |
- lineinfile: dest=/etc/ssh/sshd_config regexp='^PermitRootLogin' line='PermitRootLogin No' | |
# Use kernel sandbox mechanisms where possible in unprivileged processes | |
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere. | |
- lineinfile: dest=/etc/ssh/sshd_config regexp='^UsePrivilegeSeparation' line='UsePrivilegeSeparation sandbox' | |
# Only allow specific users to login remotely (may be more suitable to change this to AllowGroups). | |
- lineinfile: dest=/etc/ssh/sshd_config regexp='^AllowUsers' line='AllowUsers myuser' | |
# And some client-side, ssh_config modifications | |
- name: Generic ssh client settings. Includes special settings for Github; it needs diffie-hellman-group-exchange-sha1 some of the time but not always. | |
blockinfile: | |
dest: /etc/ssh/ssh_config | |
block: | | |
Host * | |
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256 | |
PasswordAuthentication no | |
ChallengeResponseAuthentication no | |
PubkeyAuthentication yes | |
HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,ssh-rsa | |
MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected] | |
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr | |
UseRoaming no | |
Host github.com | |
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 | |
- debug: | |
msg: "If needed, Generate client keys using the following command: ssh-keygen -t ed25519 -o -a 100 && ssh-keygen -t rsa -b 4096 -o -a 100" |
Thanks, @cmavr8 I was more wondering how you implement the rules not which rule. You mentioned templates.
@wojciehm ah ok gotcha. Well I haven't updated my playbooks lately, and I cannot publish them as is right now.
So you'd have to look into Ansible templating or search through Galaxy to find someone else's solution you can re-use. Github seems to have a few too, but none references Mozilla's guidelines directly.
Sorry I can't be of more help! :/
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hey @wojciehm, for private use, I'd just use https://infosec.mozilla.org/guidelines/openssh nowadays.