dev-sec / ansible-ssh-hardening
This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.
Home Page: http://dev-sec.io/
I tried to find info about the selinux module ssh_password (https://www.google.com/search?q="ssh_password"+selinux) and I didn't find anything unrelated to this ansible role, so I'm assuming it is a custom module and its definition is the file: https://github.com/dev-sec/ansible-ssh-hardening/blob/master/files/ssh_password
What I don't understand is that in the role, the first mention of it is to check if it's installed. But there isn't any task to install it prior to that, and this role doesn't have any other role as a dependency either.
So what I'm trying to understand is if this is an error and there should be a task installing the module first, or whether I'm missing something.
There are new baseline-tests here that have to be included in travis!
From the sshd_config file on a CentOS 7 box:
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
As such, it's probably a good idea to default ssh_use_pam to true on RedHat 7.
This warning isn't in the CentOS 6 sshd_config file, but there is an article in the Red Hat 6 knowledgebase about not being able to SSH into a system if UsePAM is off and SELinux is on. I don't have an account and can't see the solution, though, so there might be a way to deal with that.
See also dev-sec/puppet-ssh-hardening#53 and dev-sec/chef-ssh-hardening#96.
Distributor ID: Debian
Description: Debian GNU/Linux 8.7 (jessie)
Release: 8.7
Codename: jessie
I get the following error when running this role:
[...] line 56: Bad SSH2 mac spec '[email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
Any hint on this?
thanks
Hey guys, I've just run into this issue with a very basic configuration and found duplicates in /etc/ssh/sshd_config afterwards. The relevant details:
$ lsb_release -id
Distributor ID: Debian
Description: Debian GNU/Linux 8.8 (jessie)
- name: Configure sshd and restart
  hosts: web
  user: bob
  become: yes
  roles:
    - role: dev-sec.ssh-hardening
      ssh_port: 22
      ssh_use_pam: true
      sftp_enabled: true
      network_ipv6_enable: false
sudo egrep -v '^(#|$)' /etc/ssh/sshd_config | sort | uniq -d
AllowAgentForwarding no
AllowTcpForwarding no
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no
As I intend to use sftp early in the process, I've commented out the duplicate parameters outside of the if sftp_enabled block.
egrep '(AllowAgentForwarding|AllowTcpForwarding|PasswordAuthentication|PermitRootLogin|X11Forwarding)' templates/opensshd.conf.j2
#PermitRootLogin {{ 'without-password' if ssh_allow_root_with_key else 'no' }}
#PasswordAuthentication {{ 'yes' if ssh_server_password_login else 'no' }}
#AllowTcpForwarding {{ 'yes' if ssh_allow_tcp_forwarding else 'no' }}
#AllowAgentForwarding {{ 'yes' if ssh_allow_agent_forwarding else 'no' }}
#X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no
This is gross but it does eliminate the duplicates:
The ansible run output with -v has been included: ansible-sshd.txt
As always, I reserve the right to be completely in the wrong :-)
Please let me know if I've duffed it.
ssh_ports: ['22'] in the main README did not work to change the SSH port from the default 22 for me. In the end I followed the trail backwards and ended up at the ssh_server_ports: ['1234'] variable.
Is this a mistake? ssh_ports vs ssh_server_ports and ssh_client_ports? I couldn't find anywhere that combined the two?
TASK [dev-sec.ssh-hardening : create sshd_config and set permissions to root/600] ************
task path: /home/snoopy/ansible/roles/dev-sec.ssh-hardening/tasks/main.yml:25
fatal: [woodstock]: FAILED! => {
"changed": false,
"msg": "AnsibleError: Unexpected templating type error occurred on (
...
Content of templates/opensshd.conf.j2
...
): 'int' object is not iterable"
}
Copy module works.
I tried to apply the role to a server and after successfully applying it, I can't connect to the server by SSH. I read the FAQ and tried to change different settings, but it doesn't help. The server is running Ubuntu 16.04.
SSH client log:
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /xxx/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /xxx/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /xxx/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /xxx/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /xxx/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /xxx/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /xxx/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /xxx/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1
debug1: match: OpenSSH_6.6.1p1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to x.x.x.x:22 as 'artem'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:TY3W4ZY8ysTNV33FH5gnJUQuNWjJ2zdc0M3nMo2rHbI
debug1: Host 'x.x.x.x' is known and matches the ECDSA host key.
debug1: Found key in /xxx/.ssh/known_hosts:32
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /xxx/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /xxx/.ssh/id_dsa
debug1: Trying private key: /xxx/.ssh/id_ecdsa
debug1: Trying private key: /xxx/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
Curious whether there's any interest in supporting coreos?
The variable ssh_server_weak_kex is not used anywhere and has no effect on this role.
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
Hello,
When running this role on a CentOS 7 I get the following errors:
TASK [dev-sec.ssh-hardening : check and compile policy] ************************
fatal: [192.168.77.10]: FAILED! => {"changed": true, "cmd": "checkmodule -M -m -o /etc/selinux/local-policies/ssh_password.mod /etc/selinux/local-policies/ssh_password", "delta": "0:00:00.002428", "end": "2016-10-10 11:48:41.962335", "failed": true, "rc": 127, "start": "2016-10-10 11:48:41.959907", "stderr": "/bin/sh: checkmodule: command not found", "stdout": "", "stdout_lines": [], "warnings": []}
Then I've installed the checkpolicy package and had this error:
TASK [dev-sec.ssh-hardening : create selinux policy module package] ************
fatal: [192.168.77.10]: FAILED! => {"changed": true, "cmd": "semodule_package -o /etc/selinux/local-policies/ssh_password.pp -m /etc/selinux/local-policies/ssh_password.mod", "delta": "0:00:00.002294", "end": "2016-10-10 11:50:04.572800", "failed": true, "rc": 127, "start": "2016-10-10 11:50:04.570506", "stderr": "/bin/sh: semodule_package: command not found", "stdout": "", "stdout_lines": [], "warnings": []}
Resolved by installing policycoreutils-python package.
Then the role applied correctly.
Should the ansible role manage its dependencies?
Romain
Perhaps I'm missing something obvious, but I'm unable to run the inspec test suites locally with virtualbox hosts. Creating and converging is fine, but the inspec tests are skipped altogether:
bundle exec kitchen verify debian-8
-----> Starting Kitchen (v1.5.0)
-----> Verifying <ansible-19-debian-8>...
Finished in 0.00025 seconds (files took 0.95551 seconds to load)
0 examples, 0 failures
Finished verifying <ansible-19-debian-8> (0m0.80s).
-----> Verifying <ansible-latest-debian-8>...
Finished in 0.00019 seconds (files took 1.51 seconds to load)
0 examples, 0 failures
Finished verifying <ansible-latest-debian-8> (0m0.55s).
-----> Kitchen is finished. (0m1.75s)
zlib(finalizer): the stream was freed prematurely.
zlib(finalizer): the stream was freed prematurely.
This is likely a regression introduced by #56, since the integration suites are no longer called "default". Changing the test dir seems to fix it:
bundle exec kitchen verify ansible-latest-debian-8
-----> Starting Kitchen (v1.5.0)
-----> Verifying <ansible-latest-debian-8>...
.................FFF..........FFF..............................................................
Possible solutions are renaming the inspec test directory, which I don't like, or adding a verifier parameter to the suite blocks to point to the appropriate tests (since the tests are shared across all versions of ansible).
It would be great if this role took in a list variable containing host keys and constructed the /etc/ssh/known_hosts file. The GlobalKnownHostsFile configuration parameter would also need to be set in ssh_config.
Thank you for an awesome tool!
Problem: this module stops one new user from logging in, but not the default ubuntu vagrant user.
I've set up the user/playbook like so:
- role: dev-sec.os-hardening
#- role: dev-sec.ssh-hardening
#  sftp_enabled: true
- role: sansible.users_and_groups
  users_and_groups:
    authorized_keys_dir: /etc/ssh/authorized_keys
    groups:
      - name: sftp-only
    users:
      - name: myuser
        groups:
          - sftp-only
        home: /home/myuser
        ssh_key: ./myuser.pub
If I comment in this module in the above playbook, I get this error in /var/log/auth.log:
May 23 18:05:21 ubuntu-xenial sshd[26236]: Connection from 10.0.2.2 port 59156 on 10.0.2.15 port 22
May 23 18:05:21 ubuntu-xenial sshd[26236]: User myuser not allowed because account is locked
May 23 18:05:21 ubuntu-xenial sshd[26236]: input_userauth_request: invalid user myuser [preauth]
May 23 18:05:21 ubuntu-xenial sshd[26236]: error: maximum authentication attempts exceeded for invalid user myuser from 10.0.2.2 port 59156 ssh2 [preauth]
May 23 18:05:21 ubuntu-xenial sshd[26236]: Disconnecting: Too many authentication failures [preauth]
May 23 18:05:31 ubuntu-xenial su[22231]: pam_unix(su:session): session closed for user myuser
It's running on xenial64, the 16.04 LTS of Ubuntu.
Provisioning the node without this module makes it possible to access both SSH and SFTP with the newly created user.
On CentOS 7 the option UseLogin no produces the following deprecation warning on each ssh login:
rexec line 69: Deprecated option UseLogin
Hello,
It's not a major problem but it's useful to really know what is changed when we execute a playbook, and those tasks always return a 'changed' state:
TASK [dev-sec.ssh-hardening : check and compile policy] ************************
changed: [server]
TASK [dev-sec.ssh-hardening : create selinux policy module package] ************
changed: [server]
TASK [dev-sec.ssh-hardening : install selinux policy] **************************
changed: [server]
It would be nice if they weren't executed if not needed, or didn't produce a changed state if not necessary.
Romain
Thanks for your great work!
I noticed a minor issue in defaults/main.yml:
[WARNING]: While constructing a mapping from /home/me/ansible-priv/provisioning/roles/dev-sec.ssh-hardening/defaults/main.yml, line 2, column 1, found a duplicate dict key (ssh_use_dns). Using last defined value only.
ssh_use_dns is indeed defined on both line 8 and 179 of defaults/main.yml
Too much of a n00b to tell if it makes sense to keep the first or the last one, sorry...
It would be great to make some small changes in the selinux section of this role to avoid confusion, as discussed in this PR: #102
The two changes I think should be made are:
test to see if selinux is installed and running
# only runs when selinux is installed
Apart from that, I found two inconsistencies between what the comment says and the actual code:
first one here: https://github.com/dev-sec/ansible-ssh-hardening/blob/master/tasks/main.yml#L86
It says that "only runs when selinux is in state enforcing", but the conditional is sestatus.stdout != 'Disabled', so the task could also be executed when selinux is in Permissive mode.
Can the task also be executed in Permissive mode, or is this an error?
and the second one: https://github.com/dev-sec/ansible-ssh-hardening/blob/master/tasks/main.yml#L106
It says the same as above: "only runs when selinux is in state enforcing", but there isn't any conditional related to selinux in the when: at the end. Is this an error?
The vars/main.yml lists all whitelisted ciphers, MACs, and key exchange algorithms for sshd. Although the sshd template does a decent job of inferring appropriate settings from the distro and release version, invariably some administrators will want to override these settings in typical Ansible fashion. Doing so is currently impossible.
Therefore I propose: moving vars/main.yml into defaults/main.yml, and prefixing these vars with ssh_ to help prevent accidental clobbering in site-wide configs. Since these vars cannot currently be overridden, there is no breaking change in adding the prefix—now's the best time for us to get away with it. Allowing local overrides would be more consistent with Ansible best practices, as well.
I'm happy to write a PR after any discussion here. Being able to override the vars at run time would make it a heck of a lot easier to test improvements for #28, as well—which is really why I bring it up. ;)
The role/playbook executes without any sign of error.
However after the execution the remote system behaves as follows:
I could only make the server respond to anything by rebooting it. However, after a few minutes it is unresponsive again.
At first I thought it was related to the sshd config but now I'm unsure what's causing these issues. It might even be caused by https://github.com/dev-sec/ansible-os-hardening which was also applied.
Any ideas what is happening in this case?
Do you need any additional information?
Just tested the role on Ubuntu 16.04 and the role works like expected.
Hi there,
first of all thank you very much for your ansible role.
May I suggest splitting the variable ssh_ports into 2 separate variables to distinguish client/server ports individually? In my use case I don't want sshd accessible on port 22, but I don't want to change ssh client-config.
cheers
Sebastian
Hi and thanks for projects.
Running the playbook with the --check option failed after the update from 3.2 to 4.0 on the task "dev-sec.ssh-hardening : set hostkeys according to openssh-version".
Adding "check_mode: no" to this task will fix this issue.
Hello!
First thanks for your great role, which I'm happy to use 😄
I have a setup hardened with this role where I also need to add some form of SFTP access, and I'm confused a bit and unsure if it's supported or not.
In the FAQ, one can read:
This role deactivates SFTP
But at the same time, there is an option to enable SFTP:
sftp_enabled - false - true to enable sftp configuration
Can you clarify if SFTP is supported? (I'd say yes, based on reading the tasks, but I'd rather be sure here).
Thank you!
Hello - I'm seeing the error below and I'm not sure if I'm doing something wrong or if this is a bug. The server is the official Centos7 image on AWS. The error is observed when running ansible-playbook with --check.
Running the following on the server (which appears to be part of the problem) shows no output.
These are the module names I see with the string ssh:
rssh 2.3.0
ssh 2.4.2
Thanks!
Error:
fatal: [server1]: FAILED! => {"failed": true, "msg": "The conditional check 'sestatus.rc == 0 and sestatus.stdout != 'Disabled'' failed. The error was: error while evaluating conditional (sestatus.rc == 0 and sestatus.stdout != 'Disabled'): 'dict object' has no attribute 'rc'\n\nThe error appears to have been in '/Users/user1/RRS GDrive/Projects/corp1/repos/corp1-ansible/roles/hardening.ssh-hardening/tasks/main.yml': line 11, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: check the ssh_password policy state\n ^ here\n"}
Hi,
First off, thank you for creating this project and making securing the machines that much easier.
I've one issue though. For a single specific machine I'd like to enable normal ssh login for a specific username.
I thought adding that user to the ssh_allow_users in the defaults would permit it, but I'm still seeing the permission denied although I can view the /sshd_config which contains the entry.
I'm just wondering what else is required to be done to enable this behaviour?
Do you know the Applied-Crypto-Hardening project?
One thing I noticed is that this role actually disables strong ciphers like [email protected] which are available in newer versions.
https://github.com/BetterCrypto/Applied-Crypto-Hardening/tree/master/src/configuration/SSH/OpenSSH
always_run is deprecated. Use check_mode = no instead..
TASK [ansible-ssh-hardening : test to see if selinux is running] ***************
[DEPRECATION WARNING]: always_run is deprecated. Use check_mode = no instead..
This feature will be removed in version 2.4. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
If you install with ansible-galaxy:
ansible-galaxy install hardening.ssh-hardening
You will see that the tasks folder for example is missing:
afreitas@artemis:/etc/ansible/roles/hardening.ssh-hardening
> ls -lha
total 88
drwxr-xr-x 15 afreitas wheel 510B Jan 27 12:48 .
drwxrwxrwx 4 root wheel 136B Jan 27 12:48 ..
-rw-rw-r-- 1 afreitas wheel 152B Apr 30 2015 .gitignore
-rw-rw-r-- 1 afreitas wheel 1.3K Apr 30 2015 .kitchen.yml
-rw-rw-r-- 1 afreitas wheel 813B Apr 30 2015 .kitchen_debian.yml
-rw-rw-r-- 1 afreitas wheel 434B Apr 30 2015 .travis.yml
-rw-rw-r-- 1 afreitas wheel 520B Apr 30 2015 CHANGELOG.md
-rw-rw-r-- 1 afreitas wheel 3.8K Apr 30 2015 CONTRIBUTING.md
-rw-rw-r-- 1 afreitas wheel 450B Apr 30 2015 Gemfile
-rw-rw-r-- 1 afreitas wheel 6.9K Apr 30 2015 README.md
-rw-rw-r-- 1 afreitas wheel 194B Apr 30 2015 Thorfile
-rw-rw-r-- 1 afreitas wheel 34B Apr 30 2015 ansible-install.sh
drwxr-xr-x 4 afreitas wheel 136B Jan 27 12:48 meta
drwxr-xr-x 3 afreitas wheel 102B Jan 27 12:48 roles
drwxr-xr-x 3 afreitas wheel 102B Jan 27 12:48 spec
Hi,
I need to use your role only on specific environments, so I'm using a when instruction in my role statement in my playbook like below to choose whether or not I want to deploy security rules:
roles:
  - { role: security, when: deploy_security_rules }
Then in the task file of my "security" role I use the statements below to include your role
- name: OS hardening
  include_role:
    name: dev-sec.os-hardening
The problem occurs when I don't want to deploy security rules, i.e when deploy_security_rules = false
Here is the output I obtain during failure :
TASK [dev-sec.os-hardening : get all system accounts] **************************
[DEPRECATION WARNING]: always_run is deprecated. Use check_mode = no instead..
This feature will be removed in version 2.4. Deprecation warnings can be
disabled by setting deprecation_warnings=False in ansible.cfg.
skipping: [vagrant-debian8.6] => {"changed": false, "skip_reason": "Conditional check failed", "skipped": true}
TASK [dev-sec.os-hardening : remove always ignored system accounts from list] **
skipping: [vagrant-debian8.6] => {"changed": false, "skip_reason": "Conditional check failed", "skipped": true}
TASK [dev-sec.os-hardening : change system accounts not on the user provided ignore-list] ***
fatal: [vagrant-debian8.6]: FAILED! => {"failed": true, "msg": "'sys_accs_cond' is undefined"}
Any idea why the role is failing?
Hello,
Debian9 (stretch) is disabled on travis check (https://github.com/dev-sec/ansible-ssh-hardening/blob/master/.travis.yml#L41).
Is there any reason not to activate it?
Thank you.
I receive the following error during test-kitchen run:
kitchen test default-ubuntu-1204
-----> Starting Kitchen (v1.3.1)
-----> Cleaning up any prior instances of <default-ubuntu-1204>
-----> Destroying <default-ubuntu-1204>...
Finished destroying <default-ubuntu-1204> (0m0.00s).
-----> Testing <default-ubuntu-1204>
-----> Creating <default-ubuntu-1204>...
>>>>>> Create failed on instance <default-ubuntu-1204>.
>>>>>> Please see .kitchen/logs/default-ubuntu-1204.log for more details
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: Could not find Vagrantfile template /Users/chris/Development/hardening/ansible/ansible-ssh-hardening/Vagrantfile.erb
>>>>>> ----------------------
Running the get openssh-version task fails on FreeBSD
TASK [dev-sec.ssh-hardening : get openssh-version] ************************************************************************************************************
fatal: [template201709]: FAILED! => {"changed": false, "cmd": "ssh -V 2>&1 | sed -r 's/.*_([0-9]*\\.[0-9]).*/\\1/g'", "delta": "0:00:00.061695", "end": "2017-10-09 08:25:00.292831", "failed": true, "msg": "non-zero return code", "rc": 1, "start": "2017-10-09 08:25:00.231136", "stderr": "Ambiguous output redirect.", "stderr_lines": ["Ambiguous output redirect."], "stdout": "", "stdout_lines": []}
to retry, use: --limit @./template.retry
perhaps only since the upgrade to ansible 2.4.0.0
The problem appears to be that tcsh is used as the shell.
Ansible's template module relies on sftp to work. I wanted to suggest setting sftp_enabled: true as default, but that would go against the point of the playbook.
Maybe add a little warning to the user?
And maybe a way to not depend on the template module if sftp is disabled. This will help if the user decides to re-enable sftp or update the sshd_config
Currently, password based authentication is disabled with no setting to enable it:
https://github.com/dev-sec/ansible-ssh-hardening/blob/master/templates/opensshd.conf.j2#L133-L134
It would be nice if there was a ssh_server_password_login setting (which could default to false).
The last task in tasks/main.yml, "remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)" will run on systems with SELinux disabled.
Looks like the when: test only tests the return code of getenforce. Previous tasks in this file test both the getenforce return code and stdout.
I've forked this repo and updated the when: test so that it also tests getenforce output. But I feel like the standard output of getenforce should be deciding factor for whether to run SELinux-specific tasks. If getenforce fails, that's a deeper problem and the whole role should probably fail, too. That would simplify the when: clauses of several other tasks in tasks/main.yml. Thoughts?
sshd[18263]: /etc/ssh/sshd_config line 73: Deprecated option UsePrivilegeSeparation
Sandboxing is now enabled by default in OpenSSH, across all platforms/distros. See the changelog.
Likewise, these two options for the client config are not understood in recent versions of OpenSSH
HostsRSAAuthentication no
RSAAuthentication yes
@chris-rock, @atomic111 @mms-segu you guys still interested in maintaining this stuff? I will join and help out.
we should use a handler for https://github.com/hardening-io/ansible-ssh-hardening/blob/master/roles/ansible-ssh-hardening/tasks/main.yml#L11
More information is available here: http://docs.ansible.com/playbooks_intro.html#handlers-running-operations-on-change
Hello,
When I have ssh_use_pam=true the role fails on:
TASK [dev-sec.ssh-hardening : remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)] ***
fatal: [gitana-ext.magellium.com]: FAILED! => {"changed": true, "cmd": "semodule -r ssh_password", "delta": "0:00:02.809950", "end": "2016-10-10 16:42:34.105591", "failed": true, "rc": 1, "start": "2016-10-10 16:42:31.295641", "stderr": "libsemanage.get_module_file_by_name: Module ssh_password was not found.\nsemodule: Failed on ssh_password!", "stdout": "", "stdout_lines": [], "warnings": []}
(except if I have run the playbook before with ssh_use_pam=false).
Maybe you could check if the module is installed before trying to remove it?
Thanks.
PS: the 3.1 release is not on ansible galaxy
ansible-ssh-hardening/templates/opensshd.conf.j2
Lines 240 to 247 in f9b0c2e
Lines 241-247 should be indented in order to apply to only the Match Group. Right now they are overriding the global settings higher up in the config file.
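The duplicate-directive report earlier on this page and the Match-block note above both come down to how sshd reads its config file: within a scope, the first value it reads for a keyword is the one it applies, and every directive after a Match line belongs to that Match block until the next Match line or end of file, whatever its indentation. Added example, not part of the dev-sec role: a small Python checker that applies those two rules to a constructed sshd_config sample and reports duplicate keywords per scope together with the value sshd will actually use.

```python
"""Checker for duplicate sshd_config directives and Match-block scoping.

Added example, not part of the dev-sec role. It mirrors two sshd_config rules:
  * within a scope, sshd uses the FIRST value it reads for a keyword, so a
    later duplicate is silently ignored;
  * every directive after a 'Match' line belongs to that Match block until
    the next 'Match' line or end of file, regardless of indentation.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the duplicate-directive report above.
# 'PermitRootLogin yes' on line 6 is a global duplicate (line 2 wins), and the
# unindented 'AllowTcpForwarding yes' on line 12 still sits inside the Match
# block, where line 11 already set it to 'no'.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
PermitRootLogin yes
Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /home/%u
    AllowTcpForwarding no
AllowTcpForwarding yes
"""


def parse_sshd_config(text):
    """Return a list of (scope, keyword, value, lineno).

    scope is 'global' or the criteria string of the enclosing Match line.
    Keywords are case-insensitive and may be written 'Key value' or 'Key=value'.
    """
    entries = []
    scope = "global"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scope = value  # everything that follows belongs to this block
            continue
        entries.append((scope, keyword, value, lineno))
    return entries


def find_duplicates(entries):
    """Map (scope, keyword) -> [(lineno, value), ...] for keywords set more than once in one scope."""
    seen = defaultdict(list)
    for scope, keyword, value, lineno in entries:
        seen[(scope, keyword)].append((lineno, value))
    return {key: hits for key, hits in seen.items() if len(hits) > 1}


def effective_value(entries, keyword, scope="global"):
    """Value sshd applies for keyword in scope: the first occurrence, or None if unset."""
    for entry_scope, entry_keyword, value, _ in entries:
        if entry_scope == scope and entry_keyword == keyword.lower():
            return value
    return None


def check_config(text):
    """Human-readable findings, ordered by first line; an empty list means no duplicates."""
    entries = parse_sshd_config(text)
    findings = []
    duplicates = sorted(find_duplicates(entries).items(), key=lambda item: item[1][0][0])
    for (scope, keyword), hits in duplicates:
        lines = ", ".join(str(n) for n, _ in hits)
        findings.append(
            f"{keyword} set {len(hits)}x in scope '{scope}' (lines {lines}); "
            f"sshd keeps line {hits[0][0]}: '{hits[0][1]}'"
        )
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Point check_config at the text of a real /etc/ssh/sshd_config to get the same report for a live host.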
According to this thread, compression can be vulnerable to CRIME/BREACH attacks (if the encrypted data carries public data as well).
I am not into crypto but I guess compression should be opt-in, at least, shouldn't it?
Hi
To update ssh/sshd config you need to have root permissions. Previously I was using sudo: true in my playbook. According to Ansible, it will be removed in 2.6.
[DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and
make sure become_method is 'sudo' (default). This feature will be removed in
version 2.6. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
Without sudo I am getting the below error:
TASK [dev-sec.ssh-hardening : create sshd_config and set permissions to root/600] ***
fatal: [gateway]: FAILED! => {"changed": false, "checksum": "60fb9f3fcee48310b83298e657fe10a1c06406f0", "failed": true, "msg": "Destination /etc/ssh not writable"}
I have created a small PR -> #144
TASK [ansible-ssh-hardening : remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)] ***
task path: /home/felis/ansible/roles/ansible-ssh-hardening/tasks/main.yml:50
fatal: [localhost: FAILED! => {"changed": true, "cmd": "semodule -r ssh_password", "delta": "0:00:02.974666", "end": "2016-02-27 13:19:42.302047", "failed": true, "rc": 1, "start": "2016-0
If ssh_use_pam: true, the ssh_password selinux policy doesn't get installed. semodule -r ssh_password will then fail.
ciphers: https://github.com/dev-sec/tests-ssh-hardening/blob/master/libraries/ssh_crypto.rb#L27
kex: https://github.com/dev-sec/tests-ssh-hardening/blob/master/libraries/ssh_crypto.rb#L60
macs: https://github.com/dev-sec/tests-ssh-hardening/blob/master/libraries/ssh_crypto.rb#L96
privilege separation: https://github.com/dev-sec/tests-ssh-hardening/blob/master/libraries/ssh_crypto.rb#L134
The create ssh_config and set permissions to root/644 step is done twice (the second time the owner and group are both hardcoded to root): https://github.com/dev-sec/ansible-ssh-hardening/blob/00aa9eaa0d7a7956c5cc7924c5815747ddfdd470/tasks/main.yml#L35-L41a