Comments (6)
just submittet a PR to our baseline (dev-sec/ssh-baseline#177)
I will close this now, since all issues are resolved.
from ansible-ssh-hardening.
Thanks for this, I did not know that this exists.
More information: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
We'll have to decide what to support and use.
from ansible-ssh-hardening.
While not a bug, it would seem that the client configurations also don't disallow host key types for use. I'm not sure how to best accomplish this but it would be nice if we could also figure out how to enforce SSH client configuration for allowed HostKeyTypes.
'HostKeyAlgorithms' can (should 🤔 ) be defined to also limit client Host Key Types.
HostKeyAlgorithms -ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-rsa,[email protected]
from ansible-ssh-hardening.
The openssh-server side of this issue is fixed by #309.
This only leaves the client side issue remaining.
from ansible-ssh-hardening.
the crypto policy for ssh client is activated by an include /etc/ssh/ssh_config.d/05-redhat.conf
since our config does not have this include the client part should also be solved. Will check this in a moment.
from ansible-ssh-hardening.
This is possible to check via ssh -G localhost |grep ciphers
. We will add some tests for this to our baseline. So basically this is solved now, just waiting for the PR in ssh-baseline and then we should be safe :)
from ansible-ssh-hardening.
Related Issues (20)
- Possibility to use other value than yes/no for AllowTCPforwarding HOT 1
- Simplify crypto.yml checks with blocks HOT 1
- Cannot install policycoreutils-python on Fedora 31 HOT 2
- Add RHEL 8 Support HOT 5
- HostKey comment "# Req 20" breaks key based auth
- Remove dependency on bash HOT 2
- Disable Ubuntu dynamic login MOTD HOT 3
- New Relese? HOT 2
- Ubuntu disable dynamic MOTD failing HOT 4
- ssh_exchange_identification: read: Connection reset by peer HOT 10
- AllowTCPForwarding set to `no` although I have `ssh_allow_tcp_forwarding: yes` HOT 4
- Add support for X11 configuration HOT 1
- Idempotency when changing sshd ports HOT 9
- Task create sshd_config and set permissions fails HOT 1
- Typo in hardening.yml HOT 1
- CBC Ciphers should be disabled by default. HOT 5
- network_ipv6_enable: true not working HOT 9
- Make SSH banner path configurable HOT 3
- MOTD Enabled prints MOTD twice on Ubuntu HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ansible-ssh-hardening.