Comments (5)
schurzi
commented on May 25, 2024
Hi @salderma, thanks for discovering this.
I have run a quick test on CentOS7 and I think the ciphers are set correct. Also in our defaults we already do not include the CBC ciphers, see:
ansible-ssh-hardening/defaults/main.yml
Lines 213 to 224 in 6626617
On my test machine, this evaluates to:
# CBC: is true if you want to connect with OpenSSL-base libraries
# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
#
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
Maybe there is a problem with the playbook on you test server.
Can you describe which operating system (including version) you are running?
Can you also include the output from an ansible run with this role on the server?
from ansible-ssh-hardening.
salderma
commented on May 25, 2024
It must be a CentOS 8 thing...
Apparently this would resolve - https://access.redhat.com/solutions/4410591
Sorry, I'll close the issue.
from ansible-ssh-hardening.
schurzi
commented on May 25, 2024
oh, don't be sorry! I think you fund something, that we missed.
This is a change worth including in our role, since it affects the security of sshd on CentOS8 and RHEL8.
from ansible-ssh-hardening.
schurzi
commented on May 25, 2024
from ansible-ssh-hardening.
rndmh3ro
commented on May 25, 2024
Fixed by #309
from ansible-ssh-hardening.
Related Issues (20)
- Possibility to use other value than yes/no for AllowTCPforwarding HOT 1
- Simplify crypto.yml checks with blocks HOT 1
- Cannot install policycoreutils-python on Fedora 31 HOT 2
- Add RHEL 8 Support HOT 5
- HostKey comment "# Req 20" breaks key based auth
- Remove dependency on bash HOT 2
- Disable Ubuntu dynamic login MOTD HOT 3
- RHEL/CentOS 8 requires removal or editing of /etc/crypto-policies/back-ends/openssh*.config HOT 6
- New Relese? HOT 2
- Ubuntu disable dynamic MOTD failing HOT 4
- ssh_exchange_identification: read: Connection reset by peer HOT 10
- AllowTCPForwarding set to `no` although I have `ssh_allow_tcp_forwarding: yes` HOT 4
- Add support for X11 configuration HOT 1
- Idempotency when changing sshd ports HOT 9
- Task create sshd_config and set permissions fails HOT 1
- Typo in hardening.yml HOT 1
- network_ipv6_enable: true not working HOT 9
- Make SSH banner path configurable HOT 3
- MOTD Enabled prints MOTD twice on Ubuntu HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ansible-ssh-hardening.