
Comments (9)

altf4arnold commented on May 23, 2024

I have the same indentation on my side (I thought while copy-pasting on GitHub that the indentation broke, so I rebuilt it on here. I'm changing the indentation back to the original on the original post right now).

from ansible-ssh-hardening.

altf4arnold commented on May 23, 2024

Small problem, small solution... Not changing the code by any means, because it's quite logical to use. Just adding it to the documentation to make it a little bit clearer :-)

rndmh3ro commented on May 23, 2024

Hey @altf4arnold,

I just tested it, works fine for me:

- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
  hosts: localhost
  roles:
    - ansible-ssh-hardening
  vars:
    network_ipv6_enable: true
TASK [ansible-ssh-hardening : create sshd_config and set permissions to root/600] **************************************************************************************************************
--- before: /etc/ssh/sshd_config
+++ after: /root/.ansible/tmp/ansible-local-4094ZLPK4d/tmpH_8e_r/opensshd.conf.j2
@@ -16,7 +16,7 @@
 Port 22

 # Address family should always be limited to the active network configuration.
-AddressFamily inet
+AddressFamily any

Can you please fill out the bug template (https://github.com/dev-sec/ansible-ssh-hardening/issues/new?template=bug_report.md) so I can investigate further?

altf4arnold commented on May 23, 2024

Sorry for not complying with the bug template. Here it is, completed.

The problem is that even when IPv6 is enabled in the playbook, it still forces sshd to listen on IPv4 only via the ListenAddress option in sshd_config.

What should happen is that if IPv6 is set to true and ListenAddress is left at its default, listening on [::] should also be put in the config.

This is what currently happens if IPv6 is set to true without ListenAddress specified:

 % ansible-playbook -K ssh.yml

TASK [ssh-hardening : create sshd_config and set permissions to root/600] ****************************************************************************************************************************************************************************************************
changed: [dummy.server.name]

From there I get this in /etc/ssh/sshd_config:

# Address family should always be limited to the active network configuration.
AddressFamily any

# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
ListenAddress 0.0.0.0

My playbook is:

- hosts: all
  roles:
    - role: ssh-hardening
      become: yes
      become_user: root
      become_method: sudo

      network_ipv6_enable: true
      ssh_permit_tunnel: true
      ssh_print_motd: true
      sftp_enabled: true
      ssh_banner: true
      ssh_use_dns: true
      sftp_chroot: false

What I can do to make it work is:

- hosts: all
  roles:
    - role: ssh-hardening
      become: yes
      become_user: root
      become_method: sudo

      network_ipv6_enable: true
      ssh_permit_tunnel: true
      ssh_print_motd: true
      sftp_enabled: true
      ssh_banner: true
      ssh_use_dns: true
      sftp_chroot: false
      ssh_listen_to: ['0.0.0.0','::']

I'm running Ansible from macOS against Debian 10 servers, on this version:

ansible 2.9.10
  config file = /Users/arnold/VM-Ansible/ansible.cfg
  configured module search path = ['/Users/arnold/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.9.10/libexec/lib/python3.8/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.8.4 (default, Jul 14 2020, 02:58:48) [Clang 11.0.3 (clang-1103.0.32.62)]

The ssh-hardening module is integrated into my playbook through a git submodule, and those tests were made on commit 2d876f6.

altf4arnold commented on May 23, 2024

I just tested with commit 7ea747a. Still getting the same result.

rndmh3ro commented on May 23, 2024

The indentation of your playbook is wrong, try this:

- hosts: all
  roles:
    - role: ansible-ssh-hardening
      become: yes
      become_user: root
      become_method: sudo

      network_ipv6_enable: true
      ssh_permit_tunnel: true
      ssh_print_motd: true
      sftp_enabled: true
      ssh_banner: true
      ssh_use_dns: true
      sftp_chroot: false

altf4arnold commented on May 23, 2024

Updated

rndmh3ro commented on May 23, 2024

Sorry! I misunderstood your original issue.

The problem, as you said, is that ListenAddress is set to 0.0.0.0 by default, even though IPv6 should be enabled.
The correct workaround you're using is to set ssh_listen_to: ['0.0.0.0','::'].

Right now the logic is rather simple for this:

# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
{% for address in ssh_listen_to %}
ListenAddress {{ address }}
{% endfor %}

We could probably change this somehow so it works out of the box for you. However, I don't have an idea right now how to make it simple enough.

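The two behaviours discussed above (the template's plain loop over ssh_listen_to, and the IPv4-only ListenAddress that results when IPv6 is enabled), as an added example that is not part of the issue or of the ansible-ssh-hardening role: it derives the ListenAddress list from network_ipv6_enable when ssh_listen_to is left unset (an assumed rule, not the role's current logic), mirrors the template's loop, and flags a rendered sshd_config whose AddressFamily and ListenAddress entries disagree.

```python
"""Derive ListenAddress entries from the role's variables and check a rendered
sshd_config for the AddressFamily/ListenAddress mismatch from this issue. Added
example, not ansible-ssh-hardening code; the default-derivation rule is assumed."""
import ipaddress

# Constructed sample reproducing the sshd_config fragment quoted in the thread.
SAMPLE_CONFIG = "AddressFamily any\nListenAddress 0.0.0.0\n"

def listen_addresses(network_ipv6_enable, ssh_listen_to=None):
    """An explicit ssh_listen_to wins unchanged; when it is left unset (None),
    '::' is added alongside '0.0.0.0' whenever network_ipv6_enable is true."""
    if ssh_listen_to:
        return list(ssh_listen_to)
    return ["0.0.0.0", "::"] if network_ipv6_enable else ["0.0.0.0"]

def render_listen_block(addresses):
    """Mirror the role's Jinja loop: one 'ListenAddress X' line per entry."""
    return "".join(f"ListenAddress {a}\n" for a in addresses)

def _ip_version(token):
    """Map a ListenAddress operand (addr, addr:port or [addr]:port) to 4 or 6."""
    if token.startswith("["):
        token = token[1:token.index("]")]
    elif token.count(":") == 1:  # IPv4 address with a port suffix
        token = token.split(":")[0]
    try:
        return ipaddress.ip_address(token).version
    except ValueError:
        return None  # hostname, not an address literal

def check_sshd_config(text):
    """Return findings where AddressFamily and the ListenAddress set disagree."""
    family, versions = "any", set()  # 'any' is sshd's default family
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "addressfamily":
            family = value.strip().lower()
        elif key == "listenaddress":
            version = _ip_version(value.split()[0])
            if version:
                versions.add(version)
    findings = []
    if family == "any" and versions == {4}:
        findings.append("AddressFamily any but only IPv4 ListenAddress entries")
    if family == "inet" and 6 in versions:
        findings.append("AddressFamily inet but an IPv6 ListenAddress is set")
    return findings
```

Running check_sshd_config(SAMPLE_CONFIG) reports the thread's symptom, while a config rendered from listen_addresses(True) passes clean.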
rndmh3ro commented on May 23, 2024

Thanks for this good solution. Glad you found the issue.
