Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/elnappo/ansible-role-secure-openssh-server
Set up a secure config for OpenSSH Server >= 6.5
https://github.com/elnappo/ansible-role-secure-openssh-server
ansible ansible-role openssh-server
Last synced: about 1 month ago
JSON representation
Set up a secure config for OpenSSH Server >= 6.5
- Host: GitHub
- URL: https://github.com/elnappo/ansible-role-secure-openssh-server
- Owner: elnappo
- Created: 2015-01-10T14:47:26.000Z (almost 10 years ago)
- Default Branch: master
- Last Pushed: 2019-12-10T13:56:02.000Z (almost 5 years ago)
- Last Synced: 2024-10-03T17:23:41.395Z (about 1 month ago)
- Topics: ansible, ansible-role, openssh-server
- Language: Python
- Homepage:
- Size: 24.4 KB
- Stars: 6
- Watchers: 3
- Forks: 2
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# ansible-role-secure-openssh-server
[](https://travis-ci.org/elnappo/ansible-role-secure-openssh-server) [](https://galaxy.ansible.com/elnappo/secure-openssh-server/)
Set up a secure config for OpenSSH Server >= 6.5. This playbook extends your sshd config file instead of replacing it.
* Disable SSH version 1
* Disable RSAAuthentication (only available in version 1)
* Don't allow empty passwords
* Allow root login only without password
* Use StrictModes
* Allow only KexAlgorithms, Ciphers and MACs which where recommended by [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)
* Removes DSA and ECDSA host keys by default. Change `ssh_remove_deprecated_server_keys` if this is not what you want
* Regenerates RSA host key if shorter than 4096 bits (default)
* Disable password login by default which also sets `MaxAuthTries 1` and `LoginGraceTime 30`
shields.io
#### Recommended `~/.ssh/config`, `/etc/ssh/ssh_config`
```
Host *
HashKnownHosts yes
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,ssh-rsa,[email protected],[email protected],[email protected],ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected]
```
alias for legacy connections: `alias ssh_ignore="ssh -F /dev/null"`
## Inspired by
* [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)
* [Mozilla Wiki - Security/Guidelines/OpenSSH](https://wiki.mozilla.org/Security/Guidelines/OpenSSH)
* [BetterCrypto](https://github.com/BetterCrypto/Applied-Crypto-Hardening)
* [Manpage sshd_config](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5)
## Requirements
* Ubuntu or Debian
* OpenSSH Server >= 6.5 (which is in Ubuntu >= 14.04 and Debian >= 8)
## Role Variables
* `ssh_sshd_config_dir: /etc/ssh/`
* `ssh_sshd_config_path: "{{ ssh_sshd_config_dir }}sshd_config"`
* `ssh_permit_root_login: "without-password"` quotes are mandatory!
* `ssh_disable_password_login: true`
* `ssh_remove_deprecated_server_keys: true` disables DSA, ECDSA and regenerate RSA key if <`ssh_host_rsa_key_length`
* `ssh_host_rsa_key_length: 4096`
* `ssh_setup_ufw: true`
* `ssh_port: 22`
## Dependencies
None.
## Example Playbook
```yaml
- hosts: server
remote_user: root
vars:
- ssh_remove_deprecated_server_keys: false
- ssh_port: 1813
roles:
- { role: elnappo.secure_openssh_server }
```
## License
MIT
## Author Information
elnappo