This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.
ssh-hardening (Ansible Role)
Attention: This role has been migrated to our hardening-collection:
- https://github.com/dev-sec/ansible-os-hardening/
- https://galaxy.ansible.com/devsec/hardening
Requirements
- Ansible > 2.5
Role Variables
networkipv6enable
sshlistento must also be set to listen to IPv6 addresses (for example [::]).
sshserverports
sshclientport
sshlistento
sshhostkey_files
sshhostkey_algorithms
sshclientalive_interval
sshclientalive_count
sshpermittunnel
sshremotehosts
defaults/main.yml.
sshpermitroot_login
without-password or yes to enable root-login
sshallowtcp_forwarding
'no' to disable TCP Forwarding. Set to 'yes' to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify 'yes', 'no', 'all' or 'local'. Note*: values passed to this variable must be strings, thus values
'yes' and 'no' should be passed with quotes.
sshgatewayports
false
* Description: false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address. Set to clientspecified to allow the client to specify which address to bind to.
sshallowagent_forwarding
sshx11forwarding
sshpamsupport
sshusepam
sshgssapisupport
sshkerberossupport
sshdenyusers
sshallowusers
sshdenygroups
sshallowgroups
sshauthorizedkeys_file
sshtrustedusercakeys_file
sshtrustedusercakeys
sshtrustedusercakeys_file is set.
sshauthorizedprincipals_file
sshtrustedusercakeys_file is set.
sshauthorizedprincipals
defaultcustom.yml for all options. Only used if sshauthorizedprincipalsfile is set.
sshprintmotd
sshprintpam_motd
sshprintlast_log
sftp_enabled
sftp_umask
sftp_chroot
sftpchrootdir
sshclientroaming
sshdmodulifile
sshdmoduliminimum
ssh_challengeresponseauthentication
sshclientpassword_login
true to allow password-based authentication with the ssh client
sshserverpassword_login
true to allow password-based authentication with the ssh server
ssh_banner
false
* Description: true to print a banner on login
sshbannerpath
sshclienthardening
true
* Description: false to stop harden the client
sshclientport
'22'
* Description: Specifies the port number to connect on the remote host.
sshclientcompression
false
* Description: Specifies whether the client requests compression.
ssh_compression
false
* Description: Specifies whether server-side compression is enabled after the user has authenticated successfully.
sshlogingrace_time
30s
* Description: specifies the time allowed for successful authentication to the SSH server
sshmaxauth_retries
2
* Description: Specifies the maximum number of authentication attempts permitted per connection.
sshmaxsessions
10
* Description: Specifies the maximum number of open sessions permitted from a given connection.
sshprintdebian_banner
false
* Description: true to print debian specific banner
sshserverenabled
true
* Description: false to disable the opensshd server
sshserverhardening
true
* Description: false to stop harden the server
sshservermatch_address
sshservermatch_group
sshservermatch_user
sshservermatchlocalport
sshserverpermitenvironmentvars
no
* Description: yes to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings
sshserveracceptenvvars
sshusedns
false
* Description: Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address.
sshserverrevoked_keys
sshmaxstartups
ssh_macs
defaults/main.yml
ssh_kex
defaults/main.yml
ssh_ciphers
defaults/main.yml
sshcustomoptions
sshdcustomoptions
sshdsyslogfacility
sshdloglevel
sshdstrictmodes
sshd_authenticationmethods
publickey
* Description: Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in defaults/main.yml
Configuring settings not listed in role-variables
If you want to configure ssh options that are not listed above, you can use sshcustomoptions (for /etc/ssh/sshconfig) or sshdcustomoptions (for /etc/ssh/sshdconfig) to set them. These options will be set on the beginning of the file so you can override options further down in the file.
Example playbook:
- hosts: localhost
roles:
- dev-sec.ssh-hardening
vars:
sshcustomoptions:
- "Include /etc/ssh/ssh_config.d/*"
sshdcustomoptions:
- "AcceptEnv LANG"
Changing the default port and idempotency
This role uses the default port 22 or the port configured in the inventory to connect to the server. If the default ssh port is changed via sshserverports, once the ssh server is restarted, it will still try to connect using the previous port. In order to run this role again on the same server the inventory will have to be updated to use the new ssh port.
If idempotency is important, please consider using role ssh-hardening-fallback, which is a wrapper around this role that falls back to port 22 if the configured port is unreachable.
Example Playbook
- hosts: localhost roles: - dev-sec.ssh-hardening
Local Testing
The preferred way of locally testing the role is to use Docker. You will have to install Docker on your system. See Get started for a Docker package suitable to for your system.
You can also use vagrant and Virtualbox or VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See Vagrant Downloads for a vagrant package suitable for your system. For all our tests we use test-kitchen. If you are not familiar with test-kitchen please have a look at their guide.
Next install test-kitchen:
# Install dependencies
gem install bundler
bundle install
Testing with Docker
# fast test on one machine
bundle exec kitchen test ssh-ubuntu1804-ansible-latest
test on all machines
bundle exec kitchen test
for development
bundle exec kitchen create ssh-ubuntu1804-ansible-latest
bundle exec kitchen converge ssh-ubuntu1804-ansible-latest
bundle exec kitchen verify ssh-ubuntu1804-ansible-latest
cleanup
bundle exec kitchen destroy ssh-ubuntu1804-ansible-latest
Testing with Virtualbox
# fast test on one machine
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test ssh-ubuntu-1804
test on all machines
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test
for development
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create ssh-ubuntu-1804
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge ssh-ubuntu-1804
For more information see test-kitchen
FAQ / Pitfalls
I can't log into my account. I have registered the client key, but it still doesn't let me it.
If you have exhausted all typical issues (firewall, network, key missing, wrong key, account disabled etc.), it may be that your account is locked. The quickest way to find out is to look at the password hash for your user:
sudo grep myuser /etc/shadow
If the hash includes an !, your account is locked:
myuser:!:16280:7:60:7:::
The proper way to solve this is to unlock the account (passwd -u myuser). If the user doesn't have a password, you should can unlock it via:
usermod -p "*" myuser
Alternatively, if you intend to use PAM, you enabled it via sshusepam: true. PAM will allow locked users to get in with keys.
Why doesn't my application connect via SSH anymore?
Always look into log files first and if possible look at the negotiation between client and server that is completed when connecting.
We have seen some issues in applications (based on python and ruby) that are due to their use of an outdated crypto set. This collides with this hardening module, which reduced the list of ciphers, message authentication codes (MACs) and key exchange (KEX) algorithms to a more secure selection.
After using the role Ansibles template/copy/file module does not work anymore!
This role by default deactivates SFTP. Ansible uses by default SFTP to transfer files to the remote hosts. You have to set scpifssh = True in your ansible.cfg. This way Ansible uses SCP to copy files. Alternatively you can enable SFTP again by setting sftp_enabled to true.
Cannot restart sshd-service due to lack of privileges
If you get the following error when running handler "restart sshd"
Unable to restart service ssh: Failed to restart ssh.service: Access denied or failure 1 running systemctl show for 'ssh': Failed to connect to bus: No such file or directory either run the playbook as root (without become: yes at the playbook level), or add become: yes to the handler.
This is a bug with Ansible: see here and here for more information.
Contributing
License and Author
- Author:: Sebastian Gumprich
- Author:: Christoph Hartmann
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
[1]: http://travis-ci.org/dev-sec/ansible-ssh-hardening [2]: https://gitter.im/dev-sec/general [3]: https://galaxy.ansible.com/dev-sec/ssh-hardening/