sshd_hardening role cannot be used to build system images #697

Closed
mbenabda opened this issue Sep 25, 2023 · 1 comment
mbenabda commented Sep 25, 2023

Description

Hi there, thank you for your extensive work on this collection!

I am building a system image that will be written to multiple devices produced on an assembly line, and that will perform some of the configuration at runtime once deployed (à la cloud-init).

However, I am facing a slight hiccup when using the ssh_hardening role of this collection: it requires host key files, which I assume should be generated independently on each instance on its first boot, and therefore can't exist at "build" time.

I'm using a Debian base.

Reproduction steps

set -eu

image_rootfs="$(mktemp -d)"

pushd "$(mktemp -d)"

# get a base rootfs (the python image does not ship openssh-server)
docker export "$(docker create python)" --output="rootfs.tar"
tar -xvf rootfs.tar -C "${image_rootfs}"
rm rootfs.tar

# write the inventory file: target the extracted rootfs over the chroot connection
cat <<EOF >> inventory
[chroots]
${image_rootfs} ansible_connection=chroot
EOF

# write the playbook
cat <<EOF >> playbook.yaml
- hosts: chroots
  roles:
  - devsec.hardening.ssh_hardening
EOF

ansible-galaxy collection install "devsec.hardening:==8.8.0"

# chroot connection needs root; -D shows the diff of every change
sudo ansible-playbook -i inventory -D playbook.yaml

Current Behavior

It does the following without a way to opt out:

  • generates a 4096-bit RSA keypair
  • requires the presence of the /etc/ssh/ssh_host_*_key files

Here are relevant logs of the playbook run:

TASK [devsec.hardening.ssh_hardening : Replace default 2048 bits RSA keypair] ******************************************************************************************************************************
--- before
+++ after
@@ -1 +1,8 @@
-{}
+{
+    "comment": "",
+    "fingerprint": "SHA256:Y5BW1zOM2BzzS4LgA6pQQKRXNTVU2jgTgRvYVwLZVcQ",
+    "format": "",
+    "public_key": "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",
+    "size": 4096,
+    "type": "rsa"
+}

changed: [/tmp/tmp.8NkFijFLBN]
TASK [devsec.hardening.ssh_hardening : Change host private key ownership, group and permissions] ***********************************************************************************************************
ok: [/tmp/tmp.8NkFijFLBN] => (item=/etc/ssh/ssh_host_rsa_key)
failed: [/tmp/tmp.8NkFijFLBN] (item=/etc/ssh/ssh_host_ecdsa_key) => {"ansible_loop_var": "item", "changed": false, "item": "/etc/ssh/ssh_host_ecdsa_key", "msg": "file (/etc/ssh/ssh_host_ecdsa_key) is absent, cannot continue", "path": "/etc/ssh/ssh_host_ecdsa_key", "state": "absent"}
failed: [/tmp/tmp.8NkFijFLBN] (item=/etc/ssh/ssh_host_ed25519_key) => {"ansible_loop_var": "item", "changed": false, "item": "/etc/ssh/ssh_host_ed25519_key", "msg": "file (/etc/ssh/ssh_host_ed25519_key) is absent, cannot continue", "path": "/etc/ssh/ssh_host_ed25519_key", "state": "absent"}
PLAY RECAP *************************************************************************************************************************************************************************************************
/tmp/tmp.8NkFijFLBN        : ok=11   changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Expected Behavior

The role provides a way to opt out of these validations.

OS / Environment

Ansible Version

ansible [core 2.15.4]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/mbenabda/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/mbenabda/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/mbenabda/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Collection Version

8.8.0

Additional information

Please let me know if I missed something.
Thank you!

@mbenabda mbenabda added the bug label Sep 25, 2023
@mbenabda mbenabda changed the title sshd_hardening role cannot be used to build the same image for multiple instances sshd_hardening role cannot be used to build system images Sep 27, 2023
@rndmh3ro (Member) commented

The host keys get created/installed when you install the openssh-server package on Debian, which is not installed in the image you used in the example (python).

Do you plan on using the SSH server on your appliances? If yes, I propose installing the package before running the hardening role.

You could also define the host key list manually:

- hosts: chroots
  roles:
  - devsec.hardening.ssh_hardening
  vars:
    ssh_host_key_files:
      - /etc/ssh/ssh_host_rsa_key

Then the task would not fail, since this file exists. However, the following tasks would fail, since they assume that openssh-server is installed.

To only run the hardening for the clients, you can skip the server hardening part.

- hosts: chroots
  roles:
  - devsec.hardening.ssh_hardening
  vars:
    ssh_server_hardening: false

Hope this helps!
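The build-time/first-boot split the reporter describes, combined with the advice above to install openssh-server before the role runs, can be scripted around the role rather than inside it. The following is an added example written for this page; it is not code from the devsec.hardening collection or from either participant. It assumes a Debian rootfs extracted into a directory, systemd on the target device, the three host key files enumerated in the log above (rsa, ecdsa, ed25519), and a hypothetical unit name regen-ssh-host-keys.service. The idea: let openssh-server create host keys in the chroot so the role's permission tasks have files to act on, run the role, then strip the keys from the image and arm a oneshot unit that runs `ssh-keygen -A` before ssh.service on first boot, so every device written from the image gets its own host identity instead of a shared one.

```shell
#!/bin/sh
# Added example for this issue page, not part of the devsec.hardening collection.
# Assumptions: Debian rootfs in a directory, systemd on the device, and the
# three host key files the role's log above iterates over.
set -eu

# Host key files the ssh_hardening run in the log above checks for.
HOST_KEYS="/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key"

# Print the host key files that are absent from the rootfs, one per line.
# This is the build-time check that produced "is absent, cannot continue".
missing_host_keys() {
  local rootfs="$1" key
  for key in $HOST_KEYS; do
    [ -f "${rootfs}${key}" ] || echo "$key"
  done
}

# Remove every host key (private and public) from the image so that devices
# cloned from it do not all share the same SSH identity.
strip_host_keys() {
  local rootfs="$1"
  rm -f "${rootfs}"/etc/ssh/ssh_host_*_key "${rootfs}"/etc/ssh/ssh_host_*_key.pub
}

# Install a systemd oneshot unit (hypothetical name: regen-ssh-host-keys.service)
# that runs `ssh-keygen -A` before sshd starts, but only while the ed25519 key
# is absent, i.e. on the first boot of a freshly written device. Prints the
# path of the unit file it wrote.
install_firstboot_keygen() {
  local rootfs="$1"
  local unit="${rootfs}/etc/systemd/system/regen-ssh-host-keys.service"
  mkdir -p "${rootfs}/etc/systemd/system/multi-user.target.wants"
  cat > "$unit" <<'EOF'
[Unit]
Description=Regenerate SSH host keys on first boot
Before=ssh.service
ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key

[Service]
Type=oneshot
ExecStart=/usr/bin/ssh-keygen -A
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
  # Offline equivalent of `systemctl enable` inside the rootfs.
  ln -sf ../regen-ssh-host-keys.service \
    "${rootfs}/etc/systemd/system/multi-user.target.wants/regen-ssh-host-keys.service"
  echo "$unit"
}

# Build-time sequence, run only when a rootfs path is given:
#   1. openssh-server has been installed in the chroot (creates the host keys)
#   2. the ssh_hardening role has been run against the chroot
#   3. strip the build-time keys and arm first-boot regeneration
if [ -n "${1:-}" ]; then
  rootfs="$1"
  if [ -n "$(missing_host_keys "$rootfs")" ]; then
    echo "host keys missing: install openssh-server in the chroot before running the role" >&2
    exit 1
  fi
  strip_host_keys "$rootfs"
  install_firstboot_keygen "$rootfs"
fi
```

Two caveats. `ssh-keygen -A` only creates key types that do not already exist, so the ConditionPathExists guard and the strip step must agree on at least one file (here the ed25519 key). And the role's `ssh_host_key_files` list has to match what first boot will generate: if the list names a key type that `ssh-keygen -A` does not produce on the target's OpenSSH version, sshd will be configured to load a key that never appears.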
