diff --git a/meta/main.yml b/meta/main.yml
index b88dbd4b2..9b997db3b 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -22,6 +22,7 @@ galaxy_info:
 - name: Amazon
 - name: Fedora
 - name: Archlinux
+ - name: SmartOS
 galaxy_tags:
 - system
 - security
diff --git a/tasks/crypto_hostkeys.yml b/tasks/crypto_hostkeys.yml
index c47a57e81..76ff7ad50 100644
--- a/tasks/crypto_hostkeys.yml
+++ b/tasks/crypto_hostkeys.yml
@@ -1,15 +1,21 @@
 ---
 - name: set hostkeys according to openssh-version if openssh >= 5.3
 set_fact:
- ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
+ ssh_host_key_files: - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
 when: sshd_version is version('5.3', '>=')
 - name: set hostkeys according to openssh-version if openssh >= 6.0
 set_fact:
- ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
+ ssh_host_key_files:
+ - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+ - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
 when: sshd_version is version('6.0', '>=')
 - name: set hostkeys according to openssh-version if openssh >= 6.3
 set_fact:
- ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
+ ssh_host_key_files:
+ - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+ - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
+ - "{{ ssh_host_keys_dir }}/ssh_host_ed25519_key"
 when: sshd_version is version('6.3', '>=')
diff --git a/tasks/hardening.yml b/tasks/hardening.yml
index 692b779b3..eb682c115 100644
--- a/tasks/hardening.yml
+++ b/tasks/hardening.yml
@@ -50,7 +50,7 @@
 mode: '0600'
 owner: '{{ ssh_owner }}'
 group: '{{ ssh_group }}'
- validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s'
+ validate: '{{ sshd_path }} -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s'
 notify: restart sshd
 when: ssh_server_hardening | bool
diff --git a/vars/Archlinux.yml b/vars/Archlinux.yml
index 42c8bb010..5de26a259 100644
--- a/vars/Archlinux.yml
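Review bot: Every item in the three `set_fact` lists now dereferences `ssh_host_keys_dir` with no fallback, so a distribution that has no matching `vars/<OS>.yml` (this commit covers Arch, Debian, Fedora, FreeBSD, OpenBSD, Oracle Linux, RedHat, RedHat_8 and SmartOS — nothing for e.g. SUSE or Alpine) fails at the first task with an undefined-variable error where the removed lines simply used `/etc/ssh`. If falling back is wanted, write the items as `"{{ ssh_host_keys_dir | default('/etc/ssh') }}/ssh_host_rsa_key"` or add `ssh_host_keys_dir: '/etc/ssh'` to the role defaults; if failing closed is intended, a comment above the first task, `# ssh_host_keys_dir is set per platform in vars/<distribution>.yml and must exist for every supported OS`, records that decision. Whether defaults/main.yml already defines the variable is not visible in this diff.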
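Review bot: The `validate:` line now trusts `sshd_path` to point at a binary that understands `-T`/`-C` (OpenSSH extended test mode), which the old hard-coded `/usr/sbin/sshd` assumed implicitly and the new SmartOS value `/usr/lib/ssh/sshd` makes worth stating. As far as I recall, the SunSSH that illumos-based systems shipped for a long time rejects `-T`, so on such an image the template task fails outright rather than skipping validation — the right failure mode, but a comment `# requires an OpenSSH sshd (-T/-C extended test mode); sshd_path is set per platform in vars/` above the line would make that failure self-explaining. The `template` task that owns this `validate:` begins above the hunk.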
+++ b/vars/Archlinux.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 1ff248243..062c2049e 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: ssh
 ssh_owner: root
 ssh_group: root
diff --git a/vars/Fedora.yml b/vars/Fedora.yml
index c1246cf73..76558666c 100644
--- a/vars/Fedora.yml
+++ b/vars/Fedora.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml
index ff092b475..4a69f2415 100644
--- a/vars/FreeBSD.yml
+++ b/vars/FreeBSD.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
diff --git a/vars/OpenBSD.yml b/vars/OpenBSD.yml
index cb2a02281..546ce7742 100644
--- a/vars/OpenBSD.yml
+++ b/vars/OpenBSD.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml
index 6abeccac1..36f0ee0d1 100644
--- a/vars/Oracle Linux.yml
+++ b/vars/Oracle Linux.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 6abeccac1..36f0ee0d1 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml
index c1246cf73..76558666c 100644
--- a/vars/RedHat_8.yml
+++ b/vars/RedHat_8.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/SmartOS.yml b/vars/SmartOS.yml
new file mode 100644
index 000000000..ef38877a0
--- /dev/null
+++ b/vars/SmartOS.yml
@@ -0,0 +1,8 @@
+---
+sshd_path: /usr/lib/ssh/sshd
+ssh_host_keys_dir: '/var/ssh'
+sshd_service_name: ssh
+ssh_owner: root
+ssh_group: root
+
+ssh_pam_support: false
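Review bot: `ssh_pam_support: false` is the one value in this new file that changes the rendered sshd hardening rather than a path, and nothing records why PAM is turned off for SmartOS; a comment such as `# SmartOS sshd is not built with PAM support — keep UsePAM off` (or whatever the real reason is) would stop a later maintainer from flipping it to `true`, a change that presumably drives `UsePAM` in the template this role renders and can only be validated on the platform itself. `ssh_host_keys_dir: '/var/ssh'` likewise differs from every other platform; if the reason is the global-zone layout where `/etc` is rebuilt from the platform image while `/var` persists, a one-line comment saying so belongs next to it — I am inferring that reason, not confirming it. Quoting is also mixed, with `sshd_path: /usr/lib/ssh/sshd` bare while the directory is quoted; either style is fine, but pick one for the file.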