From 9382f4285bf7121711ecba6b9c9b4882f9ceef3e Mon Sep 17 00:00:00 2001
From: Alex Waite
Date: Sat, 20 Jun 2020 12:57:59 +0200
Subject: [PATCH 1/3] add var sshd_path, for OSs with alternate sshd locations

Signed-off-by: Alex Waite
---
 tasks/hardening.yml | 2 +-
 vars/Archlinux.yml | 2 ++
 vars/Debian.yml | 1 +
 vars/Fedora.yml | 1 +
 vars/FreeBSD.yml | 1 +
 vars/OpenBSD.yml | 1 +
 vars/Oracle Linux.yml | 1 +
 vars/RedHat.yml | 1 +
 vars/RedHat_8.yml | 1 +
 9 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/tasks/hardening.yml b/tasks/hardening.yml
index 692b779b3..eb682c115 100644
--- a/tasks/hardening.yml
+++ b/tasks/hardening.yml
@@ -50,7 +50,7 @@
 mode: '0600'
 owner: '{{ ssh_owner }}'
 group: '{{ ssh_group }}'
- validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s'
+ validate: '{{ sshd_path }} -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s'
 notify: restart sshd
 when: ssh_server_hardening | bool
diff --git a/vars/Archlinux.yml b/vars/Archlinux.yml
index 42c8bb010..32eb9b697 100644
--- a/vars/Archlinux.yml
+++ b/vars/Archlinux.yml
@@ -1,3 +1,5 @@
+---
+sshd_path: /usr/sbin/sshd
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 1ff248243..e62ec2460 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -1,4 +1,5 @@
 ---
+sshd_path: /usr/sbin/sshd
 sshd_service_name: ssh
 ssh_owner: root
 ssh_group: root
diff --git a/vars/Fedora.yml b/vars/Fedora.yml
index c1246cf73..18d7e5f7a 100644
--- a/vars/Fedora.yml
+++ b/vars/Fedora.yml
@@ -1,4 +1,5 @@
 ---
+sshd_path: /usr/sbin/sshd
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml
index ff092b475..09d48b053 100644
--- a/vars/FreeBSD.yml
+++ b/vars/FreeBSD.yml
@@ -1,4 +1,5 @@
 ---
+sshd_path: /usr/sbin/sshd
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
diff --git a/vars/OpenBSD.yml b/vars/OpenBSD.yml
index cb2a02281..43af7e96d 100644
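Review bot: The validate command now depends on `sshd_path`, and nothing in this series provides a fallback for it (the diffstat touches no defaults file), so a host whose platform has no matching vars file fails this task with an undefined-variable error where it previously ran with the hard-coded `/usr/sbin/sshd`; the meta in the next patch lists Amazon, which has no vars/Amazon.yml here, so this depends on whether the role selects the vars file by distribution or by os_family. Unless every supported platform is guaranteed a vars file, either add `sshd_path: /usr/sbin/sshd` to the role defaults or write `validate: '{{ sshd_path | default("/usr/sbin/sshd") }} -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s'` so only alternate-location platforms need to override it. As far as I recall the module runs `validate` without a shell and splits it on whitespace, so a value with spaces would break the command; a one-line comment next to the variable's definition noting "absolute path, no spaces" would save someone a confusing failure. The enclosing task starts before this hunk, so I cannot see whether it is `template` or `copy`.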
--- a/vars/OpenBSD.yml
+++ b/vars/OpenBSD.yml
@@ -1,4 +1,5 @@
 ---
+sshd_path: /usr/sbin/sshd
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml
index 6abeccac1..40f00b533 100644
--- a/vars/Oracle Linux.yml
+++ b/vars/Oracle Linux.yml
@@ -1,4 +1,5 @@
 ---
+sshd_path: /usr/sbin/sshd
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 6abeccac1..40f00b533 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -1,4 +1,5 @@
 ---
+sshd_path: /usr/sbin/sshd
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml
index c1246cf73..18d7e5f7a 100644
--- a/vars/RedHat_8.yml
+++ b/vars/RedHat_8.yml
@@ -1,4 +1,5 @@
 ---
+sshd_path: /usr/sbin/sshd
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root

From 325a6073b6a58032d7d18d04fa1a91ab2d2b66fe Mon Sep 17 00:00:00 2001
From: Alex Waite
Date: Sat, 20 Jun 2020 12:59:50 +0200
Subject: [PATCH 2/3] add SmartOS support

Signed-off-by: Alex Waite
---
 meta/main.yml | 1 +
 vars/SmartOS.yml | 7 +++++++
 2 files changed, 8 insertions(+)
 create mode 100644 vars/SmartOS.yml

diff --git a/meta/main.yml b/meta/main.yml
index b88dbd4b2..9b997db3b 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -22,6 +22,7 @@ galaxy_info:
 - name: Amazon
 - name: Fedora
 - name: Archlinux
+ - name: SmartOS
 galaxy_tags:
 - system
 - security
diff --git a/vars/SmartOS.yml b/vars/SmartOS.yml
new file mode 100644
index 000000000..c76324abc
--- /dev/null
+++ b/vars/SmartOS.yml
@@ -0,0 +1,7 @@
+---
+sshd_path: /usr/lib/ssh/sshd
+sshd_service_name: ssh
+ssh_owner: root
+ssh_group: root
+
+ssh_pam_support: false

From 855f8a93e44062e3d23c1414d0a3a05cfad12a2b Mon Sep 17 00:00:00 2001
From: Alex Waite
Date: Sat, 20 Jun 2020 13:00:34 +0200
Subject: [PATCH 3/3] add var ssh_host_keys_dir, for OSes with alternate host key locations
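Review bot: `ssh_pam_support: false` is the one security-relevant setting in the new vars/SmartOS.yml and it carries no explanation; presumably it stops the role from emitting `UsePAM yes`, in which case PAM-enforced controls (account lockout, password aging, pam_access restrictions) would not apply to SSH logins on SmartOS, and a maintainer needs to know whether that reflects an sshd actually built without PAM or an untested default carried over from another platform. I would add above it `# sshd on SmartOS is assumed to be built without PAM support; verify with 'sshd -T | grep -i usepam' on a target before relying on this` — or drop the line if the binary does support PAM and let the role's default apply. The other values (`sshd_path: /usr/lib/ssh/sshd`, `sshd_service_name: ssh`) look plausible for the illumos layout and SMF service name, but I cannot confirm them from the diff, so a short header comment naming the platform version they were checked against would help.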
Signed-off-by: Alex Waite
---
 tasks/crypto_hostkeys.yml | 12 +++++++++---
 vars/Archlinux.yml | 1 +
 vars/Debian.yml | 1 +
 vars/Fedora.yml | 1 +
 vars/FreeBSD.yml | 1 +
 vars/OpenBSD.yml | 1 +
 vars/Oracle Linux.yml | 1 +
 vars/RedHat.yml | 1 +
 vars/RedHat_8.yml | 1 +
 vars/SmartOS.yml | 1 +
 10 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/tasks/crypto_hostkeys.yml b/tasks/crypto_hostkeys.yml
index c47a57e81..76ff7ad50 100644
--- a/tasks/crypto_hostkeys.yml
+++ b/tasks/crypto_hostkeys.yml
@@ -1,15 +1,21 @@
 ---
 - name: set hostkeys according to openssh-version if openssh >= 5.3
 set_fact:
- ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
+ ssh_host_key_files:
+ - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
 when: sshd_version is version('5.3', '>=')
 
 - name: set hostkeys according to openssh-version if openssh >= 6.0
 set_fact:
- ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
+ ssh_host_key_files:
+ - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+ - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
 when: sshd_version is version('6.0', '>=')
 
 - name: set hostkeys according to openssh-version if openssh >= 6.3
 set_fact:
- ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
+ ssh_host_key_files:
+ - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+ - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
+ - "{{ ssh_host_keys_dir }}/ssh_host_ed25519_key"
 when: sshd_version is version('6.3', '>=')
diff --git a/vars/Archlinux.yml b/vars/Archlinux.yml
index 32eb9b697..5de26a259 100644
--- a/vars/Archlinux.yml
+++ b/vars/Archlinux.yml
@@ -1,5 +1,6 @@
 ---
 sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/Debian.yml b/vars/Debian.yml
index e62ec2460..062c2049e 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
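Review bot: All three `set_fact` tasks now interpolate `ssh_host_keys_dir`, a new variable that no defaults file in this series supplies, so a host whose platform lacks a vars file fails at the first task instead of falling back to the old `/etc/ssh`; either add `ssh_host_keys_dir: /etc/ssh` to the role defaults or use `"{{ ssh_host_keys_dir | default('/etc/ssh') }}/ssh_host_rsa_key"` (and likewise for the ecdsa and ed25519 entries). An overridden value with a trailing slash yields `//` in the resulting HostKey paths — sshd tolerates that, but it shows up as noise in the rendered config, so a comment on the variable stating "absolute directory, no trailing slash" or a `| regex_replace('/$', '')` would pin the convention. The nine repeated path literals are a pre-existing shape, but now that they share a directory variable a single list of key names joined to the directory would remove the chance of the three lists drifting; optional for this change.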
@@ -1,5 +1,6 @@
 ---
 sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: ssh
 ssh_owner: root
 ssh_group: root
diff --git a/vars/Fedora.yml b/vars/Fedora.yml
index 18d7e5f7a..76558666c 100644
--- a/vars/Fedora.yml
+++ b/vars/Fedora.yml
@@ -1,5 +1,6 @@
 ---
 sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml
index 09d48b053..4a69f2415 100644
--- a/vars/FreeBSD.yml
+++ b/vars/FreeBSD.yml
@@ -1,5 +1,6 @@
 ---
 sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
diff --git a/vars/OpenBSD.yml b/vars/OpenBSD.yml
index 43af7e96d..546ce7742 100644
--- a/vars/OpenBSD.yml
+++ b/vars/OpenBSD.yml
@@ -1,5 +1,6 @@
 ---
 sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml
index 40f00b533..36f0ee0d1 100644
--- a/vars/Oracle Linux.yml
+++ b/vars/Oracle Linux.yml
@@ -1,5 +1,6 @@
 ---
 sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 40f00b533..36f0ee0d1 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -1,5 +1,6 @@
 ---
 sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml
index 18d7e5f7a..76558666c 100644
--- a/vars/RedHat_8.yml
+++ b/vars/RedHat_8.yml
@@ -1,5 +1,6 @@
 ---
 sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/vars/SmartOS.yml b/vars/SmartOS.yml
index c76324abc..ef38877a0 100644
--- a/vars/SmartOS.yml
+++ b/vars/SmartOS.yml
@@ -1,5 +1,6 @@
 ---
 sshd_path: /usr/lib/ssh/sshd
+ssh_host_keys_dir: '/var/ssh'
 sshd_service_name: ssh
 ssh_owner: root
 ssh_group: root