
ssh-curve ajout du role ssh-curve + doc

master
victor héry 6 years ago
parent
commit
5e75dee921
9 changed files with 131 additions and 0 deletions
  1. +15
    -0
      README.md
  2. +11
    -0
      roles/ssh-curve/files/ssh_config
  3. +4
    -0
      roles/ssh-curve/handlers/main.yml
  4. +56
    -0
      roles/ssh-curve/tasks/main.yml
  5. +22
    -0
      roles/ssh-curve/templates/sshd_config.j2
  6. +5
    -0
      roles/ssh-curve/vars/Debian.yml
  7. +5
    -0
      roles/ssh-curve/vars/RedHat.yml
  8. +1
    -0
      roles/ssh-curve/vars/Virtuozzo.yml
  9. +12
    -0
      ssh-curve.yml

+ 15
- 0
README.md View File

@ -74,6 +74,14 @@ Yet another ansible's playbook repository
* unbound
* Possibility to deploy unbound as a local resolver, with forwading zone to your local DNS server (ie .lan, .home, ...)
* You need to add unbound variables (see below)
* ssh-curve : based from https://blog.arnaudminable.net/secure-shell-mon-amour-dechu/
* DISCLAIMER : using this role WILL trigger "breaking attempt messages" with SSH as server keys are changed, do not forget to clean your know_hosts file(s)
* needs debian jessie or later, centos 7 or later
* configure ssh to use exclusively actual most secure cipher and algorithms
* allow ssh port, listen address, password authent customization
* generate ed25519 keys for server instead of RSA
* configure ssh client to use strong algorithms
* will create compatibility problem with old ssh versions (openwrt, old putty, debian wheezy)
## example host file
=====
@ -172,4 +180,11 @@ rudder_server: 192.168.0.100
unbound_local_zone: "lan"
unbound_forward_dns: XXX.XXX.XXX.XXX
# ssh-curve
# ssh_port: (default 22)
# ssh_ipv4_listen: (default "0.0.0.0")
# ssh_ipv6_listen: (default "::")
# ssh_authorizedkeysfile: (default ".ssh/authorized_keys")
# ssh_pwd_authent: (default "no")
```

+ 11
- 0
roles/ssh-curve/files/ssh_config View File

@ -0,0 +1,11 @@
Host *
GSSAPIAuthentication no
ForwardX11Trusted yes
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com
MACs umac-128-etm@openssh.com
UseRoaming no
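Review bot: `ForwardX11Trusted yes` under `Host *` grants every server the client connects to full, trusted access to the local X display whenever X11 forwarding is used, which undoes the hardening the algorithm pins on the lines above are meant to provide; set `ForwardX11Trusted no` (Debian ships `yes` as its default, which is presumably where this came from). Two lines worth adding next to `KexAlgorithms`, `Ciphers` and `MACs`: `HostKeyAlgorithms ssh-ed25519`, so the client also refuses legacy host-key types, and `HashKnownHosts yes`, which limits what a compromised workstation's known_hosts reveals about the fleet. `UseRoaming no` is correct for the client versions this role targets; I believe releases that later removed roaming support simply ignore the option, so it is harmless to keep. The file's whole content is within the hunk.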

+ 4
- 0
roles/ssh-curve/handlers/main.yml View File

@ -0,0 +1,4 @@
---
- name: restart ssh
service: name={{ ssh_daemon }} state=restarted
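Review bot: The handler passes module arguments as a `key=value` string, `service: name={{ ssh_daemon }} state=restarted`, while tasks/main.yml in the same commit writes module arguments as block YAML; for consistency, and so the Jinja expression is a quoted scalar, write `service:` / `name: "{{ ssh_daemon }}"` / `state: restarted` on three lines. `state: restarted` rather than `reloaded` is the right choice here, since the role replaces host keys and a reload does not re-read them.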

+ 56
- 0
roles/ssh-curve/tasks/main.yml View File

@ -0,0 +1,56 @@
---
# Ce role permet de deployer des fichiers de configurations SSH n'utilisant que des
# algorithmes consideres comme sur, notamment bases sur les courbes elliptiques.
# Adaptation de https://blog.arnaudminable.net/secure-shell-mon-amour-dechu/
# WARN : peut poser des problemes de compatibilites avec les vieux SSH (< 6.7)
- name: Import OS variables
include_vars: "{{ ansible_os_family }}.yml"
tags:
- ssh-curve
- name: upload sshd_config
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
backup: yes
tags:
- ssh-curve
notify: restart ssh
- name: upload ssh_config (for client connexion)
copy:
src: ssh_config
dest: /etc/ssh/ssh_config
backup: yes
tags:
- ssh-curve
notify: restart ssh
- name: remove obsoletes rsa and dsa keys - WARN! This WILL cause BREAKING ATTEMPT messages
file:
path: "{{ item }}"
state: absent
tags:
- ssh-curve
with_items:
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ecdsa_key.pub
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_rsa_key.pub
- /etc/ssh/ssh_host_ed25519_key
- /etc/ssh/ssh_host_ed25519_key.pub
notify: restart ssh
- name: regenerate sshd ed25519 key to avoid cloudinit identikey problem
command: ssh-keygen -q -N "" -C "" -o -a 1000 -t ed25519 -f "/etc/ssh/ssh_host_ed25519_key"
tags:
- ssh-curve
notify: restart ssh
- name: generate a secure ed25519 key you could ssh-copy to other servers (do not overwrite existing key by default)
command: ssh-keygen -t ed25519 -o -a 1000 -C "" -N "" -q -f "/root/.ssh/id_ed25519"
ignore_errors: yes
tags:
- ssh-curve
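Review bot: The `upload sshd_config` task writes `/etc/ssh/sshd_config` without a `validate:` argument, so a template error or an option the installed sshd does not accept is only discovered when the `restart ssh` handler fires, at which point the daemon is down and the host is unreachable; add `validate: '/usr/sbin/sshd -t -f %s'` to the `template:` call (the sshd path may differ per distribution — confirm against the OS vars). The `remove obsoletes rsa and dsa keys` task deletes `/etc/ssh/ssh_host_ed25519_key` on every run and the following `command` task unconditionally regenerates it, so each playbook run rotates the host key and every client sees the "host key changed" warning the README mentions — repeated legitimate rotations teach users to accept that warning, which is the one check that protects them from an impersonated server. Keep the ed25519 pair out of the removal list and give the regenerate task `args:` / `creates: /etc/ssh/ssh_host_ed25519_key`, or gate the one-time rotation behind an explicit variable for the cloned-image case the task name describes. The `generate a secure ed25519 key` task uses `ignore_errors: yes` to tolerate an existing key, which also masks every other failure (for example a missing `/root/.ssh` directory); `args:` / `creates: /root/.ssh/id_ed25519` makes it idempotent without hiding errors. Note also that this leaves a passphrase-less private key on every managed host, which is worth stating in the README's disclaimer.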

+ 22
- 0
roles/ssh-curve/templates/sshd_config.j2 View File

@ -0,0 +1,22 @@
Port {{ ssh_port|default(22) }}
ListenAddress {{ ssh_ipv4_listen|default("0.0.0.0") }}
ListenAddress {{ ssh_ipv6_listen|default("::") }}
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com
MACs umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org
AuthorizedKeysFile {{ ssh_authorizedkeysfile|default(".ssh/authorized_keys") }}
UseDNS no
SyslogFacility AUTHPRIV
PasswordAuthentication {{ ssh_pwd_authent|default("no") }}
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
UsePrivilegeSeparation sandbox
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
Subsystem sftp {{ sftp_path }}
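Review bot: `GSSAPIAuthentication yes` enables an authentication method nothing in this change configures (no Kerberos realm or keytab anywhere in the role) and contradicts the client file, which sets `GSSAPIAuthentication no`; unless Kerberos is actually in use, write `GSSAPIAuthentication no` here as well. `PermitRootLogin` is left at the daemon's default, which differs across the OpenSSH versions the README says are supported (older releases permit password root login by default); since the playbook connects as root and `PasswordAuthentication` defaults to `no`, state the intent explicitly with `PermitRootLogin without-password`. For detection it is worth adding `LogLevel VERBOSE`, which makes sshd log the fingerprint of the key that authenticated each login so auth logs can be tied to a specific authorized key. `UsePrivilegeSeparation sandbox` is, I believe, rejected by later OpenSSH releases; an `sshd -t` check of the rendered file before restart would catch that at deploy time rather than after the daemon has stopped.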

+ 5
- 0
roles/ssh-curve/vars/Debian.yml View File

@ -0,0 +1,5 @@
---
##Variables pour Debian OS
sftp_path: "/usr/lib/openssh/sftp-server"
ssh_daemon: "ssh"
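Review bot: The comment `##Variables pour Debian OS` has no space after the hash, which yamllint's `comments` rule flags; write `# Variables for Debian OS` (the same applies to `roles/ssh-curve/vars/RedHat.yml`). The two values are correctly quoted strings.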

+ 5
- 0
roles/ssh-curve/vars/RedHat.yml View File

@ -0,0 +1,5 @@
---
##Variables pour RedHat OS
sftp_path: "/usr/libexec/openssh/sftp-server"
ssh_daemon: "sshd"

+ 1
- 0
roles/ssh-curve/vars/Virtuozzo.yml View File

@ -0,0 +1 @@
RedHat.yml
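Review bot: The whole content of this file is the single line `RedHat.yml`, which looks like a symlink to the RedHat vars file rendered as text; if it is in fact a regular file, `include_vars: "{{ ansible_os_family }}.yml"` in tasks/main.yml would load a bare string instead of a mapping and the play would fail for Virtuozzo hosts before `sftp_path` and `ssh_daemon` are defined. Confirm it is committed as a symlink, or replace it with a vars file that repeats the two RedHat values.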

+ 12
- 0
ssh-curve.yml View File

@ -0,0 +1,12 @@
---
# Playbook permettant de deployer une configuration openssh server basee uniquement sur les algo les plus costauds actuels
- name: Deployer la configuration ssh courbe elliptique
hosts: all
user: root
gather_facts: yes
roles:
- ssh-curve
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:
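Review bot: `hosts: all` combined with the host-key replacement this role performs means a plain run of this playbook rotates the SSH host key of every inventory host at once, and the known_hosts warning from the README then applies to the whole fleet; point the play at a dedicated group, or document that `--limit` is expected, so the blast radius of a mistaken run is bounded. `user: root` is the older spelling of `remote_user: root`, and `gather_facts: yes` should be `gather_facts: true` per yamllint's truthy rule.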
