From 5e75dee9218e7b1689efc08ee2b66ee328b72e29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?victor=20h=C3=A9ry?= Date: Wed, 14 Feb 2018 09:38:41 +0100 Subject: [PATCH] ssh-curve ajout du role ssh-curve + doc --- README.md | 15 +++++++ roles/ssh-curve/files/ssh_config | 11 +++++ roles/ssh-curve/handlers/main.yml | 4 ++ roles/ssh-curve/tasks/main.yml | 56 ++++++++++++++++++++++++ roles/ssh-curve/templates/sshd_config.j2 | 22 ++++++++++ roles/ssh-curve/vars/Debian.yml | 5 +++ roles/ssh-curve/vars/RedHat.yml | 5 +++ roles/ssh-curve/vars/Virtuozzo.yml | 1 + ssh-curve.yml | 12 +++++ 9 files changed, 131 insertions(+) create mode 100644 roles/ssh-curve/files/ssh_config create mode 100644 roles/ssh-curve/handlers/main.yml create mode 100644 roles/ssh-curve/tasks/main.yml create mode 100644 roles/ssh-curve/templates/sshd_config.j2 create mode 100644 roles/ssh-curve/vars/Debian.yml create mode 100644 roles/ssh-curve/vars/RedHat.yml create mode 120000 roles/ssh-curve/vars/Virtuozzo.yml create mode 100644 ssh-curve.yml diff --git a/README.md b/README.md index 49e786b..cc12a54 100644 --- a/README.md +++ b/README.md 
@@ -74,6 +74,14 @@ Yet another ansible's playbook repository * unbound * Possibility to deploy unbound as a local resolver, with forwading zone to your local DNS server (ie .lan, .home, ...) * You need to add unbound variables (see below) +* ssh-curve : based from https://blog.arnaudminable.net/secure-shell-mon-amour-dechu/ + * DISCLAIMER : using this role WILL trigger "breaking attempt messages" with SSH as server keys are changed, do not forget to clean your know_hosts file(s) + * needs debian jessie or later, centos 7 or later + * configure ssh to use exclusively actual most secure cipher and algorithms + * allow ssh port, listen address, password authent customization + * generate ed25519 keys for server instead of RSA + * configure ssh client to use strong algorithms + * will create compatibility problem with old ssh versions (openwrt, old putty, debian wheezy) ## example host file ===== @@ -172,4 +180,11 @@ rudder_server: 192.168.0.100 unbound_local_zone: "lan" unbound_forward_dns: XXX.XXX.XXX.XXX +# ssh-curve +# ssh_port: (default 22) +# ssh_ipv4_listen: (default "0.0.0.0") +# ssh_ipv6_listen: (default "::") +# ssh_authorizedkeysfile: (default ".ssh/authorized_keys") +# ssh_pwd_authent: (default "no") + ``` diff --git a/roles/ssh-curve/files/ssh_config b/roles/ssh-curve/files/ssh_config new file mode 100644 index 0000000..d061fd4 --- /dev/null +++ b/roles/ssh-curve/files/ssh_config @@ -0,0 +1,11 @@ +Host * + GSSAPIAuthentication no + ForwardX11Trusted yes + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv XMODIFIERS + KexAlgorithms curve25519-sha256@libssh.org + Ciphers chacha20-poly1305@openssh.com + MACs umac-128-etm@openssh.com + UseRoaming no diff --git a/roles/ssh-curve/handlers/main.yml b/roles/ssh-curve/handlers/main.yml new file mode 100644 index 0000000..7e8e7be --- /dev/null 
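Review bot: `ForwardX11Trusted yes` under `Host *` pulls in the opposite direction from a hardening role: whenever a user forwards X11 with `-X`, the remote side gets a trusted X connection, i.e. it can read keystrokes and window contents of every other client on the local display. This is the Debian/RHEL default, but a client config whose stated purpose is to tighten things should set `ForwardX11Trusted no` and let users opt in per host or with `-Y`. `UseRoaming no` was the client-side workaround for the roaming information leak and has since been removed from OpenSSH, so newer clients warn about the unknown option on every connection; a comment such as `# kept for pre-7.x clients, newer ones warn and ignore it` would stop the next reader from deleting or cargo-culting it. A short header comment stating that the single-entry `KexAlgorithms`/`Ciphers`/`MACs` lists make this client refuse any server that lacks curve25519/chacha20 (old PuTTY, wheezy, OpenWrt) belongs in the file itself, not only in the README.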
+++ b/roles/ssh-curve/handlers/main.yml @@ -0,0 +1,4 @@ +--- + +- name: restart ssh + service: name={{ ssh_daemon }} state=restarted \ No newline at end of file diff --git a/roles/ssh-curve/tasks/main.yml b/roles/ssh-curve/tasks/main.yml new file mode 100644 index 0000000..e9b3869 --- /dev/null +++ b/roles/ssh-curve/tasks/main.yml @@ -0,0 +1,56 @@ +--- + +# Ce role permet de deployer des fichiers de configurations SSH n'utilisant que des +# algorithmes consideres comme sur, notamment bases sur les courbes elliptiques. +# Adaptation de https://blog.arnaudminable.net/secure-shell-mon-amour-dechu/ +# WARN : peut poser des problemes de compatibilites avec les vieux SSH (< 6.7) + +- name: Import OS variables + include_vars: "{{ ansible_os_family }}.yml" + tags: + - ssh-curve + +- name: upload sshd_config + template: + src: sshd_config.j2 + dest: /etc/ssh/sshd_config + backup: yes + tags: + - ssh-curve + notify: restart ssh + +- name: upload ssh_config (for client connexion) + copy: + src: ssh_config + dest: /etc/ssh/ssh_config + backup: yes + tags: + - ssh-curve + notify: restart ssh + +- name: remove obsoletes rsa and dsa keys - WARN! This WILL cause BREAKING ATTEMPT messages + file: + path: "{{ item }}" + state: absent + tags: + - ssh-curve + with_items: + - /etc/ssh/ssh_host_ecdsa_key + - /etc/ssh/ssh_host_ecdsa_key.pub + - /etc/ssh/ssh_host_rsa_key + - /etc/ssh/ssh_host_rsa_key.pub + - /etc/ssh/ssh_host_ed25519_key + - /etc/ssh/ssh_host_ed25519_key.pub + notify: restart ssh + +- name: regenerate sshd ed25519 key to avoid cloudinit identikey problem + command: ssh-keygen -q -N "" -C "" -o -a 1000 -t ed25519 -f "/etc/ssh/ssh_host_ed25519_key" + tags: + - ssh-curve + notify: restart ssh + +- name: generate a secure ed25519 key you could ssh-copy to other servers (do not overwrite existing key by default) + command: ssh-keygen -t ed25519 -o -a 1000 -C "" -N "" -q -f "/root/.ssh/id_ed25519" + ignore_errors: yes + tags: + - ssh-curve \ No newline at end of file 
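Review bot: The host-key tasks are not idempotent and rotate the ed25519 host key on every run: `ssh_host_ed25519_key` sits in the `with_items` deletion list and the regenerate task has no `creates:` guard, so each play run produces a new host key and a fresh "REMOTE HOST IDENTIFICATION HAS CHANGED" warning on every client, which trains people to accept host-key changes blindly. Generating the key only when it is missing, and deleting an existing one only behind an explicit variable, keeps the cloud-init clone fix while making reruns a no-op (rewritten tasks below). The root client-key task relies on `ignore_errors: yes` to survive an existing key (and a missing `/root/.ssh`), which also hides genuine failures; `args: creates: /root/.ssh/id_ed25519` is the right guard and the directory should be created first. The template task should validate before it notifies the restart handler, `validate: '/usr/sbin/sshd -t -f %s'`, since a broken sshd_config on a remote host is a lock-out; because `sshd -t` also checks that the `HostKey` file exists, move the template task after the key tasks. Minor: the task name says "rsa and dsa keys" but the list removes ecdsa and ed25519 keys, not dsa.

```yaml
# … unchanged: Import OS variables …

- name: remove obsolete rsa and ecdsa host keys - WARN! clients will see a host key change
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/ssh/ssh_host_ecdsa_key
    - /etc/ssh/ssh_host_ecdsa_key.pub
    - /etc/ssh/ssh_host_rsa_key
    - /etc/ssh/ssh_host_rsa_key.pub
  tags:
    - ssh-curve
  notify: restart ssh

- name: drop the ed25519 host key only when a fresh one is explicitly requested (cloned images)
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/ssh/ssh_host_ed25519_key
    - /etc/ssh/ssh_host_ed25519_key.pub
  when: ssh_regen_host_key|default(false)|bool
  tags:
    - ssh-curve
  notify: restart ssh

- name: generate the sshd ed25519 host key if missing
  command: ssh-keygen -q -N "" -C "" -o -a 1000 -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
  args:
    creates: /etc/ssh/ssh_host_ed25519_key
  tags:
    - ssh-curve
  notify: restart ssh

- name: upload sshd_config (validated before the restart handler fires)
  template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    backup: yes
    validate: '/usr/sbin/sshd -t -f %s'
  tags:
    - ssh-curve
  notify: restart ssh

# … unchanged: upload ssh_config …

- name: ensure /root/.ssh exists for the client key
  file:
    path: /root/.ssh
    state: directory
    mode: '0700'
  tags:
    - ssh-curve

- name: generate a root ed25519 client key if missing (never overwrites an existing one)
  command: ssh-keygen -t ed25519 -o -a 1000 -C "" -N "" -q -f /root/.ssh/id_ed25519
  args:
    creates: /root/.ssh/id_ed25519
  tags:
    - ssh-curve
```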
diff --git a/roles/ssh-curve/templates/sshd_config.j2 b/roles/ssh-curve/templates/sshd_config.j2
new file mode 100644
index 0000000..544ba6c
--- /dev/null
+++ b/roles/ssh-curve/templates/sshd_config.j2
@@ -0,0 +1,22 @@
+
+Port {{ ssh_port|default(22) }}
+ListenAddress {{ ssh_ipv4_listen|default("0.0.0.0") }}
+ListenAddress {{ ssh_ipv6_listen|default("::") }}
+HostKey /etc/ssh/ssh_host_ed25519_key
+Ciphers chacha20-poly1305@openssh.com
+MACs umac-128-etm@openssh.com
+KexAlgorithms curve25519-sha256@libssh.org
+AuthorizedKeysFile {{ ssh_authorizedkeysfile|default(".ssh/authorized_keys") }}
+UseDNS no
+SyslogFacility AUTHPRIV
+PasswordAuthentication {{ ssh_pwd_authent|default("no") }}
+ChallengeResponseAuthentication no
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+UsePAM yes
+UsePrivilegeSeparation sandbox
+X11Forwarding yes
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+Subsystem sftp {{ sftp_path }}
diff --git a/roles/ssh-curve/vars/Debian.yml b/roles/ssh-curve/vars/Debian.yml
new file mode 100644
index 0000000..ec4d2bf
--- /dev/null
+++ b/roles/ssh-curve/vars/Debian.yml
@@ -0,0 +1,5 @@
+---
+##Variables pour Debian OS
+
+sftp_path: "/usr/lib/openssh/sftp-server"
+ssh_daemon: "ssh"
\ No newline at end of file
diff --git a/roles/ssh-curve/vars/RedHat.yml b/roles/ssh-curve/vars/RedHat.yml
new file mode 100644
index 0000000..d9bc544
--- /dev/null
+++ b/roles/ssh-curve/vars/RedHat.yml
@@ -0,0 +1,5 @@
+---
+##Variables pour RedHat OS
+
+sftp_path: "/usr/libexec/openssh/sftp-server"
+ssh_daemon: "sshd"
\ No newline at end of file
diff --git a/roles/ssh-curve/vars/Virtuozzo.yml b/roles/ssh-curve/vars/Virtuozzo.yml
new file mode 120000
index 0000000..f802000
--- /dev/null
+++ b/roles/ssh-curve/vars/Virtuozzo.yml
@@ -0,0 +1 @@
+RedHat.yml
\ No newline at end of file
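Review bot: `PermitRootLogin` is never set in the template, so sshd falls back to its built-in default, which is `yes` on the OpenSSH versions the README targets (jessie ships 6.7, CentOS 7 ships 6.6); as soon as a host overrides `ssh_pwd_authent` to `yes`, root password logins are open on it. Since the playbook itself connects as root and provisions a root key, make the policy explicit with `PermitRootLogin {{ ssh_permit_root_login|default("without-password") }}` (`prohibit-password` is the 7.0+ spelling; `without-password` is still accepted as an alias and works on 6.x). `GSSAPIAuthentication yes` and `X11Forwarding yes` are likewise server defaults that a hardening template would normally turn off unless a variable opts in, and adding `LogLevel VERBOSE` makes sshd log the fingerprint of every key used, which is what you want when reviewing auth logs. `UsePrivilegeSeparation sandbox` is deprecated from OpenSSH 7.5 onward (accepted with a warning), so a comment such as `# needed on 6.x; a no-op with a warning on 7.5+` would keep a future reader from "fixing" it blindly.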
diff --git a/ssh-curve.yml b/ssh-curve.yml new file mode 100644 index 0000000..9d478e2 --- /dev/null +++ b/ssh-curve.yml @@ -0,0 +1,12 @@ +--- +# Playbook permettant de deployer une configuration openssh server basee uniquement sur les algo les plus costauds actuels + +- name: Deployer la configuration ssh courbe elliptique + hosts: all + user: root + gather_facts: yes + + roles: + - ssh-curve + +# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:
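Review bot: `user: root` is the legacy spelling of the play-level `remote_user:` keyword; `remote_user: root` is what current Ansible documentation uses and reads unambiguously next to `become`. `hosts: all` is a wide default for a play whose role deletes and regenerates host keys on the target; consider a dedicated group or a `serial:` setting, and state in the header comment that every client's known_hosts must be updated afterwards (the README says so, the playbook does not).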