@ -0,0 +1,11 @@ | |||||
Host * | |||||
GSSAPIAuthentication no | |||||
ForwardX11Trusted yes | |||||
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | |||||
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | |||||
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE | |||||
SendEnv XMODIFIERS | |||||
KexAlgorithms curve25519-sha256@libssh.org | |||||
Ciphers chacha20-poly1305@openssh.com | |||||
MACs umac-128-etm@openssh.com | |||||
UseRoaming no |
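Review bot: `ForwardX11Trusted yes` under `Host *` grants every remote host trusted access to the local X display whenever X11 forwarding is in use, which lets a compromised server read keystrokes and screen contents of the client session; that undoes the hardening the rest of this file is going for, so change it to `ForwardX11Trusted no` and enable forwarding per host only where it is actually needed. `UseRoaming no` is a sensible mitigation on the 5.x–7.2 clients this role targets, but the option was removed from later releases and ssh treats unknown keywords in ssh_config as a fatal error, so this line will presumably break ssh entirely on newer clients — worth a comment, and dropping it once clients are upgraded. Since the server side of this change deploys only an ed25519 host key, consider also pinning `HostKeyAlgorithms ssh-ed25519` here so the client refuses anything else.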
@ -0,0 +1,4 @@ | |||||
--- | |||||
- name: restart ssh | |||||
service: name={{ ssh_daemon }} state=restarted |
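Review bot: The handler uses the legacy `key=value` argument string; native block YAML is the Ansible convention and keeps the templated name quoted, i.e. `service:` / `  name: "{{ ssh_daemon }}"` / `  state: restarted`. The hunk header counts four lines but only three are visible, so the handler may continue outside this view.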
@ -0,0 +1,56 @@ | |||||
--- | |||||
# Ce role permet de deployer des fichiers de configurations SSH n'utilisant que des | |||||
# algorithmes consideres comme sur, notamment bases sur les courbes elliptiques. | |||||
# Adaptation de https://blog.arnaudminable.net/secure-shell-mon-amour-dechu/ | |||||
# WARN : peut poser des problemes de compatibilites avec les vieux SSH (< 6.7) | |||||
- name: Import OS variables | |||||
include_vars: "{{ ansible_os_family }}.yml" | |||||
tags: | |||||
- ssh-curve | |||||
- name: upload sshd_config | |||||
template: | |||||
src: sshd_config.j2 | |||||
dest: /etc/ssh/sshd_config | |||||
backup: yes | |||||
tags: | |||||
- ssh-curve | |||||
notify: restart ssh | |||||
- name: upload ssh_config (for client connexion) | |||||
copy: | |||||
src: ssh_config | |||||
dest: /etc/ssh/ssh_config | |||||
backup: yes | |||||
tags: | |||||
- ssh-curve | |||||
notify: restart ssh | |||||
- name: remove obsoletes rsa and dsa keys - WARN! This WILL cause BREAKING ATTEMPT messages | |||||
file: | |||||
path: "{{ item }}" | |||||
state: absent | |||||
tags: | |||||
- ssh-curve | |||||
with_items: | |||||
- /etc/ssh/ssh_host_ecdsa_key | |||||
- /etc/ssh/ssh_host_ecdsa_key.pub | |||||
- /etc/ssh/ssh_host_rsa_key | |||||
- /etc/ssh/ssh_host_rsa_key.pub | |||||
- /etc/ssh/ssh_host_ed25519_key | |||||
- /etc/ssh/ssh_host_ed25519_key.pub | |||||
notify: restart ssh | |||||
- name: regenerate sshd ed25519 key to avoid cloudinit identikey problem | |||||
command: ssh-keygen -q -N "" -C "" -o -a 1000 -t ed25519 -f "/etc/ssh/ssh_host_ed25519_key" | |||||
tags: | |||||
- ssh-curve | |||||
notify: restart ssh | |||||
- name: generate a secure ed25519 key you could ssh-copy to other servers (do not overwrite existing key by default) | |||||
command: ssh-keygen -t ed25519 -o -a 1000 -C "" -N "" -q -f "/root/.ssh/id_ed25519" | |||||
ignore_errors: yes | |||||
tags: | |||||
- ssh-curve |
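Review bot: The `upload sshd_config` task has no `validate:`, so a template that renders to something sshd rejects (a bad `ssh_ipv4_listen` value, say) is written to `/etc/ssh/sshd_config` and the `restart ssh` handler then takes the daemon down with no way back in; add `validate: "/usr/sbin/sshd -t -f %s"` to that task. The two `ssh-keygen` tasks are not idempotent: the removal task deletes `ssh_host_ed25519_key` and the next task regenerates it on every run, so the host fingerprint changes each time the role is applied, and the root key task uses `ignore_errors: yes` to paper over the file-already-exists case — give both a `creates:` (e.g. `args:` / `creates: /root/.ssh/id_ed25519`) and gate the ed25519 deletion on a variable so a first deploy replaces the cloud-init key but later runs keep it. The `upload ssh_config` task notifies `restart ssh` although sshd never reads the client configuration, so that notify can be dropped. `with_items` works but `loop:` is the current form, and the French header comments would be clearer in English for the next maintainer.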
@ -0,0 +1,22 @@ | |||||
Port {{ ssh_port|default(22) }} | |||||
ListenAddress {{ ssh_ipv4_listen|default("0.0.0.0") }} | |||||
ListenAddress {{ ssh_ipv6_listen|default("::") }} | |||||
HostKey /etc/ssh/ssh_host_ed25519_key | |||||
Ciphers chacha20-poly1305@openssh.com | |||||
MACs umac-128-etm@openssh.com | |||||
KexAlgorithms curve25519-sha256@libssh.org | |||||
AuthorizedKeysFile {{ ssh_authorizedkeysfile|default(".ssh/authorized_keys") }} | |||||
UseDNS no | |||||
SyslogFacility AUTHPRIV | |||||
PasswordAuthentication {{ ssh_pwd_authent|default("no") }} | |||||
ChallengeResponseAuthentication no | |||||
GSSAPIAuthentication yes | |||||
GSSAPICleanupCredentials no | |||||
UsePAM yes | |||||
UsePrivilegeSeparation sandbox | |||||
X11Forwarding yes | |||||
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | |||||
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | |||||
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE | |||||
Subsystem sftp {{ sftp_path }} |
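Review bot: `PermitRootLogin` is left at its compiled default, which is `yes` on the pre-7.0 OpenSSH releases the role's own comment targets and only became `prohibit-password` later, so this template combined with `ssh_pwd_authent` set to yes permits root password login; pin it explicitly with `PermitRootLogin without-password` (the playbook connects as root, so `no` is not an option here). `GSSAPIAuthentication yes` and `X11Forwarding yes` both widen the daemon's attack surface for no stated reason — the client config in this same change disables GSSAPI — so default them to `GSSAPIAuthentication no` and `X11Forwarding no` unless Kerberos or X11 is actually required. For detection it is worth adding `LogLevel VERBOSE`, which, to my recollection, is needed on the older releases targeted here for sshd to log the fingerprint of the key that authenticated each session. `UsePrivilegeSeparation sandbox` is valid on those versions but deprecated in later ones, so expect a startup warning rather than an error once hosts are upgraded.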
@ -0,0 +1,5 @@ | |||||
--- | |||||
##Variables pour Debian OS | |||||
sftp_path: "/usr/lib/openssh/sftp-server" | |||||
ssh_daemon: "ssh" |
@ -0,0 +1,5 @@ | |||||
--- | |||||
##Variables pour RedHat OS | |||||
sftp_path: "/usr/libexec/openssh/sftp-server" | |||||
ssh_daemon: "sshd" |
@ -0,0 +1 @@ | |||||
RedHat.yml |
@ -0,0 +1,12 @@ | |||||
--- | |||||
# Playbook permettant de deployer une configuration openssh server basee uniquement sur les algo les plus costauds actuels | |||||
- name: Deployer la configuration ssh courbe elliptique | |||||
hosts: all | |||||
user: root | |||||
gather_facts: yes | |||||
roles: | |||||
- ssh-curve | |||||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: |
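Review bot: `user: root` is the legacy spelling of the play keyword; use `remote_user: root`. Because the role, as its tasks are written, replaces the ed25519 host key of every target in `hosts: all`, each run changes the fingerprint the controller holds in `known_hosts`, so document that operators must refresh it (or scope `hosts` to a group) before rerunning. The French header comment would be clearer in English: `# Playbook deploying an OpenSSH server configuration that allows only the strongest currently available algorithms`.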