dev-sec · rndmh3ro · Jun 20, 2020 · Jun 9, 2020 · Jun 9, 2020 · Jun 9, 2020
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,38 +1,38 @@
 # true if IPv6 is needed
-network_ipv6_enable: false              # sshd + ssh
+network_ipv6_enable: false          # sshd + ssh
 
 # true if sshd should be started and enabled
-ssh_server_enabled: true               # sshd
+ssh_server_enabled: true            # sshd
 
 # true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
-ssh_use_dns: false                      # sshd
+ssh_use_dns: false                  # sshd
 
 # true or value if compression is needed
-ssh_client_compression: false           # ssh
-ssh_compression: false                  # sshd
+ssh_client_compression: false       # ssh
+ssh_compression: false              # sshd
 
 # For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.
 ssh_client_hardening: true          # ssh
 ssh_server_hardening: true          # sshd
 
 # If true, password login is allowed
-ssh_client_password_login: false          # ssh
-ssh_server_password_login: false          # sshd
+ssh_client_password_login: false    # ssh
+ssh_server_password_login: false    # sshd
 
 # ports on which ssh-server should listen
-ssh_server_ports: ['22']      # sshd
+ssh_server_ports: ['22']            # sshd
 
 # port to which ssh-client should connect
-ssh_client_port: '22'         # ssh
+ssh_client_port: '22'               # ssh
 
 # one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!
-ssh_listen_to: ['0.0.0.0']    # sshd
+ssh_listen_to: ['0.0.0.0']          # sshd
 
 # Host keys to look for when starting sshd.
-ssh_host_key_files: []  # sshd
+ssh_host_key_files: []              # sshd
 
 # Specifies the host key algorithms that the server offers
-ssh_host_key_algorithms: []  # sshd
+ssh_host_key_algorithms: []         # sshd
 
 # specifies the time allowed for successful authentication to the SSH server
 ssh_login_grace_time: 30s
@@ -43,13 +43,13 @@ ssh_max_auth_retries: 2
 # Specifies the maximum number of open sessions permitted from a given connection
 ssh_max_sessions: 10
 
-ssh_client_alive_interval: 300          # sshd
-ssh_client_alive_count: 3               # sshd
+ssh_client_alive_interval: 300      # sshd
+ssh_client_alive_count: 3           # sshd
 
 # Allow SSH Tunnels
 ssh_permit_tunnel: false
 
-# Hosts with custom options.            # ssh
+# Hosts with custom options.        # ssh
 # Example:
 # ssh_remote_hosts:
 #   - names: ['example.com', 'example2.com']
@@ -59,23 +59,23 @@ ssh_permit_tunnel: false
 ssh_remote_hosts: []
 
 # Set this to "without-password" or "yes" to allow root to login
-ssh_permit_root_login: 'no'          # sshd
+ssh_permit_root_login: 'no'         # sshd
 
 # false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
-ssh_allow_tcp_forwarding: 'no'        # sshd
+ssh_allow_tcp_forwarding: 'no'      # sshd
 
 # false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.
 # Set to 'clientspecified' to allow the client to specify which address to bind to.
-ssh_gateway_ports: false                # sshd
+ssh_gateway_ports: false            # sshd
 
 # false to disable Agent Forwarding. Set to true to allow Agent Forwarding.
-ssh_allow_agent_forwarding: false       # sshd
+ssh_allow_agent_forwarding: false   # sshd
 
 # true if SSH has PAM support
 ssh_pam_support: true
 
 # false to disable pam authentication.
-ssh_use_pam: true # sshd
+ssh_use_pam: true                   # sshd
 
 # specify AuthenticationMethods
 sshd_authenticationmethods: 'publickey'
@@ -87,29 +87,29 @@ ssh_gssapi_support: false
 ssh_kerberos_support: true
 
 # if specified, login is disallowed for user names that match one of the patterns.
-ssh_deny_users: ''      # sshd
+ssh_deny_users: ''                  # sshd
 
 # if specified, login is allowed only for user names that match one of the patterns.
-ssh_allow_users: ''      # sshd
+ssh_allow_users: ''                 # sshd
 
 # if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
-ssh_deny_groups: ''      # sshd
+ssh_deny_groups: ''                 # sshd
 
 # if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
-ssh_allow_groups: ''      # sshd
+ssh_allow_groups: ''                # sshd
 
 # change default file that contains the public keys that can be used for user authentication.
-ssh_authorized_keys_file: ''      # sshd
+ssh_authorized_keys_file: ''        # sshd
 
 # specifies the file containing trusted certificate authorities public keys used to sign user certificates.
-ssh_trusted_user_ca_keys_file: ''      # sshd
+ssh_trusted_user_ca_keys_file: ''   # sshd
 
 # set the trusted certificate authorities public keys used to sign user certificates.
 # Example:
 # ssh_trusted_user_ca_keys:
 #   - 'ssh-rsa ... comment1'
 #   - 'ssh-rsa ... comment2'
-ssh_trusted_user_ca_keys: []      # sshd
+ssh_trusted_user_ca_keys: []        # sshd
 
 # specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set.
 # Example:
@@ -119,26 +119,26 @@ ssh_trusted_user_ca_keys: []      # sshd
 # replaced by the username of that user. After expansion, the path is taken to be
 # an absolute path or one relative to the user's home directory.
 #
-ssh_authorized_principals_file: ''      # sshd
+ssh_authorized_principals_file: ''  # sshd
 
 # list of hashes containing file paths and authorized principals. Only used if ssh_authorized_principals_file is set.
 # Example:
 # ssh_authorized_principals:
 #   - { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }
 #   - { path: '/etc/ssh/auth_principals/myuser', principals: [ 'masteradmin', 'webserver' ] }
-ssh_authorized_principals: []      # sshd
+ssh_authorized_principals: []       # sshd
 
 # false to disable printing of the MOTD
-ssh_print_motd: false      # sshd
+ssh_print_motd: false               # sshd
 
 # false to disable display of last login information
-ssh_print_last_log: false    # sshd
+ssh_print_last_log: false           # sshd
 
 # false to disable serving /etc/ssh/banner.txt before authentication is allowed
-ssh_banner: false # sshd
+ssh_banner: false                   # sshd
 
 # false to disable distribution version leakage during initial protocol handshake
-ssh_print_debian_banner: false # sshd (Debian OS family only)
+ssh_print_debian_banner: false      # sshd (Debian OS family only)
 
 # true to enable sftp configuration
 sftp_enabled: false
@@ -156,19 +156,19 @@ sftp_chroot_dir: /home/%u
 ssh_client_roaming: false
 
 # list of hashes (containing user and rules) to generate Match User blocks for.
-ssh_server_match_user: false            # sshd
+ssh_server_match_user: false        # sshd
 
 # list of hashes (containing group and rules) to generate Match Group blocks for.
-ssh_server_match_group: false           # sshd
+ssh_server_match_group: false       # sshd
 
 # list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.
-ssh_server_match_address: false           # sshd
+ssh_server_match_address: false     # sshd
 
 ssh_server_permit_environment_vars: 'no'
 ssh_server_accept_env_vars : ''
 
 # maximum number of concurrent unauthenticated connections to the SSH daemon
-ssh_max_startups: '10:30:100'           # sshd
+ssh_max_startups: '10:30:100'       # sshd
 
 ssh_ps53: 'yes'
 ssh_ps59: 'sandbox'

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,4 +1,6 @@
 - name: restart sshd
-  service: name={{ sshd_service_name }} state=restarted
-  when: "(ssh_server_enabled|bool)"
+  service:
+    name: '{{ sshd_service_name }}'
+    state: restarted
+  when: ssh_server_enabled | bool
   become: yes
diff --git a/tasks/ca_keys_and_principals.yml b/tasks/ca_keys_and_principals.yml
@@ -1,5 +1,5 @@
 ---
-- name: Set ssh CA pub keys
+- name: set ssh CA pub keys
   template:
     src: 'trusted_user_ca_keys.j2'
     dest: '{{ ssh_trusted_user_ca_keys_file }}'
@@ -8,20 +8,20 @@
     group: '{{ ssh_group }}'
   notify: restart sshd
 
-- name: Create ssh authorized principals directories
+- name: create ssh authorized principals directories
   file:
     path: '{{ item.path | dirname }}'
     mode: '{{ item.directorymode | default(0700) }}'
     owner: '{{ item.directoryowner | default(ssh_owner) }}'
     group: '{{ item.directorygroup | default(ssh_group) }}'
     state: directory
-  with_items: '{{ ssh_authorized_principals }}'
+  loop: '{{ ssh_authorized_principals }}'
 
-- name: Set ssh authorized principals
+- name: set ssh authorized principals
   template:
     src: 'authorized_principals.j2'
     dest: '{{ item.path }}'
     mode: '{{ item.filemode | default(0600) }}'
     owner: '{{ item.owner| default(ssh_owner) }}'
     group: '{{ item.group | default(ssh_group) }}'
-  with_items: '{{ ssh_authorized_principals }}'
+  loop: '{{ ssh_authorized_principals }}'
diff --git a/tasks/crypto.yml b/tasks/crypto.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: set hostkeys according to openssh-version
   set_fact:
     ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']

diff --git a/tasks/hardening.yml b/tasks/hardening.yml
@@ -1,11 +1,11 @@
 ---
-- name: Set OS dependent variables
+- name: set OS dependent variables
   include_vars: '{{ item }}'
   with_first_found:
-   - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
-   - '{{ ansible_facts.distribution }}.yml'
-   - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
-   - '{{ ansible_facts.os_family }}.yml'
+    - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
+    - '{{ ansible_facts.distribution }}.yml'
+    - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+    - '{{ ansible_facts.os_family }}.yml'
 
 - name: get openssh-version
   command: ssh -V
@@ -37,7 +37,7 @@
     mode: '0600'
     owner: '{{ ssh_owner }}'
     group: '{{ ssh_group }}'
-    validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s'
+    validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s'
   notify: restart sshd
   when: ssh_server_hardening | bool
 
@@ -62,7 +62,7 @@
     group: '{{ ssh_group }}'
   when: ssh_client_hardening | bool
 
-- name: Check if {{ sshd_moduli_file }} contains weak DH parameters
+- name: check if {{ sshd_moduli_file }} contains weak DH parameters
   shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
   register: sshd_register_moduli
   changed_when: false

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,4 +1,3 @@
 ---
-
 - include_tasks: hardening.yml
   when: ssh_hardening_enabled | bool
diff --git a/tasks/selinux.yml b/tasks/selinux.yml
@@ -4,14 +4,13 @@
     name: '{{ ssh_selinux_packages }}'
     state: present
 
-- name: "authorize {{ ssh_server_ports }} ports for selinux"
+- name: authorize {{ ssh_server_ports }} ports for selinux
   seport:
     ports: '{{ item }}'
     proto: tcp
     setype: ssh_port_t
     state: present
-  with_items:
-    - "{{ ssh_server_ports }}"
+  loop: '{{ ssh_server_ports }}'
 
 - name: check if ssh_password module is already installed
   shell: 'set -o pipefail && semodule -l | grep ssh_password'
@@ -22,35 +21,41 @@
   changed_when: false
   check_mode: no
 
-# The following tasks only get executed when selinux is in state enforcing, UsePam is 'no' and the ssh_password module is installed.
-# See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
-- block:
-  - name: Create selinux custom policy drop folder
-    file:
-      path: '{{ ssh_custom_selinux_dir }}'
-      state: 'directory'
-      owner: 'root'
-      group: 'root'
-      mode: '0750'
-
-  - name: Distributing custom selinux policies
-    copy:
-      src: 'ssh_password'
-      dest: '{{ ssh_custom_selinux_dir }}'
-
-  - name: check and compile policy
-    command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
-
-  - name: create selinux policy module package
-    command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp  -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
-
-  - name: install selinux policy
-    command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
-
-  when: not ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') != 0
-
-# The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed.
-# See http://danwalsh.livejournal.com/12333.html for more info
+# The following tasks only get executed when selinux is in state enforcing,
+# UsePam is 'no' and the ssh_password module is not installed. See this issue for
+# more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
+- when:
+    - not (ssh_use_pam | bool)
+    - ('ssh_password' not in ssh_password_module.stdout)
+  block:
+    - name: create selinux custom policy drop folder
+      file:
+        path: '{{ ssh_custom_selinux_dir }}'
+        state: 'directory'
+        owner: 'root'
+        group: 'root'
+        mode: '0750'
+
+    - name: distributing custom selinux policies
+      copy:
+        src: 'ssh_password'
+        dest: '{{ ssh_custom_selinux_dir }}'
+
+    - name: check and compile policy
+      command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
+
+    - name: create selinux policy module package
+      command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp  -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
+
+    - name: install selinux policy
+      command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
+
+
+# The following tasks only get executed when selinux is installed, UsePam is
+# 'yes' and the ssh_password module is installed. See
+# http://danwalsh.livejournal.com/12333.html for more info
 - name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk
   command: semodule -r ssh_password
-  when: ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') == 0
+  when:
+    - ssh_use_pam | bool
+    - ('ssh_password' in ssh_password_module.stdout)
diff --git a/templates/authorized_principals.j2 b/templates/authorized_principals.j2
@@ -1,4 +1,4 @@
-# {{ansible_managed|comment}}
+{{ ansible_managed | comment }}
 
 {% for principal in item.principals %}
 {{ principal }}