Merge pull request #97 from dev-sec/ssh_moduli

Remove small dh primes
dev-sec · Mar 9, 2017 · 4f67096 · 4f67096
2 parents 98034c0 + bff2813
commit 4f67096
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 0 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -39,6 +39,7 @@ env:
 
   - distro: debian8
     version: latest
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
     init: /sbin/init
 
   - distro: debian9

diff --git a/README.md b/README.md
@@ -44,6 +44,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`sftp_enabled` | false | true to enable sftp configuration|
 |`sftp_chroot_dir` | /home/%u | change default sftp chroot location|
 |`ssh_client_roaming` | false | enable experimental client roaming|
+|`sshd_moduli_minimum` | 2048 | remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam|
 
 ## Example Playbook
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -140,3 +140,5 @@ ssh_kex_66_weak: "{{ ssh_kex_66_default + ['diffie-hellman-group14-sha1', 'diffi
 
 # directory where to store ssh_password policy
 ssh_custom_selinux_dir: '/etc/selinux/local-policies'
+
+sshd_moduli_minimum: 2048
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -15,6 +15,18 @@
   template: src='openssh.conf.j2' dest='/etc/ssh/ssh_config' mode=0644 owner=root group=root
   when: ssh_client_hardening
 
+- name: Check if /etc/ssh/moduli contains weak DH parameters
+  shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli
+  register: sshd_register_moduli
+  changed_when: false
+  always_run: True
+
+- name: remove all small primes
+  shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
+         [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
+  notify: restart sshd
+  when: sshd_register_moduli.stdout
+
 - name: test to see if selinux is running
   command: getenforce
   register: sestatus