Regenerate RSA key with size 4096 bits #376
Conversation
|
This is a good addition. However we should use the https://docs.ansible.com/ansible/latest/collections/community/crypto/openssh_keypair_module.html module for that? @micheelengronne should we add this to the ssh baseline? |
I replaced the shell module with the mentioned module as it provides a better and more reliable interface, but one problem occurred in the case of idempotency, since the openssh_keypair module needs to read the key to provide idempotency (refer to the screenshot attached), we need to set required ownership and group based on specific OS vars and this one is resolved with OS specific vars: thank you for your suggestion.
|
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
|
@rndmh3ro @micheelengronne |
|
I'll have to take a look. Didn't have time yet |
|
NP, thank you. |
|
@rndmh3ro I think so. The ssh-baseline should reflect the current secure standards first. |
| path: "{{ ssh_host_keys_dir }}/ssh_host_rsa_key" | ||
| owner: "{{ ssh_host_keys_owner }}" | ||
| group: "{{ ssh_host_keys_group }}" | ||
| mode: "0600" |
There was a problem hiding this comment.
I found some references, that we need read access for group on RHEL systems on this file, making it 0640 .
There was a problem hiding this comment.
You're right. I fixed it in the last commit.
|
PR for baseline is open dev-sec/ssh-baseline#188 |
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
|
Great, thank you! |
Thank you all. |
* regenerate RSA key with size 4096 bits Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com> * fixed lint problem Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com> * fixed E301 lint error Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com> * added host keys related vars Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com> * used openssh_keypair module Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com> * changed RSA private key mode to 0640 Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com> * specified condition to prevent wrong file mode on debian-based OS Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
…4096 bits keypair - ref. dev-sec/ansible-collection-hardening#376 > According to NIST standards, achieving a security strength of 128 (2019 - 2030 & beyond) requires a factoring modulus with a length of at least 3072 bits, and since there is no major performance difference between RSA of size 2048 bits and RSA of size 4096 bits keys, it's better to ship SSH with RSA key of size 4096 bits. - https://www.keylength.com/en/4/
According to NIST standards, achieving a security strength of 128 (2019 - 2030 & beyond) requires a factoring modulus with a length of at least 3072 bits, and since there is no major performance difference between RSA of size 2048 bits and RSA of size 4096 bits keys, it's better to ship SSH with RSA key of size 4096 bits.