Merge pull request #245 from szEvEz/refactor-authentication-methods

refactor authenticationmethod settings, allow user to set authenticat…
dev-sec · Oct 13, 2019 · a5a1886 · a5a1886
2 parents b6f947c + 686972f
commit a5a1886
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -54,8 +54,6 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
 |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
 |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
-|`ssh_google_auth` | false | `true` to enable google authenticator based TOTP 2FA |
-|`ssh_pam_device` | false | `true` to enable  public key auth with pam device 2FA |
 |`ssh_banner` | `false` | `true` to print a banner on login |
 |`ssh_client_hardening` | `true` | `false` to stop harden the client |
 |`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. |
@@ -79,6 +77,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`sshd_syslog_facility` | 'AUTH' | The facility code that is used when logging messages from sshd |
 |`sshd_log_level` | 'VERBOSE' | the verbosity level that is used when logging messages from sshd | 
 |`sshd_strict_modes` | 'yes' | Check file modes and ownership of the user's files and home directory before accepting login |
+|`sshd_authenticationmethods` | `publickey` | Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml`
 
 ## Configuring settings not listed in role-variables
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -67,11 +67,8 @@ ssh_pam_support: true
 # false to disable pam authentication.
 ssh_use_pam: true # sshd
 
-# false to disable google 2fa authentication
-ssh_google_auth: false # sshd
-
-# false to disable pam device 2FA input
-ssh_pam_device: false # sshd
+# specify AuthenticationMethods
+sshd_authenticationmethods: 'publickey'
 
 # true if SSH support GSSAPI
 ssh_gssapi_support: false

diff --git a/tasks/hardening.yml b/tasks/hardening.yml
@@ -69,7 +69,6 @@
   when:
     - ssh_use_pam | bool
     - ssh_challengeresponseauthentication | bool
-    - ssh_google_auth | bool
 
 - name: include selinux specific tasks
   include_tasks: selinux.yml

diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -107,14 +107,11 @@ HostbasedAuthentication no
 {% if ssh_pam_support -%}
 UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }}
 {% endif %}
-{% if ssh_google_auth %}
-# Force public key auth then ask for google auth code
-AuthenticationMethods publickey,keyboard-interactive
-{% endif %}
 
-# Force public key auth then ask for pam device input
-{% if ssh_pam_device %}
-AuthenticationMethods publickey,keyboard-interactive:pam
+# Set AuthenticationMethods per default to publickey
+# AuthenticationMethods was introduced in OpenSSH 6.2 - https://www.openssh.com/txt/release-6.2
+{% if sshd_version.stdout is version('6.2', '>=') %}
+AuthenticationMethods {{ sshd_authenticationmethods }}
 {% endif %}
 
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.