This repository has been archived by the owner on Dec 26, 2020. It is now read-only.

Handle a few deprecated OpenSSH options #160

Merged
merged 3 commits into from
Apr 20, 2018
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
Expand Up @@ -62,7 +62,7 @@ All tests will be reviewed internally for their validity and overall project dir

### Document your code

As code is more often read than written, please provide documentation in all projects.
As code is more often read than written, please provide documentation in all projects.

Adhere to the respective guidelines for documentation:

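Review bot: the CONTRIBUTING.md hunk shows the line `As code is more often read than written, please provide documentation in all projects.` as both removed and re-added with no visible textual difference, so the change is presumably trailing whitespace or a line ending; that is unrelated to the deprecated-OpenSSH-option handling in the PR title and would be clearer split into its own commit or at least called out in the commit message.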
2 changes: 1 addition & 1 deletion ansible.cfg
@@ -1,7 +1,7 @@
# config file for ansible -- http://ansible.com/
# ==============================================

# nearly all parameters can be overridden in ansible-playbook
# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
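Review bot: as with CONTRIBUTING.md, the ansible.cfg hunk removes and re-adds `# nearly all parameters can be overridden in ansible-playbook` with no visible difference, so this is a whitespace-only edit; it does not belong under a commit about OpenSSH options and should be separated or mentioned in the commit message so the whitespace change is not mistaken for a config change.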
5 changes: 4 additions & 1 deletion templates/openssh.conf.j2
Expand Up @@ -82,10 +82,11 @@ ForwardX11 no

# Never use host-based authentication. It can be exploited.
HostbasedAuthentication no
{% if sshd_version.stdout | float < 7.4 -%}
RhostsRSAAuthentication no

# Enable RSA authentication via identity files.
RSAAuthentication yes
{% endif %}

# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
PasswordAuthentication {{ 'yes' if ssh_client_password_login else 'no' }}
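Review bot: the new guard `{% if sshd_version.stdout | float < 7.4 -%}` compares the version string as a floating-point number, which is fragile: a two-digit minor version (a hypothetical `7.10`) would parse as `7.1` and wrongly land below `7.4`, and the `float` filter raises and aborts the whole template if `stdout` ever carries a non-numeric suffix. Ansible's `version_compare` filter (e.g. `sshd_version.stdout | version_compare('7.4', '<')`) does a proper version comparison and is the safer choice for every version gate added in this PR. Also worth a comment in the template: this is the client config (`openssh.conf.j2`), yet the gate keys off `sshd_version`; that is fine while `ssh` and `sshd` come from the same package, but the assumption should be stated.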
Expand All @@ -110,5 +111,7 @@ Compression yes
#EscapeChar ~
#VisualHostKey yes

{% if sshd_version.stdout | float <= 7.1 -%}
# Disable experimental client roaming. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled.
UseRoaming {{ 'yes' if ssh_client_roaming else 'no' }}
{% endif %}
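Review bot: the `{% if sshd_version.stdout | float <= 7.1 -%}` guard around `UseRoaming` carries the same float-parsing fragility as the first hunk, and the comment it wraps already states that roaming can disclose secrets to malicious servers; given that, consider rendering a fixed `UseRoaming no` inside the guard instead of keeping the `ssh_client_roaming` toggle, because once the option is removed from newer clients the only remaining effect of the toggle is to let an operator re-enable a known-dangerous feature on the old versions that still honour it.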
2 changes: 2 additions & 0 deletions templates/opensshd.conf.j2
Expand Up @@ -75,7 +75,9 @@ LogLevel VERBOSE
# --------------

# Secure Login directives.
{% if sshd_version.stdout | float < 7.5 -%}
UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
{% endif %}

LoginGraceTime 30s
MaxAuthTries {{ssh_max_auth_retries}}
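Review bot: the added `{% if sshd_version.stdout | float < 7.5 -%}` guard has the same float-comparison caveat as the client template and should use `version_compare` as well. While touching this block, note that the wrapped context line compares `ansible_distribution_major_version <= '6'` as strings, so a two-digit major version such as `'10'` sorts before `'6'` and would select `{{ssh_ps53}}`; the new version gate makes this mostly moot for modern releases, but casting with `| int` before the comparison is a cheap fix and avoids a surprising privilege-separation setting on any old-OpenSSH host with a two-digit distribution version.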