update config of kex, macs, ciphers

.kitchen.yml

@@ -35,14 +35,22 @@ platforms:
   driver:
     image: rndmh3ro/docker-centos7-ansible:latest
     platform: centos
+    run_command: /sbin/init
+    provision_command:
+      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - systemctl enable sshd.service
 - name: oracle6-ansible-latest
   driver:
     image: rndmh3ro/docker-oracle6-ansible:latest
     platform: centos
 - name: oracle7-ansible-latest
   driver:
     image: rndmh3ro/docker-oracle7-ansible:latest
+    run_command: /sbin/init
     platform: centos
+    provision_command:
+      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - systemctl enable sshd.service
 - name: ubuntu1404-ansible-latest
   driver:
     image: rndmh3ro/docker-ubuntu1404-ansible:latest
@@ -51,6 +59,9 @@ platforms:
   driver:
     image: rndmh3ro/docker-ubuntu1604-ansible:latest
     platform: ubuntu
+    run_command: /sbin/init
+    provision_command:
+      - systemctl enable ssh.service
 - name: debian7-ansible-latest
   driver:
     image: rndmh3ro/docker-debian7-ansible:latest
@@ -63,10 +74,18 @@ platforms:
   driver:
     image: rndmh3ro/docker-debian9-ansible:latest
     platform: debian
+    run_command: /sbin/init
+    provision_command:
+      - apt install -y systemd-sysv
+      - systemctl enable ssh.service
 - name: amazon-ansible-latest
   driver:
     image: rndmh3ro/docker-amazon-ansible:latest
     platform: centos
+    run_command: /sbin/init
+    provision_command:
+      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - systemctl enable sshd.service
 
 verifier:
   name: inspec

.travis.yml

@@ -15,10 +15,10 @@ env:
     version: latest
     init: /sbin/init
 
-  - distro: oracle7
-    init: /usr/lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-    version: latest
+#  - distro: oracle7
+#    init: /usr/lib/systemd/systemd
+#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+#    version: latest
 
   - distro: ubuntu1604
     version: latest
@@ -35,17 +35,18 @@ env:
 
   - distro: debian8
     version: latest
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
     init: /sbin/init
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
   - distro: debian9
     version: latest
     init: /lib/systemd/systemd
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
   - distro: amazon
-    init: /sbin/init
+    init: /lib/systemd/systemd
     version: latest
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
 before_install:
   # Pull container

README.md

@@ -18,12 +18,6 @@ Warning: This role disables root-login on the target server! Please make sure yo
 | Name           | Default Value | Description                        |
 | -------------- | ------------- | -----------------------------------|
 |`network_ipv6_enable` | false |true if IPv6 is needed|
-|`ssh_client_cbc_required` | false |true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.|
-|`ssh_server_cbc_required` | false |true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.|
-|`ssh_client_weak_hmac` | false |true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.|
-|`ssh_server_weak_hmac` | false |true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.|
-|`ssh_client_weak_kex` | false |true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.|
-|`ssh_server_weak_kex` | false |true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.|
 |`ssh_server_ports` | ['22'] |ports on which ssh-server should listen|
 |`ssh_client_port` | '22' |port to which ssh-client should connect|
 |`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!|
@@ -76,6 +70,9 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
 |`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
 |`ssh_max_startups` | '10:30:100' | Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.|
+|`ssh_macs` | [] | Change this list to overwrite macs. Defaults found in `defaults/main.yml` |
+|`ssh_kex` | [] | Change this list to overwrite kexs. Defaults found in `defaults/main.yml` |
+|`ssh_ciphers` | [] | Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` |
 
 ## Example Playbook
 
@@ -149,8 +146,6 @@ Always look into log files first and if possible look at the negotation between
 
 We have seen some issues in applications (based on python and ruby) that are due to their use of an outdated crypto set. This collides with this hardening module, which reduced the list of ciphers, message authentication codes (MACs) and key exchange (KEX) algorithms to a more secure selection.
 
-If you find this isn't enough, feel free to activate the attributes `cbc_requires` for ciphers, `weak_hmac` for MACs and `weak_kex`for KEX in the variables `ssh_client` or `ssh_server` based on where you want to support them.
-
 **After using the role Ansibles template/copy/file module does not work anymore!**
 
 This role by default deactivates SFTP. Ansible uses by default SFTP to transfer files to the remote hosts. You have to set `scp_if_ssh = True` in your ansible.cfg. This way Ansible uses SCP to copy files. Alternatively you can enable SFTP again by setting `sftp_enabled` to `true`.

defaults/main.yml

@@ -14,18 +14,6 @@ ssh_compression: false                  # sshd
 ssh_client_hardening: true          # ssh
 ssh_server_hardening: true          # sshd
 
-# true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
-ssh_client_cbc_required: false          # ssh
-ssh_server_cbc_required: false          # sshd
-
-# true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.
-ssh_client_weak_hmac: false             # ssh
-ssh_server_weak_hmac: false             # sshd
-
-# true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.
-ssh_client_weak_kex: false              # ssh
-ssh_server_weak_kex: false              # sshd
-
 # If true, password login is allowed
 ssh_client_password_login: false          # ssh
 ssh_server_password_login: false          # sshd
@@ -184,8 +172,6 @@ ssh_macs_59_default:
   - hmac-sha2-256
   - hmac-ripemd160
 
-ssh_macs_59_weak: "{{ ssh_macs_59_default + ['hmac-sha1'] }}"
-
 ssh_macs_66_default:
   - hmac-sha2-512-etm@openssh.com
   - hmac-sha2-256-etm@openssh.com
@@ -200,15 +186,11 @@ ssh_macs_76_default:
   - hmac-sha2-512
   - hmac-sha2-256
 
-ssh_macs_66_weak: "{{ ssh_macs_66_default + ['hmac-sha1'] }}"
-
 ssh_ciphers_53_default:
   - aes256-ctr
   - aes192-ctr
   - aes128-ctr
 
-ssh_ciphers_53_weak: "{{ ssh_ciphers_53_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"
-
 ssh_ciphers_66_default:
   - chacha20-poly1305@openssh.com
   - aes256-gcm@openssh.com
@@ -217,19 +199,13 @@ ssh_ciphers_66_default:
   - aes192-ctr
   - aes128-ctr
 
-ssh_ciphers_66_weak: "{{ ssh_ciphers_66_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"
-
 ssh_kex_59_default:
   - diffie-hellman-group-exchange-sha256
 
-ssh_kex_59_weak: "{{ ssh_kex_59_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"
-
 ssh_kex_66_default:
   - curve25519-sha256@libssh.org
   - diffie-hellman-group-exchange-sha256
 
-ssh_kex_66_weak: "{{ ssh_kex_66_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"
-
 # directory where to store ssh_password policy
 ssh_custom_selinux_dir: '/etc/selinux/local-policies'
 
@@ -241,3 +217,7 @@ ssh_challengeresponseauthentication: false
 
 # a list of public keys that are never accepted by the ssh server
 ssh_server_revoked_keys: []
+
+# Set to false to turn the role into a no-op. Useful when using
+# the Ansible role dependency mechanism.
+ssh_hardening_enabled: true

handlers/main.yml

@@ -1,3 +1,4 @@
 - name: restart sshd
   service: name={{ sshd_service_name }} state=restarted
   when: "(ssh_server_enabled|bool)"
+  become: yes