
Commit 5c68c65

Merge pull request #120 from bachp/revoked-keys
Add support to specify a list of revoked public keys
2 parents 6b782ef + 95650b6 commit 5c68c65


5 files changed

+16
-0
lines changed


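--- a/README.md
+++ b/README.md
@@ -49,6 +49,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
 |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
 |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
+|`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
 
 ## Example Playbook
 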
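--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -160,3 +160,6 @@ ssh_challengeresponseauthentication: false
 
 # look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
 ssh_use_dns: false
+
+# a list of public keys that are never accepted by the ssh server
+ssh_server_revoked_keys: []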
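Review bot: The comment above `ssh_server_revoked_keys` states the intent but not the expected shape of each entry, and since the role copies every entry verbatim into the file that sshd reads via RevokedKeys, a malformed entry silently produces a useless revocation line. I would extend the comment to `# a list of public keys that are never accepted by the ssh server; one full public key per entry, written as it would appear in an authorized_keys line`. The exact format sshd accepts in that file should be confirmed against the sshd_config(5) RevokedKeys entry before wording it as a guarantee.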

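--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -28,6 +28,11 @@
 ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
 when: sshd_version.stdout >= '6.3'
 
+- name: create revoked_keys and set permissions to root/600
+template: src='revoked_keys.j2' dest='/etc/ssh/revoked_keys' mode=0600 owner="{{ ssh_owner }}" group="{{ ssh_group }}"
+notify: restart sshd
+when: ssh_server_hardening
+
 - name: create sshd_config and set permissions to root/600
 template: src='opensshd.conf.j2' dest='/etc/ssh/sshd_config' mode=0600 owner="{{ ssh_owner }}" group="{{ ssh_group }}" validate="/usr/sbin/sshd -T -f %s"
 notify: restart sshd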
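Review bot: The new revoked_keys task is gated on `when: ssh_server_hardening`, but the `RevokedKeys /etc/ssh/revoked_keys` directive added in templates/opensshd.conf.j2 is emitted unconditionally; sshd refuses public-key authentication for every user when the RevokedKeys file cannot be read, so a host that receives the rendered sshd_config without this file loses key-based login. I cannot see from the hunk whether the sshd_config task is gated on the same variable (any `when:` line for it is outside the hunk), so either guard the directive in the template with `{% if ssh_server_revoked_keys %}` … `{% endif %}` or make both tasks share one condition, and state that coupling in a comment on the new task. The `validate="/usr/sbin/sshd -T -f %s"` on the sshd_config task checks the configuration parse and will most likely not report a missing revoked_keys file, so this would not be caught at deploy time. The same point applies to the templates/opensshd.conf.j2 hunk below.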

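--- a/templates/opensshd.conf.j2
+++ b/templates/opensshd.conf.j2
@@ -208,6 +208,9 @@ Banner {{ '/etc/ssh/banner.txt' if ssh_banner else 'none' }}
 DebianBanner {{ 'yes' if ssh_print_debian_banner else 'no' }}
 {% endif %}
 
+# Reject keys that are explicitly blacklisted
+RevokedKeys /etc/ssh/revoked_keys
+
 {% if sftp_enabled %}
 # Configuration, in case SFTP is used
 ## override default of no subsystems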

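--- a/templates/revoked_keys.j2
+++ b/templates/revoked_keys.j2
@@ -0,0 +1,4 @@
+# {{ansible_managed}}
+{% for key in ssh_server_revoked_keys %}
+{{key}}
+{% endfor %}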
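Review bot: The new template writes `{{key}}` and `{{ansible_managed}}` without the inner spaces that the rest of the role uses (`{{ ssh_owner }}`, `{{ ssh_group }}` in tasks/main.yml); for consistency I would write `# {{ ansible_managed }}` and `{{ key }}`. Each entry is also emitted verbatim, so a value with surrounding whitespace or an embedded newline lands in the file as-is and is not obviously rejected by sshd; `{{ key | trim }}` keeps the common case tidy, though the header comment should say that entries are expected to be single-line public keys, since the template itself does no validation.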
