From 95650b67ba01706199af5d6e16223d85b2246dd4 Mon Sep 17 00:00:00 2001
From: Pascal Bach
Date: Fri, 30 Jun 2017 14:37:52 +0200
Subject: [PATCH] Add support to specify a list of revoked public keys

Signed-off-by: Pascal Bach
---
 README.md                  | 1 +
 defaults/main.yml          | 3 +++
 tasks/main.yml             | 5 +++++
 templates/opensshd.conf.j2 | 3 +++
 templates/revoked_keys.j2  | 4 ++++
 5 files changed, 16 insertions(+)
 create mode 100644 templates/revoked_keys.j2

diff --git a/README.md b/README.md
index a045739..0c3fe07 100644
--- a/README.md
+++ b/README.md
@@ -49,6 +49,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
 |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
 |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
+|`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
 
 ## Example Playbook
 
diff --git a/defaults/main.yml b/defaults/main.yml
index dafa4bb..5a15718 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -160,3 +160,6 @@ ssh_challengeresponseauthentication: false
 
 # look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
 ssh_use_dns: false
+
+# a list of public keys that are never accepted by the ssh server
+ssh_server_revoked_keys: []
diff --git a/tasks/main.yml b/tasks/main.yml
index 5df5b61..4bfbbae 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
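Review bot: The comment above `ssh_server_revoked_keys: []` does not say what form each entry must take, and templates/revoked_keys.j2 in this same commit writes every entry verbatim as one line of /etc/ssh/revoked_keys, so an entry that is only a fingerprint or a truncated key is, as far as I can tell, skipped by sshd as an unparseable line and revokes nothing. I would extend the comment to `# a list of public keys that are never accepted by the ssh server; each entry must be one complete public key line in authorized_keys format (e.g. 'ssh-rsa AAAA... comment')`. The sshd RevokedKeys file also accepts a binary KRL produced by ssh-keygen, which this plain-list template does not support, so it is worth stating that limitation here or in the README row.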
@@ -28,6 +28,11 @@
     ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
   when: sshd_version.stdout >= '6.3'
 
+- name: create revoked_keys and set permissions to root/600
+  template: src='revoked_keys.j2' dest='/etc/ssh/revoked_keys' mode=0600 owner="{{ ssh_owner }}" group="{{ ssh_group }}"
+  notify: restart sshd
+  when: ssh_server_hardening
+
 - name: create sshd_config and set permissions to root/600
   template: src='opensshd.conf.j2' dest='/etc/ssh/sshd_config' mode=0600 owner="{{ ssh_owner }}" group="{{ ssh_group }}" validate="/usr/sbin/sshd -T -f %s"
   notify: restart sshd
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
index d482c66..2a2065d 100644
--- a/templates/opensshd.conf.j2
+++ b/templates/opensshd.conf.j2
@@ -208,6 +208,9 @@ Banner {{ '/etc/ssh/banner.txt' if ssh_banner else 'none' }}
 DebianBanner {{ 'yes' if ssh_print_debian_banner else 'no' }}
 {% endif %}
 
+# Reject keys that are explicitly blacklisted
+RevokedKeys /etc/ssh/revoked_keys
+
 {% if sftp_enabled %}
 # Configuration, in case SFTP is used
 ## override default of no subsystems
diff --git a/templates/revoked_keys.j2 b/templates/revoked_keys.j2
new file mode 100644
index 0000000..ccf9b73
--- /dev/null
+++ b/templates/revoked_keys.j2
@@ -0,0 +1,4 @@
+# {{ansible_managed}}
+{% for key in ssh_server_revoked_keys %}
+{{key}}
+{% endfor %}
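Review bot: The new task writes /etc/ssh/revoked_keys only `when: ssh_server_hardening`, while the templates/opensshd.conf.j2 hunk in this commit emits `RevokedKeys /etc/ssh/revoked_keys` unconditionally, and sshd(8) documents that an unreadable RevokedKeys file makes sshd refuse public key authentication for all users; the `validate="/usr/sbin/sshd -T -f %s"` on the sshd_config task does not appear to check that the referenced file exists. Whether the sshd_config task carries the same `when` is not visible here (its remaining keys and the rest of the task list are outside the hunk), so if it is unconditional, any host rendered with `ssh_server_hardening: false` would lose key-based login on the next sshd restart. The simplest fix is to drop the `when: ssh_server_hardening` line from the new task so the file always exists alongside the config that references it; the alternative is to wrap the RevokedKeys lines in the template with the same condition. This is a fail-closed lockout rather than a fail-open weakness, but it should be chosen deliberately rather than depend on which task runs.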
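Review bot: The path /etc/ssh/revoked_keys is hard-coded both in the new `RevokedKeys /etc/ssh/revoked_keys` line and in the tasks/main.yml `dest='/etc/ssh/revoked_keys'` added by this commit, so the two can drift apart silently, and a drift produces the same all-users public-key lockout that an unreadable RevokedKeys file does. I would define the path once in defaults/main.yml (for example a new variable named along the lines of `ssh_server_revoked_keys_file`, value `'/etc/ssh/revoked_keys'`) and reference it from both the task and this line. The comment `# Reject keys that are explicitly blacklisted` would also be more precise as `# Reject public keys listed in the revoked keys file (populated from ssh_server_revoked_keys)`.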
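Review bot: `{{ansible_managed}}` and `{{key}}` in this new template omit the spaces inside the braces that the tasks/main.yml hunk uses (`{{ ssh_owner }}`, `{{ ssh_group }}`); I would write `{{ ansible_managed }}` and `{{ key }}` for consistency with the rest of the role. A short header comment stating the expected entry format would also help whoever populates the list, for example `# One OpenSSH public key per line (authorized_keys format); sshd rejects every key listed here.` placed directly under the ansible_managed line. Lines beginning with `#` are treated as comments by sshd when it reads this file, as the template's existing first line already relies on, so the extra comment line is safe.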