From fdd8daef2b197aaec7dc4673f0d8bdf9cef6a6ad Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 22 May 2016 12:30:19 +0200 Subject: [PATCH 1/5] inital commit for debian 8 testing --- .kitchen.yml | 5 ----- templates/openssh.conf.j2 | 16 ++++++---------- templates/opensshd.conf.j2 | 16 ++++++---------- 3 files changed, 12 insertions(+), 25 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index d379f6e..b0d3b34 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -39,10 +39,6 @@ platforms: driver_config: box: oracle-6.5 box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box -- name: debian-6 - driver_config: - box: debian-6 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box - name: debian-7 driver_config: box: debian-7 @@ -58,4 +54,3 @@ suites: provisioner: ansible_version: 1.9.4 - name: ansible_latest - diff --git a/templates/openssh.conf.j2 b/templates/openssh.conf.j2 index 198187c..d240021 100644 --- a/templates/openssh.conf.j2 +++ b/templates/openssh.conf.j2 
@@ -47,13 +47,13 @@ StrictHostKeyChecking ask # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html) # {% if ssh_client_cbc_required -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%} + {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} Ciphers {{ ssh_ciphers_66_weak | join(',') }} {% else -%} Ciphers {{ ssh_ciphers_53_weak | join(',') }} {% endif %} {% else -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%} + {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} Ciphers {{ ssh_ciphers_66_default | join(',') }} {% else -%} Ciphers {{ ssh_ciphers_53_default | join(',') }} 
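Review bot: The new Debian half of the `Ciphers` condition compares `ansible_distribution_version >= '8'` as plain strings, so the match is lexicographic: `'8.4' >= '8'` and `'9.0' >= '8'` hold, but `'10.0' >= '8'` does not, and a Debian 10 host would silently fall back to the `ssh_ciphers_53_*` lists. The Debian branches this same patch removes further down keyed on `ansible_distribution_major_version`, so the hunk also changes which fact Debian is detected from. Prefer the version-aware filter that the tested Ansible 1.9.4 already provides, e.g. `(ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', '>='))`, and apply it to both the `cbc_required` and the default branch, which repeat the expression verbatim.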
@@ -65,22 +65,18 @@ StrictHostKeyChecking ask # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case. # {% if ssh_client_weak_hmac -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%} + {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} MACs {{ ssh_macs_66_weak | join(',') }} {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%} MACs {{ ssh_macs_53_default | join(',') }} - {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%} - MACs {{ ssh_macs_53_default | join(',') }} {% else -%} MACs {{ ssh_macs_59_weak | join(',') }} {% endif %} {% else -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%} + {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} MACs {{ ssh_macs_66_default | join(',') }} {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%} MACs {{ ssh_macs_53_default | join(',') }} - {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%} - MACs {{ ssh_macs_53_default | join(',') }} {% else -%} MACs {{ ssh_macs_59_default | join(',') }} {% endif %} 
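Review bot: Removing the two `Debian ... <= '6'` branches means a Debian 6 host no longer receives `ssh_macs_53_default` and instead falls through to the `ssh_macs_59_*` lists; the variable names suggest those lists contain MACs introduced after the OpenSSH 5.5 that Debian 6 ships, in which case ssh rejects the rendered config outright (the lists themselves are defined outside this diff, so I cannot confirm). Ending support for squeeze is reasonable, but nothing in this series says so, and a user who upgrades the role on a squeeze fleet discovers it only when connections fail. Please state it, e.g. a README line `Debian 6 (squeeze) is no longer supported; hosts still on it must pin an earlier release of this role.`, and consider a `fail:` task in the role's tasks that refuses to run on Debian older than 7 so the breakage is explicit rather than a broken config file.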
@@ -93,14 +89,14 @@ StrictHostKeyChecking ask # Weak kex is sometimes required if older package versions are used # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case. # -{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%} +{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} {% if ssh_client_weak_kex -%} KexAlgorithms {{ ssh_kex_66_weak | join(',') }} {% else -%} KexAlgorithms {{ ssh_kex_66_default | join(',') }} {% endif %} {% else -%} - {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%} + {% if ansible_os_family in ['Oracle Linux', 'RedHat'] -%} #KexAlgorithms {% elif ssh_client_weak_kex -%} KexAlgorithms {{ ssh_kex_59_weak | join(',') }} diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2 index 2582ac2..ea73357 100644 --- a/templates/opensshd.conf.j2 +++ b/templates/opensshd.conf.j2 
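Review bot: The rewritten `elif` now emits the commented-out `#KexAlgorithms` for every `RedHat`/`Oracle Linux` host regardless of release, whereas the MACs block in this same template gates its RedHat path on `ansible_distribution_major_version <= '6'`. On an EL7 host, whose OpenSSH 6.6 honours `KexAlgorithms`, the client therefore gets no key-exchange restriction at all and keeps the upstream defaults, including the SHA-1 group exchanges this role exists to turn off; `meta/main.yml` only declares EL 6, but nothing stops the role running on EL7, and the outcome there is silently weaker than on Debian/Ubuntu. Mirror the MACs guard, `{% if ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version | int <= 6 -%}`, so EL7 at least falls through to the `ssh_kex_59_*` lists (or add it to the 6.6 branch above, which its OpenSSH supports). The `{% endif %}` tags that close this block lie outside the hunk.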
@@ -51,13 +51,13 @@ LogLevel VERBOSE # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html) # {% if ssh_server_cbc_required -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%} + {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} Ciphers {{ ssh_ciphers_66_weak | join(',') }} {% else %} Ciphers {{ ssh_ciphers_53_weak | join(',') }} {% endif %} {% else -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%} + {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} Ciphers {{ ssh_ciphers_66_default | join(',') }} {% else -%} Ciphers {{ ssh_ciphers_53_default | join(',') }} 
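Review bot: This `Ciphers` selection now depends on a string comparison of distribution facts, and sshd refuses to start on a single cipher name it does not know (`Bad SSH2 cipher spec`), so a host whose facts do not match the assumed form turns into a daemon that never comes back after the restart handler and an operator locked out of the box. I cannot see the task that deploys this template; if it does not already do so, render it with `template: ... validate: '/usr/sbin/sshd -t -f %s'` so a bad algorithm list aborts the play before the running sshd is touched. Minor: the `{% else %}` in the `cbc_required` branch lacks the `-` whitespace control every sibling tag uses, which leaves a stray blank line in the rendered file.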
@@ -70,22 +70,18 @@ LogLevel VERBOSE # {% if ssh_server_weak_hmac -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%} + {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} MACs {{ ssh_macs_66_weak | join(',') }} {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%} MACs {{ ssh_macs_53_default | join(',') }} - {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%} - MACs {{ ssh_macs_53_default | join(',') }} {% else -%} MACs {{ ssh_macs_59_weak | join(',') }} {% endif %} {% else -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%} + {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} MACs {{ ssh_macs_66_default | join(',') }} {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%} MACs {{ ssh_macs_53_default | join(',') }} - {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%} - MACs {{ ssh_macs_53_default | join(',') }} {% else -%} MACs {{ ssh_macs_59_default | join(',') }} {% endif %} 
@@ -98,14 +94,14 @@ LogLevel VERBOSE # Weak kex is sometimes required if older package versions are used # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case. # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf -{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%} +{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} {% if ssh_server_weak_kex -%} KexAlgorithms {{ ssh_kex_66_weak | join(',') }} {% else -%} KexAlgorithms {{ ssh_kex_66_default | join(',') }} {% endif %} {% else -%} - {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%} + {% if ansible_os_family in ['Oracle Linux', 'RedHat'] -%} #KexAlgorithms {% elif ssh_server_weak_kex -%} KexAlgorithms {{ sshd_kex_59_weak | join(',') }} From ab3e9667a4ebe7843e40f462c78e4f6ce54bfdc7 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 7 Jun 2016 18:29:49 +0200 Subject: [PATCH 2/5] debian 8 support, verifier changes, metadata change * add support for debian 8 * cleanup kitchen.yml, add inspec support * remove oracle from meta file, bc it does not exist in ansible galaxy --- .kitchen.yml | 25 ++++++++++++++++++++++--- README.md | 33 ++++++++++++++++++++++++++++++--- meta/main.yml | 3 --- 3 files changed, 52 insertions(+), 9 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index b0d3b34..3d6a6f9 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -1,9 +1,9 @@ --- driver: name: vagrant + provisioner: name: ansible_playbook - test_repo_uri: https://github.com/hardening-io/tests-ssh-hardening.git hosts: all require_ansible_repo: false require_ansible_omnibus: true 
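Review bot: The `sshd_kex_59_weak` reference left in the `elif ssh_server_weak_kex` branch is named unlike every other list in this template (`ssh_kex_66_weak`, `ssh_kex_66_default`) and unlike the client template's `ssh_kex_59_weak`; if it is a typo rather than a deliberately separate variable (the defaults file is not in this diff), the template either fails on an undefined variable or renders a bare `KexAlgorithms` line that sshd rejects at start. With the RedHat/Debian-6 guard now simplified, this branch is exactly the path a Debian 7 host with `ssh_server_weak_kex: true` takes, so it is worth confirming; the fix, if the variable does not exist, is `KexAlgorithms {{ ssh_kex_59_weak | join(',') }}`. The closing tags of this block lie outside the hunk.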
@@ -11,9 +11,22 @@ provisioner: require_ruby_for_busser: false ansible_verbose: true ansible_diff: true +<<<<<<< 7d5e6960c817dfd191f1cb095bc237064424e8c4 roles_path: ../ansible-ssh-hardening/ playbook: default.yml +======= + hosts: all + roles_path: ../ansible-ssh-hardening/ + playbook: default.yml + +verifier: + name: inspec + sudo: true + inspec_tests: + - https://github.com/dev-sec/tests-ssh-hardening + +>>>>>>> debian 8 support, verifier changes, metadata change platforms: - name: ubuntu-12.04 driver_config: @@ -47,10 +60,16 @@ platforms: driver_config: box: debian-8 box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box -verifier: - name: inspec + suites: +<<<<<<< 7d5e6960c817dfd191f1cb095bc237064424e8c4 - name: ansible_1.9 provisioner: ansible_version: 1.9.4 - name: ansible_latest +======= +- name: ssh-ansible_1.9 + provisioner: + ansible_version: 1.9.4 +- name: ssh-ansible_latest +>>>>>>> debian 8 support, verifier changes, metadata change diff --git a/README.md b/README.md index 76e20c4..4f7dc59 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,7 @@ This role provides secure ssh-client and ssh-server configurations. * Ansible ## Role Variables +<<<<<<< 7d5e6960c817dfd191f1cb095bc237064424e8c4 | Name | Default Value | Description | | -------------- | ------------- | -----------------------------------| |`network_ipv6_enable` | false |true if IPv6 is needed| 
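Review bot: This hunk commits unresolved merge-conflict markers (`<<<<<<<`, `=======`, `>>>>>>>`) into `.kitchen.yml`, which is not valid YAML at this commit even though patches 3 and 4 of the series strip them again; please squash so no commit in history carries an unparseable test config. Separately, the new verifier pulls `inspec_tests` straight from `https://github.com/dev-sec/tests-ssh-hardening` with no ref and runs them with `sudo: true`, so whatever is on that repository's default branch at test time executes as root on the test VM and a compromised or merely changed upstream alters what "passing" means. Pin the tests to a tag or commit (kitchen-inspec accepts a `git:` source with a `ref:`) or vendor them into this repository.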
@@ -42,6 +43,35 @@ This role provides secure ssh-client and ssh-server configurations. |`sftp_enabled` | false | true to enable sftp configuration| |`sftp_chroot_dir` | /home/%u | change default sftp chroot location| |`ssh_client_roaming` | false | enable experimental client roaming| +======= +* ``network_ipv6_enable`` - true if IPv6 is needed +* ``ssh_client_cbc_required`` - true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available. +* ``ssh_server_cbc_required`` - true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available. +* ``ssh_client_weak_hmac`` - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled. +* ``ssh_server_weak_hmac`` - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled. +* ``ssh_client_weak_kex`` - true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled. +* ``ssh_server_weak_kex`` - true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled. 
+* ``ssh_server_ports: ['22']`` - ports to which ssh-server should listen to +* ``ssh_client_ports: ['22']`` - ports to which ssh-client should connect to +* ``ssh_listen_to: ['0.0.0.0']`` - one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons! +* ``ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']`` - Host keys to look for when starting sshd. +* ``ssh_client_alive_interval: 600`` +* ``ssh_client_alive_count: 3`` +* ``ssh_remote_hosts: []`` - one or more hosts, to which ssh-client can connect to. Default is empty, but should be configured for security reasons! +* ``ssh_allow_root_with_key`` - false to disable root login altogether. Set to true to allow root to login via key-based mechanism. +* ``ssh_allow_tcp_forwarding`` false to disable TCP Forwarding. Set to true to allow TCP Forwarding. +* ``ssh_allow_agent_forwarding`` false to disable Agent Forwarding. Set to true to allow Agent Forwarding. +* ``ssh_use_pam: false`` - false to disable pam authentication. +* ``ssh_deny_users: ''`` - if specified, login is disallowed for user names that match one of the patterns. +* ``ssh_allow_users: ''`` - if specified, login is allowed only for user names that match one of the patterns. +* ``ssh_deny_groups: ''`` - if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns. +* ``ssh_allow_groups: ''`` - if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. 
+* ``ssh_print_motd`` - false to disable printing of the MOTD +* ``ssh_print_last_log`` - false to disable display of last login information +* ``sftp_enabled`` - true to enable sftp configuration +* ``sftp_chroot_dir`` - change default sftp chroot location +* ``ssh_client_roaming`` - enable experimental client roaming +>>>>>>> debian 8 support, verifier changes, metadata change ## Example Playbook @@ -60,9 +90,6 @@ Next install test-kitchen: gem install bundler bundle install -# Fetch tests -bundle exec thor kitchen:fetch-remote-tests - # fast test on one machine bundle exec kitchen test default-ubuntu-1204 diff --git a/meta/main.yml b/meta/main.yml index 5c4f47f..7c0ac87 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -9,9 +9,6 @@ galaxy_info: - name: EL versions: - 6 - - name: Oracle Linux - versions: - - 6 - name: Ubuntu versions: - precise From aec52b0907693ede0b4a359b84822aaf5dd34943 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Wed, 8 Jun 2016 17:26:06 +0200 Subject: [PATCH 3/5] merge kitchen.yml --- .kitchen.yml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index 3d6a6f9..bf763ba 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -11,11 +11,6 @@ provisioner: require_ruby_for_busser: false ansible_verbose: true ansible_diff: true -<<<<<<< 7d5e6960c817dfd191f1cb095bc237064424e8c4 - roles_path: ../ansible-ssh-hardening/ - playbook: default.yml - -======= hosts: all roles_path: ../ansible-ssh-hardening/ playbook: default.yml @@ -26,7 +21,6 @@ verifier: inspec_tests: - https://github.com/dev-sec/tests-ssh-hardening ->>>>>>> debian 8 support, verifier changes, metadata change platforms: - name: ubuntu-12.04 driver_config: 
@@ -62,14 +56,7 @@ platforms: box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box suites: -<<<<<<< 7d5e6960c817dfd191f1cb095bc237064424e8c4 -- name: ansible_1.9 - provisioner: - ansible_version: 1.9.4 -- name: ansible_latest -======= - name: ssh-ansible_1.9 provisioner: ansible_version: 1.9.4 - name: ssh-ansible_latest ->>>>>>> debian 8 support, verifier changes, metadata change From 0d62d4148e5a6449864f7a5005dc0df995f216ab Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Wed, 8 Jun 2016 17:29:42 +0200 Subject: [PATCH 4/5] remove merge conflict --- README.md | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/README.md b/README.md index 4f7dc59..0b29248 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,6 @@ This role provides secure ssh-client and ssh-server configurations. * Ansible ## Role Variables -<<<<<<< 7d5e6960c817dfd191f1cb095bc237064424e8c4 | Name | Default Value | Description | | -------------- | ------------- | -----------------------------------| |`network_ipv6_enable` | false |true if IPv6 is needed| 
@@ -43,35 +42,6 @@ This role provides secure ssh-client and ssh-server configurations. |`sftp_enabled` | false | true to enable sftp configuration| |`sftp_chroot_dir` | /home/%u | change default sftp chroot location| |`ssh_client_roaming` | false | enable experimental client roaming| -======= -* ``network_ipv6_enable`` - true if IPv6 is needed -* ``ssh_client_cbc_required`` - true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available. -* ``ssh_server_cbc_required`` - true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available. -* ``ssh_client_weak_hmac`` - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled. -* ``ssh_server_weak_hmac`` - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled. -* ``ssh_client_weak_kex`` - true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled. -* ``ssh_server_weak_kex`` - true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled. 
-* ``ssh_server_ports: ['22']`` - ports to which ssh-server should listen to -* ``ssh_client_ports: ['22']`` - ports to which ssh-client should connect to -* ``ssh_listen_to: ['0.0.0.0']`` - one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons! -* ``ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']`` - Host keys to look for when starting sshd. -* ``ssh_client_alive_interval: 600`` -* ``ssh_client_alive_count: 3`` -* ``ssh_remote_hosts: []`` - one or more hosts, to which ssh-client can connect to. Default is empty, but should be configured for security reasons! -* ``ssh_allow_root_with_key`` - false to disable root login altogether. Set to true to allow root to login via key-based mechanism. -* ``ssh_allow_tcp_forwarding`` false to disable TCP Forwarding. Set to true to allow TCP Forwarding. -* ``ssh_allow_agent_forwarding`` false to disable Agent Forwarding. Set to true to allow Agent Forwarding. -* ``ssh_use_pam: false`` - false to disable pam authentication. -* ``ssh_deny_users: ''`` - if specified, login is disallowed for user names that match one of the patterns. -* ``ssh_allow_users: ''`` - if specified, login is allowed only for user names that match one of the patterns. -* ``ssh_deny_groups: ''`` - if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns. -* ``ssh_allow_groups: ''`` - if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. 
-* ``ssh_print_motd`` - false to disable printing of the MOTD -* ``ssh_print_last_log`` - false to disable display of last login information -* ``sftp_enabled`` - true to enable sftp configuration -* ``sftp_chroot_dir`` - change default sftp chroot location -* ``ssh_client_roaming`` - enable experimental client roaming ->>>>>>> debian 8 support, verifier changes, metadata change ## Example Playbook From a09eb519dc558d19f91a5f9925fa53cf20411779 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 13 Jun 2016 18:43:29 +0200 Subject: [PATCH 5/5] add parantheses --- templates/openssh.conf.j2 | 12 ++++++------ templates/opensshd.conf.j2 | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/templates/openssh.conf.j2 b/templates/openssh.conf.j2 index d240021..29c91e0 100644 --- a/templates/openssh.conf.j2 +++ b/templates/openssh.conf.j2 @@ -9,7 +9,7 @@ # =================== # Address family should always be limited to the active network configuration. -AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }} +AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }} # Restrict the following configuration to be limited to this Host. {% for host in ssh_remote_hosts -%} Host {{host}} 
@@ -47,13 +47,13 @@ StrictHostKeyChecking ask # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html) # {% if ssh_client_cbc_required -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} + {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} Ciphers {{ ssh_ciphers_66_weak | join(',') }} {% else -%} Ciphers {{ ssh_ciphers_53_weak | join(',') }} {% endif %} {% else -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} + {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} Ciphers {{ ssh_ciphers_66_default | join(',') }} {% else -%} Ciphers {{ ssh_ciphers_53_default | join(',') }} @@ -65,7 +65,7 @@ StrictHostKeyChecking ask # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case. # {% if ssh_client_weak_hmac -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} + {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} MACs {{ ssh_macs_66_weak | join(',') }} {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%} MACs {{ ssh_macs_53_default | join(',') }} 
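Review bot: The parenthesised condition is now repeated verbatim in both `Ciphers` branches here and again in the MACs and KEX blocks below — six copies per template, twelve across the two templates — so the next distribution added needs a dozen identical edits and a single missed copy silently mis-selects an algorithm list. Jinja lets you evaluate it once at the top of the template, `{% set ssh_openssh_66 = (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') %}`, and then write `{% if ssh_openssh_66 -%}` at each site; a `set_fact` task would let both templates share it. The parentheses themselves do not change behaviour, since Jinja already binds `and` tighter than `or`, so the change is purely for readability.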
@@ -73,7 +73,7 @@ StrictHostKeyChecking ask MACs {{ ssh_macs_59_weak | join(',') }} {% endif %} {% else -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} + {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} MACs {{ ssh_macs_66_default | join(',') }} {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%} MACs {{ ssh_macs_53_default | join(',') }} @@ -89,7 +89,7 @@ StrictHostKeyChecking ask # Weak kex is sometimes required if older package versions are used # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case. # -{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} +{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} {% if ssh_client_weak_kex -%} KexAlgorithms {{ ssh_kex_66_weak | join(',') }} {% else -%} diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2 index ea73357..d948e27 100644 --- a/templates/opensshd.conf.j2 +++ b/templates/opensshd.conf.j2 
@@ -51,13 +51,13 @@ LogLevel VERBOSE # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html) # {% if ssh_server_cbc_required -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} + {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} Ciphers {{ ssh_ciphers_66_weak | join(',') }} {% else %} Ciphers {{ ssh_ciphers_53_weak | join(',') }} {% endif %} {% else -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} + {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} Ciphers {{ ssh_ciphers_66_default | join(',') }} {% else -%} Ciphers {{ ssh_ciphers_53_default | join(',') }} @@ -70,7 +70,7 @@ LogLevel VERBOSE # {% if ssh_server_weak_hmac -%} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} + {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} MACs {{ ssh_macs_66_weak | join(',') }} {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%} MACs {{ ssh_macs_53_default | join(',') }} 
@@ -94,7 +94,7 @@ LogLevel VERBOSE # Weak kex is sometimes required if older package versions are used # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case. # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf -{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} +{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%} {% if ssh_server_weak_kex -%} KexAlgorithms {{ ssh_kex_66_weak | join(',') }} {% else -%}
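Review bot: Even with the parentheses, both halves of this `KexAlgorithms` condition are plain string comparisons, so Debian is matched lexicographically: `'9.1' >= '8'` is true but `'10.0' >= '8'` is false, and the server on a future Debian 10 would silently drop back to the 5.9-era KEX lists instead of the 6.6 ones (the Ubuntu half has the same shape; `'14.04'` against later releases happens to compare correctly). Ansible 1.9.4, which `.kitchen.yml` tests against, already ships the `version_compare` filter: `(ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', '>='))` fixes the Debian half, and the Ubuntu half can use the same filter with `'14.04'`. The `{% else %}`/`{% endif %}` that close this block lie outside the hunk.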