Merge pull request #116 from dev-sec/finish_94

rndmh3ro · web-flow · commit bfafa96e0e33 · 2017-08-03T09:06:59.000+02:00
Finish 94
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -9,10 +9,6 @@ driver:
 transport:
   max_ssh_sessions: 5
 
-transport:
-  max_ssh_sessions: 5
-
-
 provisioner:
   name: ansible_playbook
   hosts: all
@@ -26,6 +22,7 @@ provisioner:
   http_proxy: <%= ENV['http_proxy'] || nil %>
   https_proxy: <%= ENV['https_proxy'] || nil %>
   playbook: default.yml
+  ansible_diff: true
   ansible_extra_flags:
     - "--skip-tags=sysctl"
 
diff --git a/README.md b/README.md
@@ -49,6 +49,18 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
 |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
 |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
+|`ssh_banner` | `false` | `true` to print a banner on login |
+|`ssh_client_hardening` | `true` | `false` to stop harden the client |
+|`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. |
+|`ssh_compression` | `false` | Specifies whether compression is enabled after the user has authenticated successfully. |
+|`ssh_max_auth_retries` | `2` | Specifies the maximum number of authentication attempts permitted per connection. |
+|`ssh_print_debian_banner` | `false` | `true` to print debian specific banner |
+|`ssh_server_enabled` | `true` | `false` to disable the opensshd server |
+|`ssh_server_hardening` | `true` | `false` to stop harden the server |
+|`ssh_server_match_group` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
+|`ssh_server_match_user` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
+|`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd |
+|`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
 |`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
 
 ## Example Playbook
diff --git a/default.yml b/default.yml
@@ -18,15 +18,42 @@
   vars:
     network_ipv6_enable: true
     ssh_allow_root_with_key: true
+    ssh_allow_tcp_forwarding: true
+    ssh_allow_agent_forwarding: true
+    ssh_server_permit_environment_vars: 'PWD'
+    ssh_client_alive_interval: 100
+    ssh_client_alive_count: 10
     ssh_client_password_login: true
     ssh_client_cbc_required: true
-    ssh_server_weak_hmac: true
     ssh_client_weak_kex: true
+    ssh_challengeresponseauthentication: true
+    ssh_compression: true
+    ssh_allow_users: 'root kitchen vagrant'
+    ssh_allow_groups: 'root kitchen vagrant'
+    ssh_deny_users: 'foo bar'
+    ssh_deny_groups: 'foo bar'
+    ssh_max_auth_retries: 10
+    ssh_permit_tunnel: true
+    ssh_print_motd: true
+    ssh_print_last_log: true
+    ssh_banner: true
+    ssh_server_password_login: true
+    ssh_server_enabled: false
+    ssh_server_weak_hmac: true
+    sftp_enabled: true
+    ssh_server_match_group:
+      - group: 'root'
+        rules: 'AllowTcpForwarding yes'
+    ssh_server_match_user:
+      - user: 'root'
+        rules: 'AllowTcpForwarding yes'
     ssh_remote_hosts:
       - names: ['example.com', 'example2.com']
         options: ['Port 2222', 'ForwardAgent yes']
       - names: ['example3.com']
         options: ['StrictHostKeyChecking no']
+    ssh_use_dns: true
+    ssh_use_pam: true
 
 - name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
   hosts: localhost
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,6 +1,15 @@
 # true if IPv6 is needed
 network_ipv6_enable: false              # sshd + ssh
 
+# true if sshd should be started and enabled
+ssh_server_enabled: true               # sshd
+
+# true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
+ssh_use_dns: false                      # sshd
+
+# true or value if compression is needed
+ssh_compression: false                  # sshd
+
 # For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.
 ssh_client_hardening: true          # ssh
 ssh_server_hardening: true          # sshd
@@ -96,6 +105,14 @@ sftp_chroot_dir: /home/%u
 # enable experimental client roaming
 ssh_client_roaming: false
 
+# list of hashes (containing user and rules) to generate Match User blocks for.
+ssh_server_match_user: false            # sshd
+
+# list of hashes (containing group and rules) to generate Match Group blocks for.
+ssh_server_match_group: false           # sshd
+
+ssh_server_permit_environment_vars: false
+
 
 ssh_ps53: 'yes'
 ssh_ps59: 'sandbox'
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,2 +1,3 @@
 - name: restart sshd
   service: name={{ sshd_service_name }} state=restarted
+  when: "(ssh_server_enabled|bool)"
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -7,15 +7,15 @@
 # ===================
 
 # Either disable or only allowssh root login via certificates.
-PermitRootLogin {{ 'without-password' if ssh_allow_root_with_key else 'no' }}
+PermitRootLogin {{ 'without-password' if (ssh_allow_root_with_key|bool) else 'no' }}
 
 # Define which port sshd should listen to. Default to `22`.
 {% for port in ssh_server_ports -%}
 Port {{port}}
 {% endfor %}
 
 # Address family should always be limited to the active network configuration.
-AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }}
+AddressFamily {{ 'any' if (network_ipv6_enable|bool) else 'inet' }}
 
 # Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
 {% for address in ssh_listen_to -%}
@@ -113,7 +113,6 @@ LogLevel VERBOSE
 UseLogin no
 UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
 
-PermitUserEnvironment no
 LoginGraceTime 30s
 MaxAuthTries {{ssh_max_auth_retries}}
 MaxSessions 10
@@ -128,12 +127,12 @@ IgnoreUserKnownHosts yes
 HostbasedAuthentication no
 
 # Enable PAM to enforce system wide rules
-UsePAM {{ 'yes' if ssh_use_pam else 'no' }}
+UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }}
 
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
-PasswordAuthentication {{ 'yes' if ssh_server_password_login else 'no' }}
+PasswordAuthentication {{ 'yes' if (ssh_server_password_login|bool) else 'no' }}
 PermitEmptyPasswords no
-ChallengeResponseAuthentication {{ 'yes' if ssh_challengeresponseauthentication else 'no' }}
+ChallengeResponseAuthentication {{ 'yes' if (ssh_challengeresponseauthentication|bool) else 'no' }}
 
 # Only enable Kerberos authentication if it is configured.
 KerberosAuthentication no
@@ -173,15 +172,15 @@ ClientAliveInterval {{ssh_client_alive_interval}}
 ClientAliveCountMax {{ssh_client_alive_count}}
 
 # Disable tunneling
-PermitTunnel {{ 'yes' if ssh_permit_tunnel else 'no' }}
+PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
 
 # Disable forwarding tcp connections.
 # no real advantage without denied shell access
-AllowTcpForwarding {{ 'yes' if ssh_allow_tcp_forwarding else 'no' }}
+AllowTcpForwarding {{ 'yes' if (ssh_allow_tcp_forwarding|bool) else 'no' }}
 
 # Disable agent formwarding, since local agent could be accessed through forwarded connection.
 # no real advantage without denied shell access
-AllowAgentForwarding {{ 'yes' if ssh_allow_agent_forwarding else 'no' }}
+AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }}
 
 # Do not allow remote port forwardings to bind to non-loopback addresses.
 GatewayPorts no
@@ -190,34 +189,50 @@ GatewayPorts no
 X11Forwarding no
 X11UseLocalhost yes
 
-# Look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
-UseDNS {{ 'yes' if ssh_use_dns else 'no' }}
+# User environment configuration
+# ==============================
+
+{% if ssh_server_permit_environment_vars %}
+PermitUserEnvironment yes
+{% for item in ssh_server_permit_environment_vars %}
+AcceptEnv {{ item }}
+{% endfor %}
+{% else %}
+PermitUserEnvironment no
+{% endif %}
 
 # Misc. configuration
 # ===================
 
-PrintMotd {{ 'yes' if ssh_print_motd else 'no' }}
+Compression {{ 'yes' if (ssh_compression|bool) else 'no' }}
+
+UseDNS {{ 'yes' if (ssh_use_dns|bool) else 'no' }}
+
+PrintMotd {{ 'yes' if (ssh_print_motd|bool) else 'no' }}
 
 {% if ansible_os_family != 'FreeBSD' %}
-PrintLastLog {{ 'yes' if ssh_print_last_log else 'no' }}
+PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }}
 {% endif %}
 
-Banner {{ '/etc/ssh/banner.txt' if ssh_banner else 'none' }}
+Banner {{ '/etc/ssh/banner.txt' if (ssh_banner|bool) else 'none' }}
 
 {% if ansible_os_family == 'Debian' %}
-DebianBanner {{ 'yes' if ssh_print_debian_banner else 'no' }}
+DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }}
 {% endif %}
 
 # Reject keys that are explicitly blacklisted
 RevokedKeys /etc/ssh/revoked_keys
 
 {% if sftp_enabled %}
+# SFTP matching configuration
+# ===========================
 # Configuration, in case SFTP is used
-## override default of no subsystems
-## Subsystem sftp /opt/app/openssh5/libexec/sftp-server
+# override default of no subsystems
+# Subsystem sftp /opt/app/openssh5/libexec/sftp-server
+
 Subsystem sftp internal-sftp -l INFO -f LOCAL6
-#
-## These lines must appear at the *end* of sshd_config
+
+# These lines must appear at the *end* of sshd_config
 Match Group sftponly
 ForceCommand internal-sftp -l INFO -f LOCAL6
 ChrootDirectory {{ sftp_chroot_dir }}
@@ -227,3 +242,24 @@ PasswordAuthentication no
 PermitRootLogin no
 X11Forwarding no
 {% endif %}
+
+{% if ssh_server_match_group %}
+# Group matching configuration
+# ============================
+
+{% for item in ssh_server_match_group %}
+Match Group {{ item.group }}
+    {{ item.rules | indent(4) }}
+{% endfor %}
+{% endif %}
+
+
+{% if ssh_server_match_user %}
+# User matching configuration
+# ===========================
+
+{% for item in ssh_server_match_user %}
+Match User {{ item.user }}
+    {{ item.rules | indent(4) }}
+{% endfor %}
+{% endif %}

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`- name: restart sshd`
`2`	`2`	`service: name={{ sshd_service_name }} state=restarted`
	`3`	`+ when: "(ssh_server_enabled\|bool)"`