Ansible Ssh Hardening Versions Save

This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.

8.0.0

3 years ago

8.0.0 (2020-04-21)

Full Changelog

Breaking Changes:

We removed configuring 2fa, as it does not belong into this role (https://github.com/dev-sec/ansible-ssh-hardening/pull/269)
ssh_google_auth and ssh_pam_device are gone and replaced by sshd_authenticationmethods (https://github.com/dev-sec/ansible-ssh-hardening/pull/245/)
ssh_allow_tcp_forwarding is no longer a bool but a string because it accepts other values as yes/no (https://github.com/dev-sec/ansible-ssh-hardening/pull/257/)

Implemented enhancements:

Remove dependency on bash #265
Possibility to use other value than yes/no for AllowTCPforwarding #255
Add support for Debian Buster in ansible-ssh-hardening #248
Some options not configurable via the role #239
PermitUserEnvironment should not be conflated with AcceptEnv #232
Disable also dynamic MOTD via PAM if enabled - refs #271 #273 (ancoron)
Use sha2 HMACs on RHEL 6 / CentOS 6. #270 (foonix)
Removing 2fa #269 (dennisse)
Renaming Ansible variables discovered from systems #268 (PovilasGT)
Do not use bash to get ssh version #266 (kljensen)
Add 'all', 'local', 'yes', 'no' options support for AllowTcpForwarding variable #257 (brnck)
Support KEX for OpenSSH 8.0+ & quantum resistant KEX #254 (lunarthegrey)
SFTP: set default umask to 0027 #252 (Slamdunk)
Separate PermitUserEnviroment from AcceptEnv #251 (szEvEz)
Feature: Debian 10 (Buster) support #249 (jaredledvina)
fix broken packages, extend README with furhter development instructions #246 (szEvEz)
refactor authenticationmethod settings, allow user to set authenticat… #245 (szEvEz)
RHEL/OL/CentOS 8 support #242 (Furragen)
Added ssh_syslog_facility, ssh_log_level and ssh_strict_modes parameters #240 (bschonec)
set UsePAM to yes by default #233 (rndmh3ro)

Fixed bugs:

HostKey comment "# Req 20" breaks key based auth #262
SSH fails to start/connect if custom server ports is set on CentOS 7.6 #212
Google 2fa authentication problem #170
vars: remove empty main.yml file #274 (paulfantom)
Only manage moduli when hardening server #267 (jbronn)
Remove comment from sshd config HostKey param #263 (abtreece)

7.0.0

4 years ago

7.0.0 (2019-09-17)

Full Changelog

Implemented enhancements:

Add new option ssh_server_match_address #230
set UsePAM to yes by default #233 (rndmh3ro)

Fixed bugs:

Unable to connect after applying the role (Ubuntu 18.04, AWS EC2) #229

Closed issues:

Can't connect to new instance created from hardened image #189

Merged pull requests:

changed string comparison to version comparison #234 (gobind-singh)

6.2.0

4 years ago

6.2.0 (2019-08-07)

Full Changelog

Implemented enhancements:

added support for ssh\_server\_match\_address (#230) #231 (MatthiasLohr)

Closed issues:

Add new option ssh_server_match_address #230

6.1.3

4 years ago

6.1.3 (2019-06-09)

Full Changelog

This release is a bugfix-release that fixes deprecation warnings in Ansible 2.8.

Implemented enhancements:

Fix squash_actions deprecation in test playbooks #228 (Normo)
Fix deprecation warnings in Ansible 2.8 #227 (Normo)

Fixed bugs:

deprecation warnings in Ansible 2.8 #226

6.1.2

4 years ago

6.1.2 (2019-05-17)

Full Changelog

Fixed bugs:

sshd_custom_options used in ssh_config generation #224

Merged pull requests:

use correct variable ssh_custom_options in ssh_config template #225 (rndmh3ro)

6.1.1

4 years ago

6.1.1 (2019-05-07)

Full Changelog

Fixed bugs:

Missing indent for ChrootDirectory in Match Group sftponly #221

Merged pull requests:

fix indentation for matches #222 (rndmh3ro)

6.1.0

4 years ago

6.1.0 (2019-05-04)

Full Changelog

Implemented enhancements:

PermitRootLogin yes #190
Match Group' in configuration but 'user' not in connection test specification #188
Allow custom values #175
use selinux fact to check if selinux is used #220 (rndmh3ro)
Remove eol os and add fedora #218 (rndmh3ro)
document and move custom variables #217 (rndmh3ro)
fix: allow other ssh ports using selinux #214 (guilieb)
Make ansible-lint happy #204 (alexclear)
Fix ssh and sshd config files to satisfy inspec reqs on all Testkitchen setups #203 (alexclear)
enable ssh 7.7p1 support #202 (rndmh3ro)
Removed DEPRECATION WARNING for apt, using list instead of with_items #201 (jonaswre)

Fixed bugs:

Using more than one rule in a Group or User Match block? #207
fix multiple match rules not working #207 #208 (rndmh3ro)

6.0.0

5 years ago

6.0.0 (2018-11-18)

Full Changelog

Implemented enhancements:

Ubuntu 18.04 support #182
Update opensshd.conf.js #196 (ikr0m)

Fixed bugs:

GSSAPI support broken. Can't be enabled. #192
Unsupported option "rhostsrsaauthentication" "rsaauthentication" #184
Weak kex are controlled by wrong variable ? #174
Can't connect to server by SSH after applying this role #115

Closed issues:

Support StreamLocalBindUnlink #197
Add molecule testing #183

Merged pull requests:

Support for custom configuration #199 (MatthiasLohr)
parameterize PermitRootLogin #195 (rndmh3ro)
set 'GSSAPIAuthentication yes' if variable 'ssh_gssapi_support' is set to 'true' #194 (szEvEz)
Use ansible version compare module #187 (Neophy7e)
add ubuntu 18.04 support #186 (rndmh3ro)

5.0.0

5 years ago

5.0.0 (2018-09-16)

Full Changelog

Breaking Changes

Removed the following variables:

Name	Default Value	Description
`ssh_client_cbc_required`	false	true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
`ssh_server_cbc_required`	false	true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
`ssh_client_weak_hmac`	false	true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.
`ssh_server_weak_hmac`	false	true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.
`ssh_client_weak_kex`	false	true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.
`ssh_server_weak_kex`	false	true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.

And replaced them with:

Name	Default Value	Description
`ssh_macs`	[]	Change this list to overwrite macs. Defaults found in `defaults/main.yml`
`ssh_kex`	[]	Change this list to overwrite kexs. Defaults found in `defaults/main.yml`
`ssh_ciphers`	[]	Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`

Implemented enhancements:

Fixing the broken Ansible dependency mechanism #176
Include new baseline-tests #161
GlobalKnownHostsFile missing from ssh_config #155
Options not compatible with OpenSSH server 7.6 #151
Kitchen travis #180 (rndmh3ro)
update config of kex, macs, ciphers #179 (rndmh3ro)
add debian 9 and a comment #178 (rndmh3ro)
Dependency flag #177 (jcheroske)
Travis #173 (rndmh3ro)
OpenBSD Support #171 (jbronn)
Implement disabling chroot for sftp #166 (towo)
New tests #163 (rndmh3ro)
yaml-lint update, refactor tasks #162 (rndmh3ro)
Handle a few deprecated OpenSSH options #160 (ageis)
Added support for TrustedUserCAKeys and AuthorizedPrincipalsFile. #157 (gdelafond)
Adds sshd config for keyboard-interactive pam device #156 (rcII)
Use package state 'present' since 'installed' is deprecated #154 (Normo)
conform to current dev-sec/ssh-baseline #150 (alval5280)
new parameter: ssh_max_startups #149 (aeschbacher)
Update syntax to 2.4 #148 (thomasjpfan)
Amazonlinux-Testing #147 (rndmh3ro)
Fixed trailing whitespace #146 (zbrojny120)
Add support for Amazon Linux #145 (woneill)

Fixed bugs:

ssh_server_weak_kex variable is not used any where #167
opensshd.conf.j2 template type error #159
line 56: Bad SSH2 mac spec #135

Closed issues:

Travis & Debian 9 "Stretch" #158

Merged pull requests:

remove oracle7 from travis tests for the time being #181 (rndmh3ro)

4.4.0

6 years ago

4.4.0 (2017-12-29)

Full Changelog

Implemented enhancements:

Changes in selinux section to avoid confusion and some inconsistencies #127
Issue #137: Fix sshd_config's "Match Group sftponly" #138 (kekumu)
allow configuration of GatewayPorts #136 (pwyliu)
Added support for AuthorizedKeysFile config setting #132 (hyrsky)
corrected comments explaining the task's behaviour #131 (martinbydefault)
Add Two-Factor Authentication #123 (lazzurs)

Fixed bugs:

ssh_use_dns used twice in defaults/main.yml #129
line 56: Bad SSH2 mac spec #135

Closed issues:

coreos support? #142
UseLogin is deprecated on CentOS 7 #140
sftp Match Group settings overriding global sshd_config settings #137
get openssh-version fails on FreeBSD (with ansible 2.4.0.0) #133

Merged pull requests:

Remove deprecated UseLogin option #141 (syhe)
Macs kex ciphers #139 (rndmh3ro)
force /bin/sh when getting openssh-version #134 (gtz42)