This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.
`ssh_google_auth` and `ssh_pam_device` are gone and replaced by `sshd_authenticationmethods` (https://github.com/dev-sec/ansible-ssh-hardening/pull/245/)
`ssh_allow_tcp_forwarding` is no longer a bool but a string, because it accepts other values besides yes/no (https://github.com/dev-sec/ansible-ssh-hardening/pull/257/)
Implemented enhancements:
Fixed bugs:
Closed issues:
Merged pull requests:
Implemented enhancements:
`ssh_server_match_address` (#230) #231 (MatthiasLohr)
Closed issues:
Removed the following variables:
Name | Default Value | Description |
---|---|---|
`ssh_client_cbc_required` | false | true if CBC for ciphers is required. This is usually only necessary if older M2M mechanisms that don't have any of the configured secure ciphers enabled need to communicate with SSH. CBC is a weak alternative. Anything weaker should be avoided and is thus not available. |
`ssh_server_cbc_required` | false | true if CBC for ciphers is required. This is usually only necessary if older M2M mechanisms that don't have any of the configured secure ciphers enabled need to communicate with SSH. CBC is a weak alternative. Anything weaker should be avoided and is thus not available. |
`ssh_client_weak_hmac` | false | true if weaker HMAC mechanisms are required. This is usually only necessary if older M2M mechanisms that don't have any of the configured secure HMACs enabled need to communicate with SSH. |
`ssh_server_weak_hmac` | false | true if weaker HMAC mechanisms are required. This is usually only necessary if older M2M mechanisms that don't have any of the configured secure HMACs enabled need to communicate with SSH. |
`ssh_client_weak_kex` | false | true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary if older M2M mechanisms that don't have any of the configured secure KEXs enabled need to communicate with SSH. |
`ssh_server_weak_kex` | false | true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary if older M2M mechanisms that don't have any of the configured secure KEXs enabled need to communicate with SSH. |
And replaced them with:
Name | Default Value | Description |
---|---|---|
`ssh_macs` | [] | Change this list to overwrite MACs. Defaults found in defaults/main.yml |
`ssh_kex` | [] | Change this list to overwrite KEXs. Defaults found in defaults/main.yml |
`ssh_ciphers` | [] | Change this list to overwrite ciphers. Defaults found in defaults/main.yml |
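With the boolean switches gone, an override list can silently reintroduce the algorithm classes they used to gate. The following check, added here as an example and not part of the role, scans a set of role variables for CBC ciphers, weak HMACs and weak KEX entries in `ssh_ciphers`, `ssh_macs` and `ssh_kex`, and also catches `ssh_allow_tcp_forwarding` given as a YAML bool instead of a string. The weak-name patterns and the sample variables are constructed for illustration.

```python
import re

# Algorithm-name patterns (constructed for this example) covering the CBC,
# weak-HMAC and weak-KEX classes that the removed *_cbc_required,
# *_weak_hmac and *_weak_kex switches used to gate. Adjust to your policy.
WEAK_PATTERNS = {
    "ssh_ciphers": [r"-cbc$", r"^arcfour", r"^3des-", r"^blowfish-", r"^cast128-"],
    "ssh_macs": [r"^hmac-md5", r"^hmac-sha1(-96)?$", r"^hmac-ripemd160", r"-96$"],
    "ssh_kex": [r"^diffie-hellman-group1-", r"^diffie-hellman-group14-sha1$",
                r"^diffie-hellman-group-exchange-sha1$"],
}

# AllowTcpForwarding keywords accepted by sshd; the role variable is a string now.
TCP_FORWARDING_VALUES = {"yes", "no", "local", "remote", "all"}


def weak_entries(role_vars):
    """Return {var_name: [algorithms]} for override lists that contain a weak entry."""
    findings = {}
    for var, patterns in WEAK_PATTERNS.items():
        algorithms = role_vars.get(var) or []
        hits = [a for a in algorithms if any(re.search(p, a) for p in patterns)]
        if hits:
            findings[var] = hits
    return findings


def tcp_forwarding_problem(role_vars):
    """Return a message if ssh_allow_tcp_forwarding is not a valid string, else None."""
    if "ssh_allow_tcp_forwarding" not in role_vars:
        return None
    value = role_vars["ssh_allow_tcp_forwarding"]
    if isinstance(value, bool):
        # An unquoted yes/no in YAML is parsed as a bool; the role expects a string.
        return "ssh_allow_tcp_forwarding must be a quoted string, not a bool"
    if not isinstance(value, str) or value not in TCP_FORWARDING_VALUES:
        return "ssh_allow_tcp_forwarding must be one of: " + ", ".join(sorted(TCP_FORWARDING_VALUES))
    return None


# Constructed sample of role variables after a migration from the removed switches.
SAMPLE_VARS = {
    "ssh_allow_tcp_forwarding": True,   # unquoted "yes" in YAML ends up as a bool
    "ssh_ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"],
    "ssh_macs": ["hmac-sha2-512-etm@openssh.com", "hmac-sha1"],
    "ssh_kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group1-sha1"],
}
```

Run `weak_entries(SAMPLE_VARS)` and `tcp_forwarding_problem(SAMPLE_VARS)` over your own vars dict (for example one loaded from group_vars) before applying the role.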