Ansible Ssh Hardening Versions Save

This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.

4.3.1

6 years ago

4.3.1 (2017-08-14)

Full Changelog

Implemented enhancements:

Remove duplicate ssh_use_dns #130 (MagnusEnger)

Fixed bugs:

ssh_use_dns used twice in defaults/main.yml #129

Closed issues:

role creates duplicate parameter/values after run [#124](https://github.com/dev-sec/ansible-ssh-hardening/issues/124

4.3.0

6 years ago

4.3.0 (2017-08-03)

Full Changelog

Implemented enhancements:

Fix ansible.cfg settings #122 (fazlearefin)
Finish 94 #116 (rndmh3ro)

This new version introduces many new variables! See the following list for details:

Name	Default Value	Description
`ssh_banner`	`false`	`true` to print a banner on login
`ssh_client_hardening`	`true`	`false` to stop harden the client
`ssh_client_port`	`'22'`	Specifies the port number to connect on the remote host.
`ssh_compression`	`false`	Specifies whether compression is enabled after the user has authenticated successfully.
`ssh_max_auth_retries`	`2`	Specifies the maximum number of authentication attempts permitted per connection.
`ssh_print_debian_banner`	`false`	`true` to print debian specific banner
`ssh_server_enabled`	`true`	`false` to disable the opensshd server
`ssh_server_hardening`	`true`	`false` to stop harden the server
`ssh_server_match_group`	''	Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
`ssh_server_match_user`	''	Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
`ssh_server_permit_environment_vars`	`false`	`true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd
`ssh_use_dns`	`false`	Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address.

Merged pull requests:

Don't overwrite ssh_host_key_files if set manually #125 (oakey-b1)
Add comment filter to {{ansible_managed}} string #121 (fazlearefin)

4.2.0

6 years ago

4.2.0 (2017-06-30)

Full Changelog

Implemented enhancements:

Add support to specify a list of revoked public keys #120 (bachp)
use package instead of yum so the operation works on Fedora #119 (stenwt)

Fixed bugs:

fails in --check mode #111

Merged pull requests:

Do not use shell when not needed + Lint whitespaces #118 (krhubert)

4.1.2

6 years ago

4.1.2 (2017-05-31)

Full Changelog

Implemented enhancements:

added check_mode: no to "get openssh-version" task, so it won't fail … #117 (wschaft)

Fixed bugs:

User login failed after running this module #114
fails in --check mode #111

Closed issues:

Update readme to include baselines #110

4.1.1

6 years ago

4.1.1 (2017-05-18)

Full Changelog

Implemented enhancements:

fix validation error #113 (pwyliu)

Fixed bugs:

fix validation error #113 (pwyliu)

4.1.0

7 years ago

4.1.0 (2017-05-09)

Full Changelog

Implemented enhancements:

Provide option to allow password server login #106
Deprecation warning always_run #82
Added support for UseDNS config switch #109 #108 (ftaeger)

Fixed bugs:

create ssh_config and set permissions to root/644 step repeated #104

Merged pull requests:

Added support for PermitTunnel config switch #112 (fti7)
Adds option to enable password based authentication on the server #107 (colin-nolan)

4.0.0

7 years ago

4.0.0 (2017-04-22)

Full Changelog

Breaking Changes:

remove support for ansible 1.9 #87 (rndmh3ro)
- Ansible 1.9 is not supported anymore
Change the ssh_client_ports list variable into a simple non-list variable named ssh_client_port. #84 (fullyint)
- Before:
```
  {% for port in ssh_client_ports -%}
  Port {{port}}
  {% endfor %}
```
- After:
```
   Port {{ ssh_client_port }} 
```

Fix ssh config to handle custom options per Host #83 (fullyint)

Before:

  # one or more hosts, to which ssh-client can connect to. Default is empty, but should be configured for security reasons!
  ssh_remote_hosts: []           # ssh

After:

  # Hosts with custom options.            # ssh
  # Example:
  # ssh_remote_hosts:
  #   - names: ['example.com', 'example2.com']
  #     options: ['Port 2222', 'ForwardAgent yes']
  #   - names: ['example3.com']
  #     options: ['StrictHostKeyChecking no']
  ssh_remote_hosts: []

Implemented enhancements:

Use different Hostkeys according to installed ssh version #99 (rndmh3ro)
Remove small dh primes #97 (rndmh3ro)
Add Ed25519 SSH host key to match ssh-baseline #96 (techraf)
Add support for FreeBSD OpenSSH server and client #95 (jbenden)
Defaults: Remove DSA from SSH host keys to match ssh-baseline profile #92 (techraf)
make ChallengeResponseAuthentication configurable #85 (rndmh3ro)

Fixed bugs:

SELinux-specific task still runs on SELinux-disabled systems #74
List only one Port in ssh config #84 (fullyint)
Fix ssh config to handle custom options per Host #83 (fullyint)

Closed issues:

Should compression be opt-in? #90
The role fails when conditionally included #86

Merged pull requests:

remove duplicate section #105 (rndmh3ro)
Fix ssh_server_ports and ssh_client_ports documentation bug #80 (kivilahtio)

Other improvements:

Accommodate missing plugins in kitchen_vagrant_block.rb #100 (fullyint)
Replace deprecated always_run with check_mode #93 (jbenden)
use new docker images #91 (rndmh3ro)
use centos 7 in vagrant, limit ssh conns #88 (rndmh3ro)

3.2.0

7 years ago

3.2.0 (2016-10-24)

Full Changelog

Implemented enhancements:

CentOS 7 selinux dependencies #76
Parameterise Banner and DebianBanner as defaults #77 (tsenart)

Fixed bugs:

Some tasks are always run even if they are not needed #78
Selinux issue #75
Running the tests locally #61
SELinux-specific task still runs on SELinux-disabled systems #74

Closed issues:

Applied-Crypto-Hardening project and new cyphers. #28

Merged pull requests:

install selinux dependencies, check for already installed semodule #79 (rndmh3ro)

3.1.0

7 years ago

Full Changelog

Implemented enhancements:

Use new ciphers, kex, macs and priv separation sandbox for redhat family 7 #73 (atomic111)
add docker support #71 (rndmh3ro)
add always_run: true to task. fix #64 #69 (rndmh3ro)
Debian8 #68 (rndmh3ro)
Fixed KexAlgorithms Conditional Statement #66 (cjsheets)
Moves vars to defaults #60 (conorsch)

Closed issues:

semodule ssh_password error on AWS Centos 7 #64
Add Xenial / Ubuntu 16.04 LTS to meta/main.yml #63
ssh\_server\_ports a bit misleading in the vars section? #62
sftp_enabled: false will break Ansible's template module #55
Move cipher/kex/mac vars to defaults #53

Merged pull requests:

Add SCP/SFTP to FAQ #58 (rndmh3ro)

3.0.0

8 years ago

Full Changelog

Implemented enhancements:

Added sftp_enabled, sftp_chroot_dir, and ssh_client_roaming from the … #57 (shirokatze)
add test support for ansible 1.9 and 2.0 #56 (rndmh3ro)
update platforms in meta-file #52 (rndmh3ro)
add webhook for ansible galaxy #51 (rndmh3ro)
Disable experimental client roaming. #49 (rndmh3ro)
use inspec as test framework #48 (chris-rock)
Change categories to tags for upcoming ansible 2.0 #47 (rndmh3ro)
add changelog generator #46 (chris-rock)

Closed issues:

Fail at TASK [remove selinux-policy when Pam is used...] when ssh_use_pam: true #54
Install from ansible galaxy missing files (tasks) #50
should generate new ssh host key files #45