Merge pull request #60 from conorsch/move-vars-to-defaults

Moves vars to defaults

Author: Sebastian Gumprich

defaults/main.yml

@@ -77,3 +77,60 @@ sftp_chroot_dir: /home/%u
 
 # enable experimental client roaming
 ssh_client_roaming: false
+
+
+ssh_ps53: 'yes'
+ssh_ps59: 'sandbox'
+
+ssh_macs_53_default:
+  - hmac-ripemd160
+  - hmac-sha1
+
+ssh_macs_59_default:
+  - hmac-sha2-512
+  - hmac-sha2-256
+  - hmac-ripemd160
+
+ssh_macs_59_weak: "{{ ssh_macs_59_default + ['hmac-sha1'] }}"
+
+ssh_macs_66_default:
+  - hmac-sha2-512-etm@openssh.com
+  - hmac-sha2-256-etm@openssh.com
+  - hmac-ripemd160-etm@openssh.com
+  - umac-128-etm@openssh.com
+  - hmac-sha2-512
+  - hmac-sha2-256
+  - hmac-ripemd160
+
+ssh_macs_66_weak: "{{ ssh_macs_66_default + ['hmac-sha1'] }}"
+
+ssh_ciphers_53_default:
+  - aes256-ctr
+  - aes192-ctr
+  - aes128-ctr
+
+ssh_ciphers_53_weak: "{{ ssh_ciphers_53_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"
+
+ssh_ciphers_66_default:
+  - chacha20-poly1305@openssh.com
+  - aes256-gcm@openssh.com
+  - aes128-gcm@openssh.com
+  - aes256-ctr
+  - aes192-ctr
+  - aes128-ctr
+
+ssh_ciphers_66_weak: "{{ ssh_ciphers_66_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"
+
+ssh_kex_59_default:
+  - diffie-hellman-group-exchange-sha256
+
+ssh_kex_59_weak: "{{ ssh_kex_59_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"
+
+ssh_kex_66_default:
+  - curve25519-sha256@libssh.org
+  - diffie-hellman-group-exchange-sha256
+
+ssh_kex_66_weak: "{{ ssh_kex_66_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"
+
+# directory where to store ssh_password policy
+ssh_custom_selinux_dir: '/etc/selinux/local-policies'

tasks/main.yml

@@ -24,27 +24,27 @@
   when: ssh_client_hardening
 
 - name: Create selinux custom policy drop folder
-  file: path={{ custom_selinux_dir }} state=directory owner=root group=root mode=0750
+  file: path={{ ssh_custom_selinux_dir }} state=directory owner=root group=root mode=0750
   when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled'
 
 # The following tasks only get executed when selinux is in state enforcing and UsePam is "no".
 # See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
 
 - name: Distributing custom selinux policies
-  copy: src='ssh_password' dest='{{ custom_selinux_dir }}'
+  copy: src='ssh_password' dest='{{ ssh_custom_selinux_dir }}'
   register: custom_policies_output
   when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled'
 
 - name: check and compile policy
-  shell: checkmodule -M -m -o {{ custom_selinux_dir }}/ssh_password.mod {{ custom_selinux_dir }}/ssh_password
+  shell: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
   when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled'
 
 - name: create selinux policy module package
-  shell: semodule_package -o {{ custom_selinux_dir }}/ssh_password.pp  -m {{ custom_selinux_dir }}/ssh_password.mod
+  shell: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp  -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
   when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled'
 
 - name: install selinux policy
-  shell: semodule -i {{ custom_selinux_dir }}/ssh_password.pp
+  shell: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
   when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled'
 
 - name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)

templates/openssh.conf.j2

@@ -48,15 +48,15 @@ StrictHostKeyChecking ask
 #
 {% if ssh_client_cbc_required -%}
     {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-    Ciphers {{ciphers_66_weak}}
+    Ciphers {{ ssh_ciphers_66_weak | join(',') }}
     {% else -%}
-    Ciphers {{ciphers_53_weak}}
+    Ciphers {{ ssh_ciphers_53_weak | join(',') }}
     {% endif %}
 {% else -%}
     {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-        Ciphers {{ciphers_66_default}}
+        Ciphers {{ ssh_ciphers_66_default | join(',') }}
     {% else -%}
-        Ciphers {{ciphers_53_default}}
+        Ciphers {{ ssh_ciphers_53_default | join(',') }}
     {% endif %}
 {% endif %}
 
@@ -66,23 +66,23 @@ StrictHostKeyChecking ask
 #
 {% if ssh_client_weak_hmac -%}
     {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-        MACs {{macs_66_weak}}
+        MACs {{ ssh_macs_66_weak | join(',') }}
     {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
-    MACs {{macs_53_default}}
+    MACs {{ ssh_macs_53_default | join(',') }}
     {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-    MACs {{macs_53_default}}
+    MACs {{ ssh_macs_53_default | join(',') }}
     {% else -%}
-    MACs {{macs_59_weak}}
+    MACs {{ ssh_macs_59_weak | join(',') }}
     {% endif %}
 {% else -%}
     {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-    MACs {{macs_66_default}}
+    MACs {{ ssh_macs_66_default | join(',') }}
     {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
-    MACs {{macs_53_default}}
+    MACs {{ ssh_macs_53_default | join(',') }}
     {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-    MACs {{macs_53_default}}
+    MACs {{ ssh_macs_53_default | join(',') }}
     {% else -%}
-    MACs {{macs_59_default}}
+    MACs {{ ssh_macs_59_default | join(',') }}
     {% endif %}
 {% endif %}
 
@@ -95,17 +95,17 @@ StrictHostKeyChecking ask
 #
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
    {% if ssh_client_weak_kex -%}
-    KexAlgorithms {{kex_66_weak}}
+    KexAlgorithms {{ ssh_kex_66_weak | join(',') }}
    {% else -%}
-        KexAlgorithms {{kex_66_default}}
+        KexAlgorithms {{ ssh_kex_66_default | join(',') }}
    {% endif %}
 {% else -%}
    {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
            #KexAlgorithms
    {% elif ssh_client_weak_kex -%}
-           KexAlgorithms {{kex_59_weak}}
+           KexAlgorithms {{ ssh_kex_59_weak | join(',') }}
    {% else -%}
-           KexAlgorithms {{kex_59_default}}
+           KexAlgorithms {{ ssh_kex_59_default | join(',') }}
    {% endif %}
 {% endif %}
 

templates/opensshd.conf.j2

@@ -52,15 +52,15 @@ LogLevel VERBOSE
 #
 {% if ssh_server_cbc_required -%}
     {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-        Ciphers {{ciphers_66_weak}}
+        Ciphers {{ ssh_ciphers_66_weak | join(',') }}
     {% else %}
-        Ciphers {{ciphers_53_weak}}
+        Ciphers {{ ssh_ciphers_53_weak | join(',') }}
     {% endif %}
 {% else -%}
     {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-        Ciphers {{ciphers_66_default}}
+        Ciphers {{ ssh_ciphers_66_default | join(',') }}
     {% else -%}
-        Ciphers {{ciphers_53_default}}
+        Ciphers {{ ssh_ciphers_53_default | join(',') }}
     {% endif %}
 {% endif %}
 
@@ -71,23 +71,23 @@ LogLevel VERBOSE
 
 {% if ssh_server_weak_hmac -%}
     {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-        MACs {{macs_66_weak}}
+        MACs {{ ssh_macs_66_weak | join(',') }}
     {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
-        MACs {{macs_53_default}}
+        MACs {{ ssh_macs_53_default | join(',') }}
     {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-        MACs {{macs_53_default}}
+        MACs {{ ssh_macs_53_default | join(',') }}
     {% else -%}
-        MACs {{macs_59_weak}}
+        MACs {{ ssh_macs_59_weak | join(',') }}
     {% endif %}
 {% else -%}
     {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-        MACs {{macs_66_default}}
+        MACs {{ ssh_macs_66_default | join(',') }}
     {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
-        MACs {{macs_53_default}}
+        MACs {{ ssh_macs_53_default | join(',') }}
     {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-        MACs {{macs_53_default}}
+        MACs {{ ssh_macs_53_default | join(',') }}
     {% else -%}
-        MACs {{macs_59_default}}
+        MACs {{ ssh_macs_59_default | join(',') }}
     {% endif %}
 {% endif %}
 
@@ -100,15 +100,15 @@ LogLevel VERBOSE
 # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
     {% if ssh_client_weak_kex -%}
-        KexAlgorithms {{kex_66_weak}}
+        KexAlgorithms {{ ssh_kex_66_weak | join(',') }}
     {% else -%}
-        KexAlgorithms {{kex_66_default}}
+        KexAlgorithms {{ ssh_kex_66_default | join(',') }}
     {% endif %}
 {% else -%}
     {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
         #KexAlgorithms
     {% else -%}
-        KexAlgorithms {{kex_59_default}}
+        KexAlgorithms {{ ssh_kex_59_default | join(',') }}
     {% endif %}
 {% endif %}
 

vars/main.yml

@@ -1,22 +0,0 @@
-ssh_ps53: 'yes'
-ssh_ps59: 'sandbox'
-
-macs_53_default: 'hmac-ripemd160,hmac-sha1'
-macs_59_default: 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
-macs_59_weak: '{{macs_59_default + ",hmac-sha1"}}'
-macs_66_default: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
-macs_66_weak: '{{macs_66_default + ",hmac-sha1"}}'
-
-ciphers_53_default: 'aes256-ctr,aes192-ctr,aes128-ctr'
-ciphers_53_weak: '{{ciphers_53_default + ",aes256-cbc,aes192-cbc,aes128-cbc"}}'
-
-ciphers_66_default: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
-ciphers_66_weak: '{{ciphers_66_default + ",aes256-cbc,aes192-cbc,aes128-cbc"}}'
-
-kex_59_default: 'diffie-hellman-group-exchange-sha256'
-kex_59_weak: '{{kex_59_default + ",diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"}}'
-kex_66_default: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
-kex_66_weak: '{{kex_66_default + ",diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"}}'
-
-# directory where to store ssh_password policy
-custom_selinux_dir: '/etc/selinux/local-policies'