finish PR

Sebastian Gumprich · Sebastian Gumprich · commit 6d9f217a7869 · 2017-05-28T14:18:44.000+02:00
diff --git a/README.md b/README.md
@@ -49,6 +49,19 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
 |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
 |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
+|`ssh_banner` | `false` | `true` to print a banner on login |
+|`ssh_client_hardening` | `true` | `false` to stop harden the client |
+|`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. |
+|`ssh_compression` | `false` | Specifies whether compression is enabled after the user has authenticated successfully. |
+|`ssh_max_auth_retries` | `2` | Specifies the maximum number of authentication attempts permitted per connection. |
+|`ssh_print_debian_banner` | `false` | `true` to print debian specific banner |
+|`ssh_server_enabled` | `true` | `false` to disable the opensshd server |
+|`ssh_server_hardening` | `true` | `false` to stop harden the server |
+|`ssh_server_match_group` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
+|`ssh_server_match_user` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
+|`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd |
+|`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
+
 
 ## Example Playbook
 
diff --git a/default.yml b/default.yml
@@ -18,15 +18,42 @@
   vars:
     network_ipv6_enable: true
     ssh_allow_root_with_key: true
+    ssh_allow_tcp_forwarding: true
+    ssh_allow_agent_forwarding: true
+    ssh_server_permit_environment_vars: 'PWD'
+    ssh_client_alive_interval: 100
+    ssh_client_alive_count: 10
     ssh_client_password_login: true
     ssh_client_cbc_required: true
-    ssh_server_weak_hmac: true
     ssh_client_weak_kex: true
+    ssh_challengeresponseauthentication: true
+    ssh_compression: 'yes'
+    ssh_allow_users: 'root kitchen vagrant'
+    ssh_allow_groups: 'root kitchen vagrant'
+    ssh_deny_users: 'foo bar'
+    ssh_deny_groups: 'foo bar'
+    ssh_max_auth_retries: 10
+    ssh_permit_tunnel: true
+    ssh_print_motd: true
+    ssh_print_last_log: true
+    ssh_banner: true
+    ssh_server_password_login: true
+    ssh_server_enabled: false
+    ssh_server_weak_hmac: true
+    sftp_enabled: true
+    ssh_server_match_group:
+      - group: 'root'
+        rules: 'AllowTcpForwarding yes'
+    ssh_server_match_user:
+      - user: 'root'
+        rules: 'AllowTcpForwarding yes'
     ssh_remote_hosts:
       - names: ['example.com', 'example2.com']
         options: ['Port 2222', 'ForwardAgent yes']
       - names: ['example3.com']
         options: ['StrictHostKeyChecking no']
+    ssh_use_dns: true
+    ssh_use_pam: true
 
 - name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
   hosts: localhost
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -2,10 +2,10 @@
 network_ipv6_enable: false              # sshd + ssh
 
 # true if sshd should be started and enabled
-ssh_server_enabled: false               # sshd
+ssh_server_enabled: true               # sshd
 
-# true if DNS resolutions are needed
-ssh_use_dns: true                       # sshd
+# true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
+ssh_use_dns: false                      # sshd
 
 # true or value if compression is needed
 ssh_compression: false                  # sshd
@@ -111,6 +111,8 @@ ssh_server_match_user: false            # sshd
 # list of hashes (containing group and rules) to generate Match Group blocks for.
 ssh_server_match_group: false           # sshd
 
+ssh_server_permit_environment_vars: false
+
 
 ssh_ps53: 'yes'
 ssh_ps59: 'sandbox'
@@ -172,6 +174,3 @@ sshd_moduli_minimum: 2048
 
 # disable ChallengeResponseAuthentication
 ssh_challengeresponseauthentication: false
-
-#  look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
-ssh_use_dns: false
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -204,9 +204,7 @@ PermitUserEnvironment no
 # Misc. configuration
 # ===================
 
-{% if ssh_compression %}
-Compression {{ ssh_compression }}
-{% endif %}
+Compression {{ 'yes' if ssh_compression else 'no' }}
 
 UseDNS {{ 'yes' if ssh_use_dns else 'no' }}
 
@@ -222,6 +220,25 @@ Banner {{ '/etc/ssh/banner.txt' if ssh_banner else 'none' }}
 DebianBanner {{ 'yes' if ssh_print_debian_banner else 'no' }}
 {% endif %}
 
+# SFTP matching configuration
+# ===========================
+{% if sftp_enabled %}
+# Configuration, in case SFTP is used
+# override default of no subsystems
+# Subsystem sftp /opt/app/openssh5/libexec/sftp-server
+Subsystem sftp internal-sftp -l INFO -f LOCAL6
+
+# These lines must appear at the *end* of sshd_config
+Match Group sftponly
+ForceCommand internal-sftp -l INFO -f LOCAL6
+ChrootDirectory {{ sftp_chroot_dir }}
+AllowTcpForwarding no
+AllowAgentForwarding no
+PasswordAuthentication no
+PermitRootLogin no
+X11Forwarding no
+{% endif %}
+
 # Group matching configuration
 # ============================
 
@@ -242,21 +259,3 @@ Match User {{ item.user }}
 {% endfor %}
 {% endif %}
 
-# SFTP matching configuration
-# ===========================
-{% if sftp_enabled %}
-# Configuration, in case SFTP is used
-# override default of no subsystems
-# Subsystem sftp /opt/app/openssh5/libexec/sftp-server
-Subsystem sftp internal-sftp -l INFO -f LOCAL6
-
-# These lines must appear at the *end* of sshd_config
-Match Group sftponly
-ForceCommand internal-sftp -l INFO -f LOCAL6
-ChrootDirectory {{ sftp_chroot_dir }}
-AllowTcpForwarding no
-AllowAgentForwarding no
-PasswordAuthentication no
-PermitRootLogin no
-X11Forwarding no
-{% endif %}
