Fix join-filter, jinja-cases, spelling, whitespace

- the join filter is replaced by '+'
- the if-cases for rhel-based OS'es is simplified
- intendation of complex if-cases

roles/ansible-ssh-hardening/templates/openssh.conf.j2

@@ -47,44 +47,44 @@ StrictHostKeyChecking ask
 # eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
 # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
 #
-{% if ssh_client_cbc_required %}
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-Ciphers {{ciphers_66_weak}}
+{% if ssh_client_cbc_required -%}
+    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+    Ciphers {{ciphers_66_weak}}
+    {% else -%}
+    Ciphers {{ciphers_53_weak}}
+    {% endif %}
 {% else -%}
-Ciphers {{ciphers_53_weak}}
-{% endif %}
-{% else %}
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-Ciphers {{ciphers_66_default}}
-{% else -%}
-Ciphers {{ciphers_53_default}}
-{% endif %}
+    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+        Ciphers {{ciphers_66_default}}
+    {% else -%}
+        Ciphers {{ciphers_53_default}}
+    {% endif %}
 {% endif %}
 
 # **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
 # Weak HMAC is sometimes required if older package versions are used
 # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
 #
-{% if ssh_server_weak_hmac %}
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-MACs {{macs_66_weak}}
-{% elif (ansible_os_family == 'RedHat' and ansible_distribution_major_version <= '6') or ansible_os_family == 'Oracle Linux' -%}
-MACs {{macs_53_default}}
-{% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-MACs {{macs_53_default}}
-{% else %}
-MACs {{macs_59_weak}}
-{% endif %}
-{% else %}
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-MACs {{macs_66_default}}
-{% elif (ansible_os_family == 'RedHat' and ansible_distribution_major_version <= '6')  or ansible_os_family == 'Oracle Linux' -%}
-MACs {{macs_53_default}}
-{% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-MACs {{macs_53_default}}
-{% else %}
-MACs {{macs_59_default}}
-{% endif %}
+{% if ssh_server_weak_hmac -%}
+    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+        MACs {{macs_66_weak}}
+    {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
+    MACs {{macs_53_default}}
+    {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
+    MACs {{macs_53_default}}
+    {% else -%}
+    MACs {{macs_59_weak}}
+    {% endif %}
+{% else -%}
+    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+    MACs {{macs_66_default}}
+    {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
+    MACs {{macs_53_default}}
+    {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
+    MACs {{macs_53_default}}
+    {% else -%}
+    MACs {{macs_59_default}}
+    {% endif %}
 {% endif %}
 
 # Alternative setting, if OpenSSH version is below v5.9
@@ -95,19 +95,19 @@ MACs {{macs_59_default}}
 # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
 #
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-        {% if ssh_client_weak_kex -%}
-                KexAlgorithms {{kex_66_weak}}
-        {% else -%}
-                KexAlgorithms {{kex_66_default}}
-        {% endif %}
+   {% if ssh_client_weak_kex -%}
+    KexAlgorithms {{kex_66_weak}}
+   {% else -%}
+        KexAlgorithms {{kex_66_default}}
+   {% endif %}
 {% else -%}
-        {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
-                #KexAlgorithms
-        {% elif ssh_client_weak_kex -%}
-                KexAlgorithms {{kex_59_weak}}
-        {% else -%}
-                KexAlgorithms {{kex_59_default}}
-        {% endif %}
+   {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
+           #KexAlgorithms
+   {% elif ssh_client_weak_kex -%}
+           KexAlgorithms {{kex_59_weak}}
+   {% else -%}
+           KexAlgorithms {{kex_59_default}}
+   {% endif %}
 {% endif %}
 
 

roles/ansible-ssh-hardening/templates/opensshd.conf.j2

@@ -55,17 +55,17 @@ LogLevel VERBOSE
 # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
 #
 {% if ssh_server_cbc_required -%}
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-Ciphers {{ciphers_66_weak}}
-{% else %}
-Ciphers {{ciphers_53_weak}}
-{% endif %}
-{% else %}
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-Ciphers {{ciphers_66_default}}
-{% else %}
-Ciphers {{ciphers_53_default}}
-{% endif %}
+    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+        Ciphers {{ciphers_66_weak}}
+    {% else %}
+        Ciphers {{ciphers_53_weak}}
+    {% endif %}
+{% else -%}
+    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+        Ciphers {{ciphers_66_default}}
+    {% else -%}
+        Ciphers {{ciphers_53_default}}
+    {% endif %}
 {% endif %}
 
 # **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
@@ -74,25 +74,25 @@ Ciphers {{ciphers_53_default}}
 #
 
 {% if ssh_server_weak_hmac -%}
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-MACs {{macs_66_weak}}
-{% elif (ansible_os_family == 'RedHat' and ansible_distribution_major_version <= '6') or ansible_os_family == 'Oracle Linux' -%}
-MACs {{macs_53_default}}
-{% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-MACs {{macs_53_default}}
-{% else %}
-MACs {{macs_59_weak}}
-{% endif %}
-{% else %}
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-MACs {{macs_66_default}}
-{% elif (ansible_os_family == 'RedHat' and ansible_distribution_major_version <= '6') or ansible_os_family == 'Oracle Linux' -%}
-MACs {{macs_53_default}}
-{% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-MACs {{macs_53_default}}
-{% else %}
-MACs {{macs_59_default}}
-{% endif %}
+    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+        MACs {{macs_66_weak}}
+    {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
+        MACs {{macs_53_default}}
+    {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
+        MACs {{macs_53_default}}
+    {% else -%}
+        MACs {{macs_59_weak}}
+    {% endif %}
+{% else -%}
+    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+        MACs {{macs_66_default}}
+    {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
+        MACs {{macs_53_default}}
+    {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
+        MACs {{macs_53_default}}
+    {% else -%}
+        MACs {{macs_59_default}}
+    {% endif %}
 {% endif %}
 
 # Alternative setting, if OpenSSH version is below v5.9
@@ -103,17 +103,17 @@ MACs {{macs_59_default}}
 # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
 # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-        {% if ssh_client_weak_kex -%}
-                KexAlgorithms {{kex_66_weak}}
-	{% else -%}
-                KexAlgorithms {{kex_66_default}}
-        {% endif %}
+    {% if ssh_client_weak_kex -%}
+        KexAlgorithms {{kex_66_weak}}
+    {% else -%}
+        KexAlgorithms {{kex_66_default}}
+    {% endif %}
 {% else -%}
-        {% if ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
-                #KexAlgorithms
-        {% else -%}
-                KexAlgorithms {{kex_59_default}}
-	{% endif %}
+    {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
+        #KexAlgorithms
+    {% else -%}
+        KexAlgorithms {{kex_59_default}}
+    {% endif %}
 {% endif %}
 
 # Authentication
@@ -121,7 +121,7 @@ MACs {{macs_59_default}}
 
 # Secure Login directives.
 UseLogin no
-UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
+UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or ansible_os_family in ['Oracle Linux', 'RedHat'] -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
 
 PermitUserEnvironment no
 LoginGraceTime 30s

roles/ansible-ssh-hardening/vars/main.yml

@@ -3,18 +3,18 @@ ssh_ps59: 'sandbox'
 
 macs_53_default: 'hmac-ripemd160,hmac-sha1'
 macs_59_default: 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
-macs_59_weak: '{{macs_59_default | join(",hmac-sha1")}}'
+macs_59_weak: '{{macs_59_default + ",hmac-sha1"}}'
 macs_66_default: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
-macs_66_weak: '{{macs_66_default | join(",hmac-sha1")}}'
+macs_66_weak: '{{macs_66_default + ",hmac-sha1"}}'
 
 ciphers_53_default: 'aes256-ctr,aes192-ctr,aes128-ctr'
-ciphers_53_weak: '{{ciphers_53_default | join (",aes256-cbc,aes192-cbc,aes128-cbc")}}'
+ciphers_53_weak: '{{ciphers_53_default + ",aes256-cbc,aes192-cbc,aes128-cbc"}}'
 
 ciphers_66_default: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
-ciphers_66_weak: '{{ciphers_66_default | join (",aes256-cbc,aes192-cbc,aes128-cbc")}}'
+ciphers_66_weak: '{{ciphers_66_default + ",aes256-cbc,aes192-cbc,aes128-cbc"}}'
 
 kex_59_default: 'diffie-hellman-group-exchange-sha256'
 kex_59_weak: '{{kex_59_default + ",diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"}}'
 kex_66_default: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
-kex_66_weak: '{{kex_66_default | join (",diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1")}}'
+kex_66_weak: '{{kex_66_default + ",diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"}}'