revive old tests with custom ssh settings

Signed-off-by: rndmh3ro <github@gumpri.ch>
2024-11-10 09:14:18 +00:00 · 2021-10-18 21:01:02 +02:00 · 2021-10-18 21:01:02 +02:00 · 940819ab84
commit 940819ab84
parent 21ca7c533a
1 changed files with 104 additions and 0 deletions
--- a/molecule/ssh_hardening/converge.yml
+++ b/molecule/ssh_hardening/converge.yml
@ -1,4 +1,108 @@
 ---
+- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+  hosts: all
+  become: true
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  collections:
+    - devsec.hardening
+  tasks:
+    - include_role:
+        name: ssh_hardening
+  vars:
+    ssh_trusted_user_ca_keys_file: '/etc/ssh/ca.pub'
+    ssh_trusted_user_ca_keys:
+      - '# ssh-rsa ...'
+    ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
+    ssh_authorized_principals:
+      - path: "/etc/ssh/auth_principals/root"
+        principals:
+          - "root"
+        owner: "{{ ssh_owner }}"
+        group: "{{ ssh_group }}"
+        directoryowner: "{{ ssh_owner }}"
+        directorygroup: "{{ ssh_group }}"
+        directorymode: "0700"
+    network_ipv6_enable: true
+    ssh_allow_tcp_forwarding: 'yes'
+    ssh_gateway_ports: true
+    ssh_allow_agent_forwarding: true
+    ssh_server_permit_environment_vars: 'yes'
+    ssh_server_accept_env_vars: 'PWD HTTP_PROXY'
+    ssh_client_alive_interval: 100
+    ssh_client_alive_count: 10
+    ssh_client_password_login: true
+    ssh_challengeresponseauthentication: true
+    ssh_compression: true
+    ssh_allow_users: 'root kitchen vagrant'
+    ssh_allow_groups: 'root kitchen vagrant'
+    ssh_deny_users: 'foo bar'
+    ssh_deny_groups: 'foo bar'
+    ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
+    ssh_max_auth_retries: 10
+    ssh_permit_root_login: "without-password"
+    ssh_permit_tunnel: true
+    ssh_print_motd: true
+    ssh_print_last_log: true
+    ssh_banner: true
+    ssh_server_password_login: true
+    sftp_enabled: true
+    sftp_chroot: true
+    # ssh_server_enabled: false
+    ssh_server_ports:
+      - 22
+      - 222
+    ssh_server_match_address:
+      - address: '192.168.1.1/24'
+        rules:
+          - 'AllowTcpForwarding yes'
+          - 'AllowAgentForwarding no'
+    ssh_server_match_group:
+      - group: 'root'
+        rules:
+          - 'AllowTcpForwarding yes'
+          - 'AllowAgentForwarding no'
+    ssh_server_match_user:
+      - user: 'root'
+        rules:
+          - 'AllowTcpForwarding yes'
+          - 'AllowAgentForwarding no'
+    ssh_server_match_local_port:
+      - port: 222
+        rules:
+          - 'AllowTcpForwarding yes'
+          - 'AllowAgentForwarding no'
+    ssh_remote_hosts:
+      - names: ['example.com', 'example2.com']
+        options: ['Port 2222', 'ForwardAgent yes']
+      - names: ['example3.com']
+        options: ['StrictHostKeyChecking no']
+    ssh_use_dns: true
+    ssh_use_pam: true
+    ssh_max_startups: '10:30:60'
+    ssh_host_key_algorithms:
+      - ssh-ed25519
+      - rsa-sha2-512
+      - rsa-sha2-256
+      - ssh-rsa
+    ssh_macs:
+      - hmac-sha2-512
+      - hmac-sha2-256
+    ssh_ciphers:
+      - aes256-ctr
+      - aes192-ctr
+      - aes128-ctr
+      - aes256-cbc
+    ssh_kex:
+      - diffie-hellman-group-exchange-sha256
+      - diffie-hellman-group-exchange-sha1
+    ssh_custom_options:
+      - "Include /etc/ssh/ssh_config.d/*"
+    sshd_custom_options:
+      - "AcceptEnv LANG"
+
 - name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
  hosts: all
  become: true