Mirrors/ansible-collection-hardening
2
0
Fork 0
mirror of https://github.com/dev-sec/ansible-collection-hardening synced 2024-11-14 02:47:06 +00:00
Code Issues Projects Releases Packages Wiki Activity

Short role review. Fixed role when ssh_client_weak_kex == true.

Browse source 
* This role uses the Jinja2 `join` filter quite creatively, please fix this. This patch fixes one instance.
* Make full use of Jinja2 features. E.g. use `if ansible_os_family in ['Oracle Linux', 'RedHat']` for example. This patch fixes one instance.
* Fixed spelling.
* Removed whitespace.
This commit is contained in:
Robin Schneider 2015-07-28 21:01:14 +02:00
parent e0b1068e8c
commit a2f4542a48
No known key found for this signature in database
GPG key ID: 489A4D5EC353C98A
2 changed files with 11 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
roles/ansible-ssh-hardening/templates/openssh.conf.j2
View file

@ -101,15 +101,17 @@ MACs {{macs_59_default}}
KexAlgorithms {{kex_66_default}} KexAlgorithms {{kex_66_default}}
{% endif %} {% endif %}
{% else -%} {% else -%}
{% if ansible_os_family == 'RedHat' or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or ansible_os_family == 'Oracle Linux' -%} {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
#KexAlgorithms #KexAlgorithms
{% elif ssh_client_weak_kex -%}
KexAlgorithms {{kex_59_weak}}
{% else -%} {% else -%}
KexAlgorithms {{kex_59_default}} KexAlgorithms {{kex_59_default}}
{% endif %} {% endif %}
{% endif %} {% endif %}
# Disable agent formwarding, since local agent could be accessed through forwarded connection. # Disable agent forwarding, since local agent could be accessed through forwarded connection.
ForwardAgent no ForwardAgent no
# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection. # Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.

2
roles/ansible-ssh-hardening/vars/main.yml
View file

@ -14,7 +14,7 @@ ciphers_66_default: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128
ciphers_66_weak: '{{ciphers_66_default | join (",aes256-cbc,aes192-cbc,aes128-cbc")}}' ciphers_66_weak: '{{ciphers_66_default | join (",aes256-cbc,aes192-cbc,aes128-cbc")}}'
kex_59_default: 'diffie-hellman-group-exchange-sha256' kex_59_default: 'diffie-hellman-group-exchange-sha256'
kex_59_weak: '{{kex_59_default | join (",diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1")}}' kex_59_weak: '{{kex_59_default + ",diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"}}'
kex_66_default: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' kex_66_default: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
kex_66_weak: '{{kex_66_default | join (",diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1")}}' kex_66_weak: '{{kex_66_default | join (",diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1")}}'