Make it configurable to only harden ssh client/server or both (default).

Robin Schneider 2015-07-28 20:42:14 +02:00
parent e0b1068e8c
commit a8f991bc07
GPG key ID: 489A4D5EC353C98A
2 changed files with 6 additions and 0 deletions


@ -1,6 +1,10 @@
# true if IPv6 is needed
network_ipv6_enable: false # sshd + ssh
# For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.
ssh_client_hardening: true # ssh
ssh_server_hardening: true # sshd
# true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
ssh_client_cbc_required: false # ssh
ssh_server_cbc_required: false # sshd
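Review bot: The comment added above the two new `ssh_*_hardening` switches is a single line well past the 120-character limit; split it into several `#` lines at the key's indent, e.g. `# Which components (client and/or server) to generate configuration for.` followed by `# Useful when running against a host that has no SSH server.`. It would also help to say what `false` means on the target: judging by the `when:` guards in the tasks file, the matching template task is skipped, so an existing /etc/ssh/sshd_config or /etc/ssh/ssh_config is left as it is rather than reverted, which a reader might otherwise expect. The hunk covers only the first ten lines of the defaults file; the remaining defaults are outside it.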


@ -5,6 +5,8 @@
- name: create sshd_config and set permissions to root/600
template: src='opensshd.conf.j2' dest='/etc/ssh/sshd_config' mode=0600 owner=root group=root validate="/usr/sbin/sshd -T -f %s"
notify: restart sshd
when: ssh_server_hardening
- name: create ssh_config and set permissions to root/644
template: src='openssh.conf.j2' dest='/etc/ssh/ssh_config' mode=0644 owner=root group=root
when: ssh_client_hardening
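Review bot: The two new `when:` guards test the bare variable, and a value supplied on the command line (`-e ssh_server_hardening=false`) may arrive as a string; depending on the Ansible release, a non-empty string evaluates as true there, so the hardening would be applied despite the override. Writing `when: ssh_server_hardening | bool` and `when: ssh_client_hardening | bool` makes the guards independent of how the value was supplied. Which Ansible versions the role targets is not visible on this page, so the practical impact is uncertain, but the `| bool` form costs nothing either way.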