Replace ssh_keys group in Fedora with root (#677)

* Replace ssh_keys group in Fedora with root

In Fedora 38, the `ssh_keys` group was removed. root is used now, in accordance to upstream.

See: https://www.spinics.net/lists/fedora-devel/msg307707.html
See: https://src.fedoraproject.org/rpms/openssh/pull-request/37#

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* change host key mode and owner in fedora and rhel9

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add missing host mode for rhel7

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* harden all ssh host keys

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* skip linting rule

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* correct grp for bsd is wheel

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

---------

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

.config/ansible-lint.yml

@@ -12,3 +12,6 @@ exclude_paths:
 mock_roles:
   - geerlingguy.git
   - nginxinc.nginx
+
+skip_list:
+  - var-naming[no-role-prefix]

roles/ssh_hardening/tasks/crypto_hostkeys.yml

@@ -8,16 +8,6 @@
     force: false
     regenerate: partial_idempotence
 
-# In RHEL and Fedora, the 'ssh_keys' group is the group owner of the host private SSH keys.
-# Since the openssh_keypair module needs to read the key to provide idempotency, we need to set ownership and group based on specific OS vars.
-- name: Change host private key ownership, group and permissions
-  ansible.builtin.file:
-    path: "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
-    owner: "{{ ssh_host_keys_owner }}"
-    group: "{{ ssh_host_keys_group }}"
-    mode: "0640"
-  when: ansible_facts.os_family == 'RedHat'
-
 - name: Set hostkeys according to openssh-version if openssh >= 5.3
   ansible.builtin.set_fact:
     ssh_host_key_files:
@@ -38,3 +28,11 @@
       - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
       - "{{ ssh_host_keys_dir }}/ssh_host_ed25519_key"
   when: sshd_version is version('6.3', '>=')
+
+- name: Change host private key ownership, group and permissions
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: "{{ ssh_host_keys_owner }}"
+    group: "{{ ssh_host_keys_group }}"
+    mode: "{{ ssh_host_keys_mode }}"
+  loop: "{{ ssh_host_key_files }}"

roles/ssh_hardening/vars/Amazon_2.yml

@@ -1,11 +1,12 @@
 ---
 sshd_path: /usr/sbin/sshd
-ssh_host_keys_dir: '/etc/ssh'
+ssh_host_keys_dir: /etc/ssh
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
-ssh_host_keys_owner: 'root'
-ssh_host_keys_group: 'ssh_keys'
+ssh_host_keys_owner: root
+ssh_host_keys_group: ssh_keys
+ssh_host_keys_mode: "0600"
 ssh_selinux_packages:
   - policycoreutils-python
   - checkpolicy
@@ -16,7 +17,7 @@ ssh_kerberos_support: true
 # true if SSH has PAM support
 ssh_pam_support: true
 
-sshd_moduli_file: '/etc/ssh/moduli'
+sshd_moduli_file: /etc/ssh/moduli
 
 # disable CRYPTO_POLICY to take settings from sshd configuration
 # see: https://access.redhat.com/solutions/4410591

roles/ssh_hardening/vars/Archlinux.yml

@@ -6,6 +6,7 @@ ssh_owner: root
 ssh_group: root
 ssh_host_keys_owner: root
 ssh_host_keys_group: root
+ssh_host_keys_mode: "0600"
 
 # true if SSH support Kerberos
 ssh_kerberos_support: true

roles/ssh_hardening/vars/Debian.yml

@@ -6,6 +6,7 @@ ssh_owner: root
 ssh_group: root
 ssh_host_keys_owner: root
 ssh_host_keys_group: root
+ssh_host_keys_mode: "0600"
 ssh_selinux_packages:
   - policycoreutils-python
   - checkpolicy

roles/ssh_hardening/vars/Fedora.yml

@@ -5,7 +5,8 @@ sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
 ssh_host_keys_owner: root
-ssh_host_keys_group: ssh_keys
+ssh_host_keys_group: root
+ssh_host_keys_mode: "0600"
 ssh_selinux_packages:
   - python3-policycoreutils
   - checkpolicy

roles/ssh_hardening/vars/FreeBSD.yml

@@ -5,7 +5,8 @@ sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
 ssh_host_keys_owner: root
-ssh_host_keys_group: root
+ssh_host_keys_group: wheel
+ssh_host_keys_mode: "0600"
 
 # true if SSH support Kerberos
 ssh_kerberos_support: true

roles/ssh_hardening/vars/OpenBSD.yml

@@ -5,7 +5,8 @@ sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
 ssh_host_keys_owner: root
-ssh_host_keys_group: root
+ssh_host_keys_group: wheel
+ssh_host_keys_mode: "0600"
 
 # true if SSH support Kerberos
 ssh_kerberos_support: false

roles/ssh_hardening/vars/RedHat.yml

@@ -6,6 +6,7 @@ ssh_owner: root
 ssh_group: root
 ssh_host_keys_owner: root
 ssh_host_keys_group: ssh_keys
+ssh_host_keys_mode: "0600"
 ssh_selinux_packages:
   - policycoreutils-python-utils
   - checkpolicy

roles/ssh_hardening/vars/RedHat_7.yml

@@ -6,6 +6,7 @@ ssh_owner: root
 ssh_group: root
 ssh_host_keys_owner: root
 ssh_host_keys_group: ssh_keys
+ssh_host_keys_mode: "0600"
 ssh_selinux_packages:
   - policycoreutils-python
   - checkpolicy

roles/ssh_hardening/vars/RedHat_9.yml

@@ -0,0 +1,24 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: /etc/ssh
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+ssh_host_keys_owner: root
+ssh_host_keys_group: root
+ssh_host_keys_mode: "0600"
+ssh_selinux_packages:
+  - policycoreutils-python-utils
+  - checkpolicy
+
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: /etc/ssh/moduli
+
+# disable CRYPTO_POLICY to take settings from sshd configuration
+# see: https://access.redhat.com/solutions/4410591
+sshd_disable_crypto_policy: true

roles/ssh_hardening/vars/SmartOS.yml

@@ -6,6 +6,7 @@ ssh_owner: root
 ssh_group: root
 ssh_host_keys_owner: root
 ssh_host_keys_group: root
+ssh_host_keys_mode: "0600"
 
 # true if SSH support Kerberos
 ssh_kerberos_support: true

roles/ssh_hardening/vars/Suse.yml

@@ -6,6 +6,7 @@ ssh_owner: root
 ssh_group: root
 ssh_host_keys_owner: root
 ssh_host_keys_group: root
+ssh_host_keys_mode: "0600"
 
 # true if SSH support Kerberos
 ssh_kerberos_support: true