Changelog
9.8.0 (2020-10-15)
Implemented enhancements:
- add SuSE support #328 (schurzi)
- update readme to new layout for vars #326 (rndmh3ro)
- fix linter errors #322 (schurzi)
Fixed bugs:
- Fix PasswordAuthentication for sftponly #327 (danmichaelo)
9.7.0 (2020-08-16)
Implemented enhancements:
Fixed bugs:
- MOTD Enabled prints MOTD twice on Ubuntu #319
Merged pull requests:
9.6.0 (2020-07-28)
Implemented enhancements:
Fixed bugs:
Closed issues:
- Make SSH banner path configurable #315
9.5.0 (2020-07-27)
Implemented enhancements:
Fixed bugs:
- network_ipv6_enable: true not working #311
Closed issues:
- RHEL/CentOS 8 requires removal or editing of /etc/crypto-policies/back-ends/openssh*.config #275
Merged pull requests:
9.4.0 (2020-07-21)
Implemented enhancements:
- Add CentOS 8 support for ansible-ssh-hardening #247
- adding specific things for IPv6 support #312 (altf4arnold)
- add support for CentOS8 #309 (schurzi)
- README: New section on server port and idempotency #307 (nununo)
Fixed bugs:
- CBC Ciphers should be disabled by default. #308
Closed issues:
- Idempotency when changing sshd ports #299
- Simplify crypto.yml checks with blocks #256
- Possibility for customising host key algorithms? #243
9.3.0 (2020-07-09)
Implemented enhancements:
- Add support for X11 configuration #297
- add blocks to crypto.yml checks #305 (schurzi)
- fix typo in hardening.yml #304 (schurzi)
- allow customization of X11Forwarding #300 (divialth)
Fixed bugs:
Closed issues:
9.2.0 (2020-06-25)
Implemented enhancements:
- Add RHEL 8 Support #261
- Add option to create 'LocalPort' match blocks #295 (aisbergg)
- Add archlinux support #291 (djesionek)
- Harmonize style #290 (aisbergg)
Merged pull requests:
9.1.1 (2020-06-06)
Implemented enhancements:
Fixed bugs:
- AllowTCPForwarding set to no although I have ssh_allow_tcp_forwarding: yes #286
- ssh_allow_tcp_forwarding: use quotes for values #288 (jeanmonet)
9.1.0 (2020-06-02)
Implemented enhancements:
- allow customization of login gracetime and max sessions #287 (chris-rock)
9.0.0 (2020-05-18)
Breaking changes:
Fixed bugs:
- Disable Ubuntu dynamic login MOTD #271
Closed issues:
- Ubuntu disable dynamic MOTD failing #283
8.1.0 (2020-05-09)
Implemented enhancements:
- add changelog and release workflow #282 (rndmh3ro)
- fix: Ansible part of Fedora build #281 (kostasns)
- Add changelog action #280 (rndmh3ro)
- fix: Amazon linux build #279 (kostasns)
- feat: Allow to set custom list of HostKeyAlgorithms #278 (kostasns)
- fix(ansible_facts): replace few remaining facts from 'ansible_' to using 'ansible_facts' dictionary #277 (kostasns)
8.0.0 (2020-04-21)
Implemented enhancements:
- Remove dependency on bash #265
- Possibility to use other value than yes/no for AllowTCPforwarding #255
- Add support for Debian Buster in ansible-ssh-hardening #248
- Some options not configurable via the role #239
- PermitUserEnvironment should not be conflated with AcceptEnv #232
- Disable also dynamic MOTD via PAM if enabled - refs #271 #273 (ancoron)
- Use sha2 HMACs on RHEL 6 / CentOS 6. #270 (foonix)
- Removing 2fa #269 (dennisse)
- Renaming Ansible variables discovered from systems #268 (PovilasGT)
- Do not use bash to get ssh version #266 (kljensen)
- Add 'all', 'local', 'yes', 'no' options support for AllowTcpForwarding variable #257 (brnck)
- Support KEX for OpenSSH 8.0+ & quantum resistant KEX #254 (lunarthegrey)
- SFTP: set default umask to 0027 #252 (Slamdunk)
- Separate PermitUserEnvironment from AcceptEnv #251 (szEvEz)
- Feature: Debian 10 (Buster) support #249 (jaredledvina)
- fix broken packages, extend README with further development instructions #246 (szEvEz)
- refactor authenticationmethod settings, allow user to set authenticat… #245 (szEvEz)
- RHEL/OL/CentOS 8 support #242 (Furragen)
- Added ssh_syslog_facility, ssh_log_level and ssh_strict_modes parameters #240 (bschonec)
Fixed bugs:
- HostKey comment "# Req 20" breaks key based auth #262
- SSH fails to start/connect if custom server ports is set on CentOS 7.6 #212
- Google 2fa authentication problem #170
- vars: remove empty main.yml file #274 (paulfantom)
- Only manage moduli when hardening server #267 (jbronn)
- Remove comment from sshd config HostKey param #263 (abtreece)
7.0.0 (2019-09-15)
Implemented enhancements:
Fixed bugs:
- Unable to connect after applying the role (Ubuntu 18.04, AWS EC2) #229
Closed issues:
- Can't connect to new instance created from hardened image #189
Merged pull requests:
- changed string comparison to version comparison #234 (gobind-singh)
6.2.0 (2019-08-05)
Implemented enhancements:
- added support for ssh_server_match_address #230 #231 (MatthiasLohr)
6.1.3 (2019-06-09)
Implemented enhancements:
- Fix squash_actions deprecation in test playbooks #228 (Normo)
- Fix deprecation warnings in Ansible 2.8 #227 (Normo)
- Make ansible-lint happy #204 (alexclear)
Fixed bugs:
- deprecation warnings in Ansible 2.8 #226
6.1.2 (2019-05-17)
Fixed bugs:
- sshd_custom_options used in ssh_config generation #224
Merged pull requests:
6.1.1 (2019-05-07)
Fixed bugs:
- Missing indent for ChrootDirectory in Match Group sftponly #221
Merged pull requests:
6.1.0 (2019-05-04)
Implemented enhancements:
- PermitRootLogin yes #190
- 'Match Group' in configuration but 'user' not in connection test specification #188
- Allow custom values #175
- use selinux fact to check if selinux is used #220 (rndmh3ro)
- Remove eol os and add fedora #218 (rndmh3ro)
- document and move custom variables #217 (rndmh3ro)
- fix: allow other ssh ports using selinux #214 (guilieb)
- Fix ssh and sshd config files to satisfy inspec reqs on all Testkitchen setups #203 (alexclear)
- enable ssh 7.7p1 support #202 (rndmh3ro)
Fixed bugs:
- Using more than one rule in a Group or User Match block? #207
- fix multiple match rules not working #207 #208 (rndmh3ro)
6.0.0 (2018-11-18)
Implemented enhancements:
- Ubuntu 18.04 support #182
- Removed DEPRECATION WARNING for apt, using list instead of with_items #201 (jonaswre)
- Update opensshd.conf.js #196 (ikr0m)
Fixed bugs:
- GSSAPI support broken. Can't be enabled. #192
- Unsupported option "rhostsrsaauthentication" "rsaauthentication" #184
- Weak kex are controlled by wrong variable ? #174
- Can't connect to server by SSH after applying this role #115
Closed issues:
Merged pull requests:
- Support for custom configuration #199 (MatthiasLohr)
- parameterize PermitRootLogin #195 (rndmh3ro)
- set 'GSSAPIAuthentication yes' if variable 'ssh_gssapi_support' is set to 'true' #194 (szEvEz)
- Use ansible version compare module #187 (BentoumiTech)
- add ubuntu 18.04 support #186 (rndmh3ro)
5.0.0 (2018-09-16)
Implemented enhancements:
- Fixing the broken Ansible dependency mechanism #176
- Include new baseline-tests #161
- GlobalKnownHostsFile missing from ssh_config #155
- Options not compatible with OpenSSH server 7.6 #151
- Kitchen travis #180 (rndmh3ro)
- update config of kex, macs, ciphers #179 (rndmh3ro)
- add debian 9 and a comment #178 (rndmh3ro)
- Dependency flag #177 (jcheroske)
- Travis #173 (rndmh3ro)
- OpenBSD Support #171 (jbronn)
- Implement disabling chroot for sftp #166 (towo)
- New tests #163 (rndmh3ro)
- yaml-lint update, refactor tasks #162 (rndmh3ro)
- Handle a few deprecated OpenSSH options #160 (ageis)
- Added support for TrustedUserCAKeys and AuthorizedPrincipalsFile. #157 (gdelafond)
- Adds sshd config for keyboard-interactive pam device #156 (rcII)
- Use package state 'present' since 'installed' is deprecated #154 (Normo)
- conform to current dev-sec/ssh-baseline #150 (alval5280)
- new parameter: ssh_max_startups #149 (aeschbacher)
- Update syntax to 2.4 #148 (thomasjpfan)
- Amazonlinux-Testing #147 (rndmh3ro)
- Fixed trailing whitespace #146 (zbrojny120)
- Add support for Amazon Linux #145 (woneill)
Fixed bugs:
- ssh_server_weak_kex variable is not used any where #167
- opensshd.conf.j2 template type error #159
- line 56: Bad SSH2 mac spec #135
Closed issues:
- Travis & Debian 9 "Stretch" #158
Merged pull requests:
4.4.0 (2017-12-29)
Implemented enhancements:
- Changes in selinux section to avoid confusion and some inconsistencies #127
- Issue #137: Fix sshd_config's "Match Group sftponly" #138 (kekumu)
- allow configuration of GatewayPorts #136 (pwyliu)
- Added support for AuthorizedKeysFile config setting #132 (hyrsky)
- corrected comments explaining the task's behaviour #131 (martinbydefault)
- Feature/2fa auth #123 (lazzurs)
Fixed bugs:
- ssh_use_dns used twice in defaults/main.yml #129
Closed issues:
- coreos support? #142
- UseLogin is deprecated on CentOS 7 #140
- sftp Match Group settings overriding global sshd_config settings #137
- get openssh-version fails on FreeBSD with ansible 2.4.0.0 #133
Merged pull requests:
- Remove deprecated UseLogin option #141 (syhe)
- Macs kex ciphers #139 (rndmh3ro)
- force /bin/sh when getting openssh-version #134 (gtz42)
4.3.1 (2017-08-14)
Implemented enhancements:
- Remove duplicate ssh_use_dns #130 (MagnusEnger)
Fixed bugs:
- System completely unresponsive after role execution #126
Closed issues:
- role creates duplicate parameter/values after run #124
4.3.0 (2017-08-03)
Implemented enhancements:
- Fix ansible.cfg settings #122 (fazlearefin)
- Finish 94 #116 (rndmh3ro)
Merged pull requests:
- Don't overwrite ssh_host_key_files if set manually #125 (oakey-b1)
- Add comment filter to {{ansible_managed}} string #121 (fazlearefin)
4.2.0 (2017-06-30)
4.1.3 (2017-06-30)
Implemented enhancements:
- Add support to specify a list of revoked public keys #120 (bachp)
- use package instead of yum so the operation works on Fedora #119 (stenwt)
Fixed bugs:
- fails in --check mode #111
Merged pull requests:
4.1.2 (2017-05-31)
Implemented enhancements:
Fixed bugs:
- User login failed after running this module #114
Closed issues:
- Update readme to include baselines #110
4.1.1 (2017-05-18)
Implemented enhancements:
4.1.0 (2017-05-09)
Implemented enhancements:
- Provide option to allow password server login #106
- Deprecation warning always_run #82
- Added support for UseDNS config switch #109 (ftaeger)
- Added support for UseDNS config switch #108 (ftaeger)
Fixed bugs:
- create ssh_config and set permissions to root/644 step repeated #104
Merged pull requests:
- Added support for PermitTunnel config switch #112 (fti7)
- Adds option to enable password based authentication on the server #107 (colin-nolan)
4.0.0 (2017-04-22)
Implemented enhancements:
- Avoid small primes for DH and allow rebuild of DH primes #89
- Accommodate missing plugins in kitchen_vagrant_block.rb #100 (fullyint)
- Use different Hostkeys according to installed ssh version #99 (rndmh3ro)
- Remove small dh primes #97 (rndmh3ro)
- Add Ed25519 SSH host key to match commit 28b4df3 in ssh-baseline #96 (techraf)
- Add support for FreeBSD OpenSSH server and client #95 (jbenden)
- Replace deprecated always_run with check_mode #93 (jbenden)
- Defaults: Remove DSA from SSH host keys to match ssh-baseline profile #92 (techraf)
- use new docker images #91 (rndmh3ro)
- use centos 7 in vagrant, limit ssh conns #88 (rndmh3ro)
- remove support for ansible 1.9 #87 (rndmh3ro)
- make ChallengeResponseAuthentication configurable #85 (rndmh3ro)
- List only one Port in ssh config #84 (fullyint)
- Fix ssh config to handle custom options per Host #83 (fullyint)
Fixed bugs:
- SELinux-specific task still runs on SELinux-disabled systems #74
Closed issues:
Merged pull requests:
- remove duplicate section #105 (rndmh3ro)
- Fix ssh_server_ports and ssh_client_ports documentation bug #80 (kivilahtio)
3.2.0 (2016-10-24)
Implemented enhancements:
- CentOS 7 selinux dependencies #76
- install selinux dependencies, check for already installed semodule #79 (rndmh3ro)
- Parameterise Banner and DebianBanner as defaults #77 (tsenart)
Fixed bugs:
- Some tasks are always run even if they are not needed #78
- Selinux issue #75
- Running the tests locally #61
Closed issues:
- Applied-Crypto-Hardening project and new cyphers. #28
3.1.0 (2016-08-03)
Implemented enhancements:
- use new ciphers, kex, macs and privilege separation for redhat family 7 or later #72
3.1 (2016-08-03)
Implemented enhancements:
- Add Xenial / Ubuntu 16.04 LTS to meta/main.yml #63
- Use new ciphers, kex, macs and priv separation sandbox for redhat family 7 #73 (atomic111)
- add docker support #71 (rndmh3ro)
- add always_run: true to task. fix #64 #69 (rndmh3ro)
- Debian8 #68 (rndmh3ro)
- Fixed KexAlgorithms Conditional Statement #66 (cjsheets)
- Moves vars to defaults #60 (conorsch)
Fixed bugs:
- semodule ssh_password error on AWS Centos 7 #64
Closed issues:
- ssh_server_ports a bit misleading in the vars section? #62
- sftp_enabled: false will break Ansible's template module #55
- Move cipher/kex/mac vars to defaults #53
Merged pull requests:
3.0.0 (2016-03-13)
Implemented enhancements:
- Added sftp_enabled, sftp_chroot_dir, and ssh_client_roaming from the … #57 (ghost)
- add test support for ansible 1.9 and 2.0 #56 (rndmh3ro)
- update platforms in meta-file #52 (rndmh3ro)
- add webhook for ansible galaxy #51 (rndmh3ro)
- Disable experimental client roaming. #49 (rndmh3ro)
- use inspec as test framework #48 (chris-rock)
- Change categories to tags for upcoming ansible 2.0 #47 (rndmh3ro)
- add changelog generator #46 (chris-rock)
Closed issues:
Merged pull requests:
2.0.0 (2015-11-28)
Closed issues:
- Fix directory structure. #43
Merged pull requests:
- New dir layout. Fix #43 #44 (rndmh3ro)
- Add var to travis job #42 (rndmh3ro)
- sftp_enable option #41 (fitz123)
1.2.1 (2015-10-16)
Merged pull requests:
1.2.0 (2015-09-28)
1.2 (2015-09-28)
Merged pull requests:
- bugfix. Now option true for PrintLastLog is available again #39 (fitz123)
- Add more travis-tests #38 (rndmh3ro)
- Support for selinux and pam. fix #23 #35 (rndmh3ro)
1.1.0 (2015-09-01)
1.1 (2015-09-01)
Closed issues:
- ssh_ports - individual client/server config #33
- UsePAM should probably default to yes on Red Hat Linux 7 #23
Merged pull requests:
- Change variable for hmac from server to client #37 (rndmh3ro)
- Update kitchen-ansible, remove separate debian install #36 (rndmh3ro)
- Separate ssh client and server ports. Fix #33 #34 (rndmh3ro)
- update common kitchen.yml platforms (ansible), kitchen_debian.yml platforms (ansible) #32 (chris-rock)
- Make MaxAuthTries configurable #31 (rndmh3ro)
- Change oneliner if-statements to be more readable #30 (rndmh3ro)
- Make ssh client password login configurable. #29 (ypid)
- Fix join-filter, jinja-cases, indentation #27 (rndmh3ro)
- Short role review. Fixed role when ssh_client_weak_kex == true. #26 (ypid)
- Make it configurable to only harden ssh client/server or both (default). #25 (ypid)
- Separate system-vars from editable vars #24 (rndmh3ro)
- Add correct CONTRIB-file #22 (rndmh3ro)
- Add Ansible Galaxy badge #21 (rndmh3ro)
- fix configuration of playbook path #20 (chris-rock)
- Debian install script #19 (rndmh3ro)
1.0.0 (2015-04-30)
Implemented enhancements:
Closed issues:
Merged pull requests:
- add self as author #18 (chris-rock)
- add badges #17 (chris-rock)
- fix meta.yml #16 (chris-rock)
- add more information to changelog #15 (chris-rock)
- Add meta-information for Ansible Galaxy #14 (rndmh3ro)
- Update CHANGELOG.md #13 (rndmh3ro)
- Add handler to restart ssh only if necessary. Fix #6 #11 (rndmh3ro)
- add more descriptions #10 (chris-rock)
- add travis config for ansible #9 (chris-rock)
- update .kitchen.yml to find playbook role in tests #8 (chris-rock)
- Oracle support #5 (rndmh3ro)
- Remove custom Vagrantfile-reference. Fix #2 #4 (rndmh3ro)
- Remove custom Vagrantfile-reference. Fix #2 #3 (rndmh3ro)
- Fix missing gem #1 (chris-rock)
* This Changelog was automatically generated by github_changelog_generator