ansible-collection-hardening/roles/ssh_hardening/CHANGELOG.md
2020-11-08 10:20:25 +00:00

46 KiB

Changelog

9.8.0 (2020-10-15)

Full Changelog

Implemented enhancements:

Fixed bugs:

9.7.0 (2020-08-16)

Full Changelog

Implemented enhancements:

  • add separate option for controlling motd via pam #320 (schurzi)

Fixed bugs:

  • MOTD Enabled prints MOTD twice on Ubuntu #319

Merged pull requests:

9.6.0 (2020-07-28)

Full Changelog

Implemented enhancements:

Fixed bugs:

  • fix local kitchen tests #318 (schurzi)
  • fix sftp_umask; store as literal not octal #317 (aqw)

Closed issues:

  • Make SSH banner path configurable #315

9.5.0 (2020-07-27)

Full Changelog

Implemented enhancements:

Fixed bugs:

  • network_ipv6_enable: true not working #311

Closed issues:

  • RHEL/CentOS 8 requires removal or editing of /etc/crypto-policies/back-ends/openssh*.config #275

Merged pull requests:

9.4.0 (2020-07-21)

Full Changelog

Implemented enhancements:

  • Add CentOS 8 support for ansible-ssh-hardening #247
  • adding specific things for IPv6 support #312 (altf4arnold)
  • add support for CentOS8 #309 (schurzi)
  • README: New section on server port and idempotency #307 (nununo)

Fixed bugs:

  • CBC Ciphers should be disabled by default. #308

Closed issues:

  • Idempotency when changing sshd ports #299
  • Simplify crypto.yml checks with blocks #256
  • Possibility for customising host key algorithms? #243

9.3.0 (2020-07-09)

Full Changelog

Implemented enhancements:

Fixed bugs:

Closed issues:

  • Typo in hardening.yml #303
  • Task create sshd_config and set permissions fails #302

9.2.0 (2020-06-25)

Full Changelog

Implemented enhancements:

Merged pull requests:

9.1.1 (2020-06-06)

Full Changelog

Implemented enhancements:

Fixed bugs:

  • AllowTCPForwarding set to no although I have ssh\_allow\_tcp\_forwarding: yes #286
  • ssh\_allow\_tcp\_forwarding: use quotes for values #288 (jeanmonet)

9.1.0 (2020-06-02)

Full Changelog

Implemented enhancements:

  • allow customization of login gracetime and max sessins #287 (chris-rock)

9.0.0 (2020-05-18)

Full Changelog

Breaking changes:

  • make ssh client-side compression configurable #284 (aqw)

Fixed bugs:

  • Disable Ubuntu dynamic login MOTD #271

Closed issues:

  • Ubuntu disable dynamic MOTD failing #283

8.1.0 (2020-05-09)

Full Changelog

Implemented enhancements:

  • add changelog and release workflow #282 (rndmh3ro)
  • fix: Ansible part of Fedora build #281 (kostasns)
  • Add changelog action #280 (rndmh3ro)
  • fix: Amazon linux build #279 (kostasns)
  • feat: Allow to set custom list of HostKeyAlgorithms #278 (kostasns)
  • fix(ansible_facts): replace few remaining facts from 'ansible_' to using 'ansible_facts' dictionary #277 (kostasns)

8.0.0 (2020-04-21)

Full Changelog

Implemented enhancements:

  • Remove dependency on bash #265
  • Possibility to use other value than yes/no for AllowTCPforwarding #255
  • Add support for Debian Buster in ansible-ssh-hardening #248
  • Some options not configurable via the role #239
  • PermitUserEnvironment should not be conflated with AcceptEnv #232
  • Disable also dynamic MOTD via PAM if enabled - refs #271 #273 (ancoron)
  • Use sha2 HMACs on RHEL 6 / CentOS 6. #270 (foonix)
  • Removing 2fa #269 (dennisse)
  • Renaming Ansible variables discovered from systems #268 (PovilasGT)
  • Do not use bash to get ssh version #266 (kljensen)
  • Add 'all', 'local', 'yes', 'no' options support for AllowTcpForwarding variable #257 (brnck)
  • Support KEX for OpenSSH 8.0+ & quantum resistant KEX #254 (lunarthegrey)
  • SFTP: set default umask to 0027 #252 (Slamdunk)
  • Separate PermitUserEnviroment from AcceptEnv #251 (szEvEz)
  • Feature: Debian 10 Buster support #249 (jaredledvina)
  • fix broken packages, extend README with furhter development instructions #246 (szEvEz)
  • refactor authenticationmethod settings, allow user to set authenticat… #245 (szEvEz)
  • RHEL/OL/CentOS 8 support #242 (Furragen)
  • Added ssh_syslog_facility, ssh_log_level and ssh_strict_modes parameters #240 (bschonec)

Fixed bugs:

  • HostKey comment "# Req 20" breaks key based auth #262
  • SSH fails to start/connect if custom server ports is set on CentOS 7.6 #212
  • Google 2fa authentication problem #170
  • vars: remove empty main.yml file #274 (paulfantom)
  • Only manage moduli when hardening server #267 (jbronn)
  • Remove comment from sshd config HostKey param #263 (abtreece)

7.0.0 (2019-09-15)

Full Changelog

Implemented enhancements:

  • Add new option ssh_server_match_address #230
  • set UsePAM to yes by default #233 (rndmh3ro)

Fixed bugs:

  • Unable to connect after applying the role Ubuntu 18.04, AWS EC2 #229

Closed issues:

  • Can't connect to new instance created from hardened image #189

Merged pull requests:

6.2.0 (2019-08-05)

Full Changelog

Implemented enhancements:

6.1.3 (2019-06-09)

Full Changelog

Implemented enhancements:

  • Fix squash_actions deprecation in test playbooks #228 (Normo)
  • Fix deprecation warnings in Ansible 2.8 #227 (Normo)
  • Make ansible-lint happy #204 (alexclear)

Fixed bugs:

  • deprecation warnings in Ansible 2.8 #226

6.1.2 (2019-05-17)

Full Changelog

Fixed bugs:

  • sshd_custom_options used in ssh_config generation #224

Merged pull requests:

  • use correct variable ssh_custom_options in ssh_config template #225 (rndmh3ro)

6.1.1 (2019-05-07)

Full Changelog

Fixed bugs:

  • Missing indent for ChrootDirectory in Match Group sftponly #221

Merged pull requests:

6.1.0 (2019-05-04)

Full Changelog

Implemented enhancements:

  • PermitRootLogin yes #190
  • Match Group' in configuration but 'user' not in connection test specification #188
  • Allow custom values #175
  • use selinux fact to check if selinux is used #220 (rndmh3ro)
  • Remove eol os and add fedora #218 (rndmh3ro)
  • document and move custom variables #217 (rndmh3ro)
  • fix: allow other ssh ports using selinux #214 (guilieb)
  • Fix ssh and sshd config files to satisfy inspec reqs on all Testkitchen setups #203 (alexclear)
  • enable ssh 7.7p1 support #202 (rndmh3ro)

Fixed bugs:

  • Using more than one rule in a Group or User Match block? #207
  • fix multiple match rules not working #207 #208 (rndmh3ro)

6.0.0 (2018-11-18)

Full Changelog

Implemented enhancements:

  • Ubuntu 18.04 support #182
  • Removed DEPRECATION WARNING for apt, using list instead of with_items #201 (jonaswre)
  • Update opensshd.conf.js #196 (ikr0m)

Fixed bugs:

  • GSSAPI support broken. Can't be enabled. #192
  • Unsupported option "rhostsrsaauthentication" "rsaauthentication" #184
  • Weak kex are controlled by wrong variable ? #174
  • Can't connect to server by SSH after applying this role #115

Closed issues:

  • Support StreamLocalBindUnlink #197
  • Add molecule testing #183

Merged pull requests:

5.0.0 (2018-09-16)

Full Changelog

Implemented enhancements:

Fixed bugs:

  • ssh_server_weak_kex variable is not used any where #167
  • opensshd.conf.j2 template type error #159
  • line 56: Bad SSH2 mac spec #135

Closed issues:

  • Travis & Debian 9 "Stretch" #158

Merged pull requests:

  • remove oracle7 from travis tests for the time being #181 (rndmh3ro)

4.4.0 (2017-12-29)

Full Changelog

Implemented enhancements:

  • Changes in selinux section to avoid confusion and some inconsistencies #127
  • Issue #137: Fix sshd_config's "Match Group sftponly" #138 (kekumu)
  • allow configuration of GatewayPorts #136 (pwyliu)
  • Added support for AuthorizedKeysFile config setting #132 (hyrsky)
  • corrected comments explaining the task's behaviour #131 (martinbydefault)
  • Feature/2fa auth #123 (lazzurs)

Fixed bugs:

  • ssh_use_dns used twice in defaults/main.yml #129

Closed issues:

  • coreos support? #142
  • UseLogin is deprecated on CentOS 7 #140
  • sftp Match Group settings overriding global sshd_config settings #137
  • get openssh-version fails on FreeBSD with ansible 2.4.0.0 #133

Merged pull requests:

4.3.1 (2017-08-14)

Full Changelog

Implemented enhancements:

Fixed bugs:

  • System completely unresponsive after role execution #126

Closed issues:

  • role creates duplicate parameter/values after run #124

4.3.0 (2017-08-03)

Full Changelog

Implemented enhancements:

Merged pull requests:

  • Don't overwrite ssh_host_key_files if set manually #125 (oakey-b1)
  • Add comment filter to {{ansible_managed}} string #121 (fazlearefin)

4.2.0 (2017-06-30)

Full Changelog

4.1.3 (2017-06-30)

Full Changelog

Implemented enhancements:

  • Add support to specify a list of revoked public keys #120 (bachp)
  • use package instead of yum so the operation works on Fedora #119 (stenwt)

Fixed bugs:

  • fails in --check mode #111

Merged pull requests:

  • Do not use shell when not needed + Lint whitespaces #118 (krhubert)

4.1.2 (2017-05-31)

Full Changelog

Implemented enhancements:

  • added check_mode: no to "get openssh-version" task, so it won't fail … #117 (wschaft)

Fixed bugs:

  • User login failed after running this module #114

Closed issues:

  • Update readme to include baselines #110

4.1.1 (2017-05-18)

Full Changelog

Implemented enhancements:

4.1.0 (2017-05-09)

Full Changelog

Implemented enhancements:

  • Provide option to allow password server login #106
  • Deprecation warning always_run #82
  • Added support for UseDNS config switch #109 (ftaeger)
  • Added support for UseDNS config switch #108 (ftaeger)

Fixed bugs:

  • create ssh\_config and set permissions to root/644 step repeated #104

Merged pull requests:

  • Added support for PermitTunnel config switch #112 (fti7)
  • Adds option to enable password based authentication on the server #107 (colin-nolan)

4.0.0 (2017-04-22)

Full Changelog

Implemented enhancements:

  • Avoid small primes for DH and allow rebuild of DH primes #89
  • Accommodate missing plugins in kitchen_vagrant_block.rb #100 (fullyint)
  • Use different Hostkeys according to installed ssh version #99 (rndmh3ro)
  • Remove small dh primes #97 (rndmh3ro)
  • Add Ed25519 SSH host key to match commit 28b4df3 in ssh-baseline #96 (techraf)
  • Add support for FreeBSD OpenSSH server and client #95 (jbenden)
  • Replace deprecated always_run with check_mode #93 (jbenden)
  • Defaults: Remove DSA from SSH host keys to match ssh-baseline profile #92 (techraf)
  • use new docker images #91 (rndmh3ro)
  • use centos 7 in vagrant, limit ssh conns #88 (rndmh3ro)
  • remove support for ansible 1.9 #87 (rndmh3ro)
  • make ChallengeResponseAuthentication configurable #85 (rndmh3ro)
  • List only one Port in ssh config #84 (fullyint)
  • Fix ssh config to handle custom options per Host #83 (fullyint)

Fixed bugs:

  • SELinux-specific task still runs on SELinux-disabled systems #74

Closed issues:

  • Should compression be opt-in? #90
  • The role fails when conditionally included #86

Merged pull requests:

3.2.0 (2016-10-24)

Full Changelog

Implemented enhancements:

  • CentOS 7 selinux dependencies #76
  • install selinux dependencies, check for already installed semodule #79 (rndmh3ro)
  • Parameterise Banner and DebianBanner as defaults #77 (tsenart)

Fixed bugs:

  • Some tasks are always run even if they are not needed #78
  • Selinux issue #75
  • Running the tests locally #61

Closed issues:

  • Applied-Crypto-Hardening project and new cyphers. #28

3.1.0 (2016-08-03)

Full Changelog

Implemented enhancements:

  • use new ciphers, kex, macs and privilege separation for redhat family 7 or later #72

3.1 (2016-08-03)

Full Changelog

Implemented enhancements:

Fixed bugs:

  • semodule ssh_password error on AWS Centos 7 #64

Closed issues:

  • ssh\_server\_ports a bit misleading in the vars section? #62
  • sftp_enabled: false will break Ansible's template module #55
  • Move cipher/kex/mac vars to defaults #53

Merged pull requests:

3.0.0 (2016-03-13)

Full Changelog

Implemented enhancements:

Closed issues:

  • Install from ansible galaxy missing files tasks #50
  • should generate new ssh host key files #45

Merged pull requests:

2.0.0 (2015-11-28)

Full Changelog

Closed issues:

  • Fix directory structure. #43

Merged pull requests:

1.2.1 (2015-10-16)

Full Changelog

Merged pull requests:

1.2.0 (2015-09-28)

Full Changelog

1.2 (2015-09-28)

Full Changelog

Merged pull requests:

  • bugfix. Now option true for PrintLastLog is available again #39 (fitz123)
  • Add more travis-tests #38 (rndmh3ro)
  • Support for selinux and pam. fix #23 #35 (rndmh3ro)

1.1.0 (2015-09-01)

Full Changelog

1.1 (2015-09-01)

Full Changelog

Closed issues:

  • ssh_ports - individual client/server config #33
  • UsePAM should probably default to yes on Red Hat Linux 7 #23

Merged pull requests:

  • Change variable for hmac from server to client #37 (rndmh3ro)
  • Update kitchen-ansible, remove separate debian install #36 (rndmh3ro)
  • Separate ssh client and server ports. Fix #33 #34 (rndmh3ro)
  • update common kitchen.yml platforms ansible, kitchen_debian.yml platforms ansible #32 (chris-rock)
  • Make MaxAuthTries configurable #31 (rndmh3ro)
  • Change oneliner if-statements to be more readable #30 (rndmh3ro)
  • Make ssh client password login configurable. #29 (ypid)
  • Fix join-filter, jinja-cases, intendation #27 (rndmh3ro)
  • Short role review. Fixed role when ssh_client_weak_kex == true. #26 (ypid)
  • Make it configurable to only harden ssh client/server or both default. #25 (ypid)
  • Separate system-vars from editable vars #24 (rndmh3ro)
  • Add correct CONTRIB-file #22 (rndmh3ro)
  • Add Ansible Galaxy badge #21 (rndmh3ro)
  • fix configuration of playbook path #20 (chris-rock)
  • Debian install script #19 (rndmh3ro)

1.0.0 (2015-04-30)

Full Changelog

Implemented enhancements:

Closed issues:

  • add travis test for ubuntu 12.04 #7
  • Use handler for sshd restart #6
  • Running test-kitchen fails #2

Merged pull requests:

* This Changelog was automatically generated by github_changelog_generator