Skip to content

Commit

Permalink
Merge pull request dev-sec#217 from dev-sec/move_custom
Browse files Browse the repository at this point in the history
document and move custom variables
  • Loading branch information
rndmh3ro authored Apr 29, 2019
2 parents 1726190 + 3d5ebcd commit 9d52797
Show file tree
Hide file tree
Showing 3 changed files with 53 additions and 29 deletions.
17 changes: 17 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,23 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_custom_options` | [] | Custom lines for SSH client configuration |
|`sshd_custom_options` | [] | Custom lines for SSH daemon configuration |

## Configuring settings not listed in role-variables

If you want to configure ssh options that are not listed above, you can use `ssh_custom_options` (for `/etc/ssh/ssh_config`) or `sshd_custom_options` (for `/etc/ssh/sshd_config`) to set them. These options will be set on the **beginning** of the file so you can override options further down in the file.

Example playbook:

```
- hosts: localhost
roles:
- dev-sec.ssh-hardening
vars:
ssh_custom_options:
- "Include /etc/ssh/ssh_config.d/*"
sshd_custom_options:
- "AcceptEnv LANG"
```

## Example Playbook

- hosts: localhost
Expand Down
14 changes: 9 additions & 5 deletions templates/openssh.conf.j2
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,15 @@

# This is the ssh client system-wide configuration file.
# See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
#

{% if sshd_custom_options -%}
# Custom configuration that overwrites default configuration
# ==========================================================
{% for line in sshd_custom_options %}
{{ line }}
{% endfor %}
{% endif %}

# Basic configuration
# ===================

Expand Down Expand Up @@ -115,7 +123,3 @@ Compression yes
# Disable experimental client roaming. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled.
UseRoaming {{ 'yes' if ssh_client_roaming else 'no' }}
{% endif %}

{% for line in ssh_custom_options %}
{{ line }}
{% endfor %}
51 changes: 27 additions & 24 deletions templates/opensshd.conf.j2
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,14 @@
# This is the ssh client system-wide configuration file.
# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.

{% if sshd_custom_options -%}
# Custom configuration that overwrites default configuration
# ==========================================================
{% for line in sshd_custom_options -%}
{{ line }}
{% endfor %}
{% endif %}

# Basic configuration
# ===================

Expand Down Expand Up @@ -143,15 +151,15 @@ DenyGroups {{ssh_deny_groups}}
AllowGroups {{ssh_allow_groups}}
{% endif %}

{% if ssh_authorized_keys_file %}
{% if ssh_authorized_keys_file -%}
AuthorizedKeysFile {{ ssh_authorized_keys_file }}
{% endif %}

{% if ssh_trusted_user_ca_keys_file %}
{% if ssh_trusted_user_ca_keys_file -%}
TrustedUserCAKeys {{ ssh_trusted_user_ca_keys_file }}
{% if ssh_authorized_principals_file %}
{% if ssh_authorized_principals_file -%}
AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }}
{% endif %}
{% endif %}
{% endif %}

# Network
Expand All @@ -175,13 +183,13 @@ AllowTcpForwarding {{ 'yes' if (ssh_allow_tcp_forwarding|bool) else 'no' }}
# no real advantage without denied shell access
AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }}

{% if ssh_gateway_ports|bool %}
{% if ssh_gateway_ports|bool -%}
# Port forwardings are forced to bind to the wildcard address
GatewayPorts yes
{% elif ssh_gateway_ports == 'clientspecified' %}
{% elif ssh_gateway_ports == 'clientspecified' -%}
# Clients allowed to specify which address to bind port forwardings to
GatewayPorts clientspecified
{% else %}
{% else -%}
# Do not allow remote port forwardings to bind to non-loopback addresses.
GatewayPorts no
{% endif %}
Expand All @@ -193,12 +201,12 @@ X11UseLocalhost yes
# User environment configuration
# ==============================

{% if ssh_server_permit_environment_vars %}
{% if ssh_server_permit_environment_vars -%}
PermitUserEnvironment yes
{% for item in ssh_server_permit_environment_vars %}
{% for item in ssh_server_permit_environment_vars -%}
AcceptEnv {{ item }}
{% endfor %}
{% else %}
{% else -%}
PermitUserEnvironment no
{% endif %}

Expand All @@ -217,18 +225,14 @@ PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }}

Banner {{ '/etc/ssh/banner.txt' if (ssh_banner|bool) else 'none' }}

{% if ansible_os_family == 'Debian' %}
{% if ansible_os_family == 'Debian' -%}
DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }}
{% endif %}

# Reject keys that are explicitly blacklisted
RevokedKeys /etc/ssh/revoked_keys

{% for line in sshd_custom_options %}
{{ line }}
{% endfor %}

{% if sftp_enabled %}
{% if sftp_enabled -%}
# SFTP matching configuration
# ===========================
# Configuration, in case SFTP is used
Expand All @@ -240,7 +244,7 @@ Subsystem sftp internal-sftp -l INFO -f LOCAL6
# These lines must appear at the *end* of sshd_config
Match Group sftponly
ForceCommand internal-sftp -l INFO -f LOCAL6
{% if sftp_chroot %}
{% if sftp_chroot -%}
ChrootDirectory {{ sftp_chroot_dir }}
{% endif %}
AllowTcpForwarding no
Expand All @@ -250,26 +254,25 @@ Match Group sftponly
X11Forwarding no
{% endif %}

{% if ssh_server_match_group %}
{% if ssh_server_match_group -%}
# Group matching configuration
# ============================

{% for item in ssh_server_match_group %}
{% for item in ssh_server_match_group -%}
Match Group {{ item.group }}
{% for rule in item.rules %}
{% for rule in item.rules -%}
{{ rule | indent(4) }}
{% endfor %}
{% endfor %}
{% endif %}


{% if ssh_server_match_user %}
{% if ssh_server_match_user -%}
# User matching configuration
# ===========================

{% for item in ssh_server_match_user %}
{% for item in ssh_server_match_user -%}
Match User {{ item.user }}
{% for rule in item.rules %}
{% for rule in item.rules -%}
{{ rule | indent(4) }}
{% endfor %}
{% endfor %}
Expand Down

0 comments on commit 9d52797

Please sign in to comment.