This repository was archived by the owner on Dec 26, 2020. It is now read-only.
Ansible-ssh-hardening 5.0.0
5.0.0 (2018-09-16)
Breaking Changes
Removed the following variables:
Name | Default Value | Description |
---|---|---|
`ssh_client_cbc_required` | `false` | `true` if CBC ciphers are required. This is usually only necessary if older M2M mechanisms that have none of the configured secure ciphers enabled need to communicate with SSH. CBC is a weak alternative; anything weaker should be avoided and is therefore not available. |
`ssh_server_cbc_required` | `false` | `true` if CBC ciphers are required. This is usually only necessary if older M2M mechanisms that have none of the configured secure ciphers enabled need to communicate with SSH. CBC is a weak alternative; anything weaker should be avoided and is therefore not available. |
`ssh_client_weak_hmac` | `false` | `true` if weaker HMAC mechanisms are required. This is usually only necessary if older M2M mechanisms that have none of the configured secure HMACs enabled need to communicate with SSH. |
`ssh_server_weak_hmac` | `false` | `true` if weaker HMAC mechanisms are required. This is usually only necessary if older M2M mechanisms that have none of the configured secure HMACs enabled need to communicate with SSH. |
`ssh_client_weak_kex` | `false` | `true` if weaker key-exchange (KEX) mechanisms are required. This is usually only necessary if older M2M mechanisms that have none of the configured secure KEXs enabled need to communicate with SSH. |
`ssh_server_weak_kex` | `false` | `true` if weaker key-exchange (KEX) mechanisms are required. This is usually only necessary if older M2M mechanisms that have none of the configured secure KEXs enabled need to communicate with SSH. |
And replaced them with:
Name | Default Value | Description |
---|---|---|
`ssh_macs` | `[]` | Change this list to override the MACs. Defaults are found in `defaults/main.yml`. |
`ssh_kex` | `[]` | Change this list to override the KEXs. Defaults are found in `defaults/main.yml`. |
`ssh_ciphers` | `[]` | Change this list to override the ciphers. Defaults are found in `defaults/main.yml`. |
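A minimal migration of a vars file from the removed boolean switches to the 5.0.0 list variables, as an added example that is not part of the release notes or of the role itself. The variable names come from the table above; the algorithm names are illustrative OpenSSH algorithm identifiers chosen here, not the role's defaults (those live in `defaults/main.yml`), and the comment on how an empty list behaves is read off the `[]` default in the table.

```yaml
# group_vars/all.yml  (added example, not from the ansible-ssh-hardening role)
#
# 4.x style, removed in 5.0.0. These keys are no longer read by the role,
# so leaving them in a vars file silently does nothing:
#   ssh_server_cbc_required: false
#   ssh_server_weak_hmac: false
#   ssh_server_weak_kex: false
#
# 5.0.0 style: pass the role explicit algorithm lists. The table gives [] as
# the default, i.e. the role's own defaults/main.yml lists apply when a list
# is left empty; a non-empty list replaces those defaults wholesale.
ssh_ciphers:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr

ssh_macs:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com

ssh_kex:
  - curve25519-sha256@libssh.org
  - diffie-hellman-group16-sha512
```

Because a non-empty list replaces the defaults rather than extending them, nothing outside the list is offered to peers. A legacy M2M peer that previously relied on one of the removed `*_cbc_required` or `*_weak_*` switches would now need its algorithm named explicitly in the relevant list, which keeps the exception visible and reviewable in version control instead of hidden behind a boolean.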
Implemented enhancements:
- Fixing the broken Ansible dependency mechanism #176
- Include new baseline-tests #161
- GlobalKnownHostsFile missing from ssh_config #155
- Options not compatible with OpenSSH server 7.6 #151
- Kitchen travis #180 (rndmh3ro)
- update config of kex, macs, ciphers #179 (rndmh3ro)
- add debian 9 and a comment #178 (rndmh3ro)
- Dependency flag #177 (jcheroske)
- Travis #173 (rndmh3ro)
- OpenBSD Support #171 (jbronn)
- Implement disabling chroot for sftp #166 (towo)
- New tests #163 (rndmh3ro)
- yaml-lint update, refactor tasks #162 (rndmh3ro)
- Handle a few deprecated OpenSSH options #160 (ageis)
- Added support for TrustedUserCAKeys and AuthorizedPrincipalsFile. #157 (gdelafond)
- Adds sshd config for keyboard-interactive pam device #156 (rcII)
- Use package state 'present' since 'installed' is deprecated #154 (Normo)
- conform to current dev-sec/ssh-baseline #150 (alval5280)
- new parameter: ssh_max_startups #149 (aeschbacher)
- Update syntax to 2.4 #148 (thomasjpfan)
- Amazonlinux-Testing #147 (rndmh3ro)
- Fixed trailing whitespace #146 (zbrojny120)
- Add support for Amazon Linux #145 (woneill)
Fixed bugs:
- ssh_server_weak_kex variable is not used any where #167
- opensshd.conf.j2 template type error #159
- line 56: Bad SSH2 mac spec #135
Closed issues:
- Travis & Debian 9 "Stretch" #158
Merged pull requests: