This repository has been archived by the owner on Dec 26, 2020. It is now read-only.
Releases · dev-sec/ansible-ssh-hardening
ansible-ssh-hardening 8.0.0
8.0.0 (2020-04-21)
Breaking Changes:
- We removed configuring 2FA, as it does not belong in this role (#269)
- ssh_google_auth and ssh_pam_device are gone and replaced by sshd_authenticationmethods (#245)
- ssh_allow_tcp_forwarding is no longer a bool but a string, because it accepts values other than yes/no (#257)
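The three breaking changes above all show up as variables in the play that applies the role. The playbook below is an added example, not the project's own documentation; it assumes the role is installed under its Galaxy name `dev-sec.ssh-hardening`, that the inventory has a `bastion` group, and that `ssh_log_level` (added in #240) takes a string:

```yaml
# Added example: applying dev-sec/ansible-ssh-hardening >= 8.0.0 with the
# variables that were renamed or retyped in this release.
# Assumed: role installed as "dev-sec.ssh-hardening", inventory group "bastion".
- name: Harden SSH on bastion hosts
  hosts: bastion
  become: true
  vars:
    # Before 8.0.0 two booleans drove a separate 2FA setup:
    #   ssh_google_auth: true
    #   ssh_pam_device: true
    # Since 8.0.0 (#245, #269) the sshd AuthenticationMethods value is set directly.
    # OpenSSH syntax: a comma joins methods that must ALL succeed, in order;
    # a space separates alternative method lists.
    sshd_authenticationmethods: 'publickey'

    # Before 8.0.0 this was a bool (true/false). It is a string now because
    # #257 also accepts 'all' and 'local' in addition to 'yes'/'no'.
    # Keep the value quoted: an unquoted yes/no is a YAML 1.1 boolean and
    # would reach the template as True/False, which sshd does not accept.
    ssh_allow_tcp_forwarding: 'local'

    # Added in this release (#240). Assumed to be a plain string; VERBOSE makes
    # sshd log the fingerprint of the key that authenticated, which is what an
    # auth-log detection rule keys on.
    ssh_log_level: 'VERBOSE'
  roles:
    - dev-sec.ssh-hardening
```

After the run, confirm the effective server configuration on the target rather than trusting the rendered file: `sshd -T | grep -iE '^(allowtcpforwarding|authenticationmethods|loglevel) '` prints what sshd actually loaded, and `sshd -t` validates the file before a restart so a rejected value cannot lock you out.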
Implemented enhancements:
- Remove dependency on bash #265
- Possibility to use other value than yes/no for AllowTCPforwarding #255
- Add support for Debian Buster in ansible-ssh-hardening #248
- Some options not configurable via the role #239
- PermitUserEnvironment should not be conflated with AcceptEnv #232
- Disable also dynamic MOTD via PAM if enabled - refs #271 #273 (ancoron)
- Use sha2 HMACs on RHEL 6 / CentOS 6. #270 (foonix)
- Removing 2fa #269 (dennisse)
- Renaming Ansible variables discovered from systems #268 (PovilasGT)
- Do not use bash to get ssh version #266 (kljensen)
- Add 'all', 'local', 'yes', 'no' options support for AllowTcpForwarding variable #257 (brnck)
- Support KEX for OpenSSH 8.0+ & quantum resistant KEX #254 (lunarthegrey)
- SFTP: set default umask to 0027 #252 (Slamdunk)
- Separate PermitUserEnvironment from AcceptEnv #251 (szEvEz)
- Feature: Debian 10 (Buster) support #249 (jaredledvina)
- fix broken packages, extend README with further development instructions #246 (szEvEz)
- refactor authenticationmethod settings, allow user to set authenticat… #245 (szEvEz)
- RHEL/OL/CentOS 8 support #242 (Furragen)
- Added ssh_syslog_facility, ssh_log_level and ssh_strict_modes parameters #240 (bschonec)
- set UsePAM to yes by default #233 (rndmh3ro)
Fixed bugs:
- HostKey comment "# Req 20" breaks key based auth #262
- SSH fails to start/connect if custom server ports is set on CentOS 7.6 #212
- Google 2fa authentication problem #170
- vars: remove empty main.yml file #274 (paulfantom)
- Only manage moduli when hardening server #267 (jbronn)
- Remove comment from sshd config HostKey param #263 (abtreece)
ansible-ssh-hardening 7.0.0
7.0.0 (2019-09-17)
Fixed bugs:
- Unable to connect after applying the role (Ubuntu 18.04, AWS EC2) #229
Closed issues:
- Can't connect to new instance created from hardened image #189
Merged pull requests:
- changed string comparison to version comparison #234 (gobind-singh)
ansible-ssh-hardening 6.2.0
6.2.0 (2019-08-07)
Implemented enhancements:
- added support for ssh_server_match_address (#230) #231 (MatthiasLohr)
Closed issues:
- Add new option ssh_server_match_address #230
ansible-ssh-hardening 6.1.3
ansible-ssh-hardening 6.1.2
ansible-ssh-hardening 6.1.1
ansible-ssh-hardening 6.1.0
6.1.0 (2019-05-04)
Implemented enhancements:
- PermitRootLogin yes #190
- 'Match Group' in configuration but 'user' not in connection test specification #188
- Allow custom values #175
- use selinux fact to check if selinux is used #220 (rndmh3ro)
- Remove eol os and add fedora #218 (rndmh3ro)
- document and move custom variables #217 (rndmh3ro)
- fix: allow other ssh ports using selinux #214 (guilieb)
- Make ansible-lint happy #204 (alexclear)
- Fix ssh and sshd config files to satisfy inspec reqs on all Testkitchen setups #203 (alexclear)
- enable ssh 7.7p1 support #202 (rndmh3ro)
- Removed DEPRECATION WARNING for apt, using list instead of with_items #201 (jonaswre)
ansible-ssh-hardening 6.0.0
6.0.0 (2018-11-18)
Fixed bugs:
- GSSAPI support broken. Can't be enabled. #192
- Unsupported option "rhostsrsaauthentication" "rsaauthentication" #184
- Weak kex are controlled by wrong variable ? #174
- Can't connect to server by SSH after applying this role #115
ansible-ssh-hardening 5.0.0
5.0.0 (2018-09-16)
Breaking Changes:
Removed the following variables:
Name | Default Value | Description |
---|---|---|
ssh_client_cbc_required | false | true if CBC ciphers are required. This is usually only necessary if older M2M mechanisms that have none of the configured secure ciphers enabled need to communicate with SSH. CBC is a weak alternative. Anything weaker should be avoided and is thus not available. |
ssh_server_cbc_required | false | true if CBC ciphers are required. This is usually only necessary if older M2M mechanisms that have none of the configured secure ciphers enabled need to communicate with SSH. CBC is a weak alternative. Anything weaker should be avoided and is thus not available. |
ssh_client_weak_hmac | false | true if weaker HMAC mechanisms are required. This is usually only necessary if older M2M mechanisms that have none of the configured secure HMACs enabled need to communicate with SSH. |
ssh_server_weak_hmac | false | true if weaker HMAC mechanisms are required. This is usually only necessary if older M2M mechanisms that have none of the configured secure HMACs enabled need to communicate with SSH. |
ssh_client_weak_kex | false | true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary if older M2M mechanisms that have none of the configured secure KEXs enabled need to communicate with SSH. |
ssh_server_weak_kex | false | true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary if older M2M mechanisms that have none of the configured secure KEXs enabled need to communicate with SSH. |
And replaced them with:
Name | Default Value | Description |
---|---|---|
ssh_macs | [] | Change this list to overwrite the MACs. Defaults found in defaults/main.yml |
ssh_kex | [] | Change this list to overwrite the KEX algorithms. Defaults found in defaults/main.yml |
ssh_ciphers | [] | Change this list to overwrite the ciphers. Defaults found in defaults/main.yml |
Implemented enhancements:
- Fixing the broken Ansible dependency mechanism #176
- Include new baseline-tests #161
- GlobalKnownHostsFile missing from ssh_config #155
- Options not compatible with OpenSSH server 7.6 #151
- Kitchen travis #180 (rndmh3ro)
- update config of kex, macs, ciphers #179 (rndmh3ro)
- add debian 9 and a comment #178 (rndmh3ro)
- Dependency flag #177 (jcheroske)
- Travis #173 (rndmh3ro)
- OpenBSD Support #171 (jbronn)
- Implement disabling chroot for sftp #166 (towo)
- New tests #163 (rndmh3ro)
- yaml-lint update, refactor tasks #162 (rndmh3ro)
- Handle a few deprecated OpenSSH options #160 (ageis)
- Added support for TrustedUserCAKeys and AuthorizedPrincipalsFile. #157 (gdelafond)
- Adds sshd config for keyboard-interactive pam device #156 (rcII)
- Use package state 'present' since 'installed' is deprecated #154 (Normo)
- conform to current dev-sec/ssh-baseline #150 (alval5280)
- new parameter: ssh_max_startups #149 (aeschbacher)
- Update syntax to 2.4 #148 (thomasjpfan)
- Amazonlinux-Testing #147 (rndmh3ro)
- Fixed trailing whitespace #146 (zbrojny120)
- Add support for Amazon Linux #145 (woneill)
Fixed bugs:
- ssh_server_weak_kex variable is not used any where #167
- opensshd.conf.j2 template type error #159
- line 56: Bad SSH2 mac spec #135
Closed issues:
- Travis & Debian 9 "Stretch" #158
ansible-ssh-hardening 4.4.0
4.4.0 (2017-12-29)
Implemented enhancements:
- Changes in selinux section to avoid confusion and some inconsistencies #127
- Issue #137: Fix sshd_config's "Match Group sftponly" #138 (kekumu)
- allow configuration of GatewayPorts #136 (pwyliu)
- Added support for AuthorizedKeysFile config setting #132 (hyrsky)
- corrected comments explaining the task's behaviour #131 (martinbydefault)
- Add Two-Factor Authentication #123 (lazzurs)
Closed issues:
- coreos support? #142
- UseLogin is deprecated on CentOS 7 #140
- sftp Match Group settings overriding global sshd_config settings #137
- get openssh-version fails on FreeBSD (with ansible 2.4.0.0) #133