cmavr8/secure-ssh.yml

## secure-ssh.yml
---
# SSH server settings, in line with https://stribika.github.io/2015/01/04/secure-secure-shell.html
# Before using, change myhosts to your hosts' nickname and myuser to your username (two instances! make sure you replace both or you'll be locked out of ssh!)
- hosts: myhosts
  become: true
  remote_user: myuser
  tasks:
    # Key exchange, ciphers and MACs
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^KexAlgorithms' line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'

    - lineinfile: dest=/etc/ssh/sshd_config regexp='^Ciphers' line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

    # I have removed hmac-ripemd160 and hmac-ripemd160-etm@openssh.com from the following line, as Mozilla's SSH guidelines are stricter and avoid using them. Just to be on the safe side.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^MACs' line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'

    - name: Enable the most secure server auth algos and protocol version
      lineinfile: dest=/etc/ssh/sshd_config regexp='^Protocol 2' line='Protocol 2'
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^HostKey /etc/ssh/ssh_host_ed25519_key' line='HostKey /etc/ssh/ssh_host_ed25519_key'
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^HostKey /etc/ssh/ssh_host_rsa_key' line='HostKey /etc/ssh/ssh_host_rsa_key'

    - name: Disable bad ones
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key'
        state: absent
    - lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^HostKey /etc/ssh/ssh_host_dsa_key'
        state: absent
    - name: And remove the files
      file:
        dest: /etc/ssh/ssh_host_ecdsa_key.pub
        state: absent
    - file:
        dest: /etc/ssh/ssh_host_ecdsa_key
        state: absent
    - file:
        dest: /etc/ssh/ssh_host_dsa_key.pub
        state: absent
    - file:
        dest: /etc/ssh/ssh_host_dsa_key
        state: absent

    - name: Password based logins are disabled - only public key based logins are allowed.
      lineinfile: dest=/etc/ssh/sshd_config regexp='^#?AuthenticationMethods' line='AuthenticationMethods publickey'
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PasswordAuthentication' line='PasswordAuthentication no'
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^#?ChallengeResponseAuthentication' line='ChallengeResponseAuthentication no'
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PubkeyAuthentication' line='PubkeyAuthentication yes'

    # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^LogLevel' line='LogLevel VERBOSE'

    # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^Subsystem sftp' line='Subsystem sftp  /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO'

    # Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user
    # On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
    # Additionally, only tools such as systemd and auditd record the process session id.
    # On other OSes, the user session id is not necessarily recorded at all kernel-side.
    # Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^PermitRootLogin' line='PermitRootLogin No'

    # Use kernel sandbox mechanisms where possible in unprivileged processes
    # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^UsePrivilegeSeparation' line='UsePrivilegeSeparation sandbox'

    # Only allow specific users to login remotely (may be more suitable to change this to AllowGroups).
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^AllowUsers' line='AllowUsers myuser'


    # And some client-side, ssh_config modifications
    - name: Generic ssh client settings. Includes special settings for Github; it needs diffie-hellman-group-exchange-sha1 some of the time but not always.
      blockinfile:
        dest: /etc/ssh/ssh_config
        block: |
          Host *
              KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
              PasswordAuthentication no
              ChallengeResponseAuthentication no
              PubkeyAuthentication yes
              HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
              MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
              Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
              UseRoaming no

          Host github.com
              KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

    - debug:
        msg: "If needed, Generate client keys using the following command: ssh-keygen -t ed25519 -o -a 100 && ssh-keygen -t rsa -b 4096 -o -a 100"
	---
	# SSH server settings, in line with https://stribika.github.io/2015/01/04/secure-secure-shell.html
	# Before using, change myhosts to your hosts' nickname and myuser to your username (two instances! make sure you replace both or you'll be locked out of ssh!)
	- hosts: myhosts
	become: true
	remote_user: myuser
	tasks:
	# Key exchange, ciphers and MACs
	- lineinfile: dest=/etc/ssh/sshd_config regexp='^KexAlgorithms' line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'

	- lineinfile: dest=/etc/ssh/sshd_config regexp='^Ciphers' line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

	# I have removed hmac-ripemd160 and hmac-ripemd160-etm@openssh.com from the following line, as Mozilla's SSH guidelines are stricter and avoid using them. Just to be on the safe side.
	- lineinfile: dest=/etc/ssh/sshd_config regexp='^MACs' line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'

	- name: Enable the most secure server auth algos and protocol version
	lineinfile: dest=/etc/ssh/sshd_config regexp='^Protocol 2' line='Protocol 2'
	- lineinfile: dest=/etc/ssh/sshd_config regexp='^HostKey /etc/ssh/ssh_host_ed25519_key' line='HostKey /etc/ssh/ssh_host_ed25519_key'
	- lineinfile: dest=/etc/ssh/sshd_config regexp='^HostKey /etc/ssh/ssh_host_rsa_key' line='HostKey /etc/ssh/ssh_host_rsa_key'

	- name: Disable bad ones
	lineinfile:
	dest: /etc/ssh/sshd_config
	regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key'
	state: absent
	- lineinfile:
	dest: /etc/ssh/sshd_config
	regexp: '^HostKey /etc/ssh/ssh_host_dsa_key'
	state: absent
	- name: And remove the files
	file:
	dest: /etc/ssh/ssh_host_ecdsa_key.pub
	state: absent
	- file:
	dest: /etc/ssh/ssh_host_ecdsa_key
	state: absent
	- file:
	dest: /etc/ssh/ssh_host_dsa_key.pub
	state: absent
	- file:
	dest: /etc/ssh/ssh_host_dsa_key
	state: absent

	- name: Password based logins are disabled - only public key based logins are allowed.
	lineinfile: dest=/etc/ssh/sshd_config regexp='^#?AuthenticationMethods' line='AuthenticationMethods publickey'
	- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PasswordAuthentication' line='PasswordAuthentication no'
	- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?ChallengeResponseAuthentication' line='ChallengeResponseAuthentication no'
	- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PubkeyAuthentication' line='PubkeyAuthentication yes'

	# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
	- lineinfile: dest=/etc/ssh/sshd_config regexp='^LogLevel' line='LogLevel VERBOSE'

	# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
	- lineinfile: dest=/etc/ssh/sshd_config regexp='^Subsystem sftp' line='Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO'

	# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user
	# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
	# Additionally, only tools such as systemd and auditd record the process session id.
	# On other OSes, the user session id is not necessarily recorded at all kernel-side.
	# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
	- lineinfile: dest=/etc/ssh/sshd_config regexp='^PermitRootLogin' line='PermitRootLogin No'

	# Use kernel sandbox mechanisms where possible in unprivileged processes
	# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
	- lineinfile: dest=/etc/ssh/sshd_config regexp='^UsePrivilegeSeparation' line='UsePrivilegeSeparation sandbox'

	# Only allow specific users to login remotely (may be more suitable to change this to AllowGroups).
	- lineinfile: dest=/etc/ssh/sshd_config regexp='^AllowUsers' line='AllowUsers myuser'


	# And some client-side, ssh_config modifications
	- name: Generic ssh client settings. Includes special settings for Github; it needs diffie-hellman-group-exchange-sha1 some of the time but not always.
	blockinfile:
	dest: /etc/ssh/ssh_config
	block: \|
	Host *
	KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
	PasswordAuthentication no
	ChallengeResponseAuthentication no
	PubkeyAuthentication yes
	HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
	MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
	Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
	UseRoaming no

	Host github.com
	KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

	- debug:
	msg: "If needed, Generate client keys using the following command: ssh-keygen -t ed25519 -o -a 100 && ssh-keygen -t rsa -b 4096 -o -a 100"