Secure SSH configuration ansible playbook

secure-ssh.yml

---
# SSH server settings, in line with https://stribika.github.io/2015/01/04/secure-secure-shell.html
# Before using, change myhosts to your hosts' nickname and myuser to your username (two instances! make sure you replace both or you'll be locked out of ssh!)
- hosts: myhosts
  become: true
  remote_user: myuser
  tasks:
    # Key exchange, ciphers and MACs
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^KexAlgorithms' line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
    
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^Ciphers' line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
        
    # I have removed hmac-ripemd160 and hmac-ripemd160-etm@openssh.com from the following line, as Mozilla's SSH guidelines are stricter and avoid using them. Just to be on the safe side.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^MACs' line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'

    - name: Enable the most secure server auth algos and protocol version
      lineinfile: dest=/etc/ssh/sshd_config regexp='^Protocol 2' line='Protocol 2' 
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^HostKey /etc/ssh/ssh_host_ed25519_key' line='HostKey /etc/ssh/ssh_host_ed25519_key'
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^HostKey /etc/ssh/ssh_host_rsa_key' line='HostKey /etc/ssh/ssh_host_rsa_key'   

    - name: Disable bad ones
      lineinfile: 
        dest: /etc/ssh/sshd_config 
        regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key' 
        state: absent
    - lineinfile: 
        dest: /etc/ssh/sshd_config 
        regexp: '^HostKey /etc/ssh/ssh_host_dsa_key'
        state: absent
    - name: And remove the files
      file:
        dest: /etc/ssh/ssh_host_ecdsa_key.pub
        state: absent
    - file:
        dest: /etc/ssh/ssh_host_ecdsa_key
        state: absent
    - file:
        dest: /etc/ssh/ssh_host_dsa_key.pub
        state: absent
    - file:
        dest: /etc/ssh/ssh_host_dsa_key
        state: absent
 
    - name: Password based logins are disabled - only public key based logins are allowed.
      lineinfile: dest=/etc/ssh/sshd_config regexp='^#?AuthenticationMethods' line='AuthenticationMethods publickey'
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PasswordAuthentication' line='PasswordAuthentication no'
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^#?ChallengeResponseAuthentication' line='ChallengeResponseAuthentication no'
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PubkeyAuthentication' line='PubkeyAuthentication yes'   
      
    # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^LogLevel' line='LogLevel VERBOSE'
 
    # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^Subsystem sftp' line='Subsystem sftp  /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO'
 
    # Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user
    # On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
    # Additionally, only tools such as systemd and auditd record the process session id.
    # On other OSes, the user session id is not necessarily recorded at all kernel-side.
    # Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^PermitRootLogin' line='PermitRootLogin No'
 
    # Use kernel sandbox mechanisms where possible in unprivileged processes
    # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^UsePrivilegeSeparation' line='UsePrivilegeSeparation sandbox'
    
    # Only allow specific users to login remotely (may be more suitable to change this to AllowGroups).
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^AllowUsers' line='AllowUsers myuser'


    # And some client-side, ssh_config modifications
    - name: Generic ssh client settings. Includes special settings for Github; it needs diffie-hellman-group-exchange-sha1 some of the time but not always.
      blockinfile:
        dest: /etc/ssh/ssh_config
        block: |
          Host *
              KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
              PasswordAuthentication no
              ChallengeResponseAuthentication no
              PubkeyAuthentication yes
              HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
              MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
              Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
              UseRoaming no

          Host github.com
              KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

    - debug:
        msg: "If needed, Generate client keys using the following command: ssh-keygen -t ed25519 -o -a 100 && ssh-keygen -t rsa -b 4096 -o -a 100"

This is a popular result on Google and it's VERY helpful.

I've updated the code to use modern Ansible syntax with some added functions:

• Restart the SSH service once if any of the options are modified
• Generate the Host Keys for ed25519 and RSA if they don't already exist (otherwise do nothing)
  
  cron410/ff726833d6c55683cf267a92ad5ef886