This repository has been archived by the owner on Dec 26, 2020. It is now read-only.
Releases: dev-sec/ansible-ssh-hardening
ansible-ssh-hardening 4.3.1
4.3.1 (2017-08-14)
Implemented enhancements:
- Remove duplicate ssh_use_dns #130 (MagnusEnger)
Fixed bugs:
- ssh_use_dns used twice in defaults/main.yml #129
ansible-ssh-hardening 4.3.0
4.3.0 (2017-08-03)
Implemented enhancements:
- Fix ansible.cfg settings #122 (fazlearefin)
- Finish 94 #116 (rndmh3ro)
This new version introduces many new variables! See the following list for details:
| Name | Default Value | Description |
|---|---|---|
| ssh_banner | false | true to print a banner on login |
| ssh_client_hardening | true | false to stop hardening the client |
| ssh_client_port | '22' | Specifies the port number to connect to on the remote host. |
| ssh_compression | false | Specifies whether compression is enabled after the user has authenticated successfully. |
| ssh_max_auth_retries | 2 | Specifies the maximum number of authentication attempts permitted per connection. |
| ssh_print_debian_banner | false | true to print the Debian-specific banner |
| ssh_server_enabled | true | false to disable the OpenSSH server |
| ssh_server_hardening | true | false to stop hardening the server |
| ssh_server_match_group | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
| ssh_server_match_user | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
| ssh_server_permit_environment_vars | false | true to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd |
| ssh_use_dns | false | Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. |
Merged pull requests:
- Don't overwrite ssh_host_key_files if set manually #125 (oakey-b1)
- Add comment filter to {{ansible_managed}} string #121 (fazlearefin)
ansible-ssh-hardening 4.2.0
Ansible-ssh-hardening 4.1.2
Ansible-ssh-hardening 4.1.1
ansible-ssh-hardening 4.1.0
4.1.0 (2017-05-09)
Implemented enhancements:
- Provide option to allow password server login #106
- Deprecation warning always_run #82
- Added support for UseDNS config switch #109 #108 (ftaeger)
Fixed bugs:
- create ssh_config and set permissions to root/644 step repeated #104
Merged pull requests:
- Added support for PermitTunnel config switch #112 (fti7)
- Adds option to enable password based authentication on the server #107 (colin-nolan)
ansible-ssh-hardening 4.0.0
4.0.0 (2017-04-22)
Breaking Changes:
- remove support for ansible 1.9 #87 (rndmh3ro)
  - Ansible 1.9 is not supported anymore
- Change the ssh_client_ports list variable into a simple non-list variable named ssh_client_port. #84 (fullyint)
  - Before:

    ```
    {% for port in ssh_client_ports -%}
    Port {{port}}
    {% endfor %}
    ```

  - After:

    ```
    Port {{ ssh_client_port }}
    ```

- Fix ssh config to handle custom options per Host #83 (fullyint)
  - Before:

    ```yaml
    # one or more hosts, to which ssh-client can connect to. Default is empty, but should be configured for security reasons!
    ssh_remote_hosts: []
    # ssh
    ```

  - After:

    ```yaml
    # Hosts with custom options.
    # ssh
    # Example:
    # ssh_remote_hosts:
    #   - names: ['example.com', 'example2.com']
    #     options: ['Port 2222', 'ForwardAgent yes']
    #   - names: ['example3.com']
    #     options: ['StrictHostKeyChecking no']
    ssh_remote_hosts: []
    ```
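To make the two 4.0.0 breaking changes concrete (a single `ssh_client_port` instead of a looped list, and `ssh_remote_hosts` entries carrying `names` and `options`), here is an added example that is not the role's own Jinja2 template: a plain-Python stand-in that renders a client `ssh_config` from those variables and flags per-host options that loosen the hardened defaults. The function names, the exact output layout and the `WEAKENING_OPTIONS` list are assumptions made for this example; the variable names and the sample hosts come from the changelog above.

```python
"""Render an ssh client config from the 4.0.0-style role variables.

Added example, not the ansible-ssh-hardening template: a minimal stand-in
for the role's Jinja2 rendering, in plain Python so it runs without Ansible
or jinja2. Output layout and helper names are assumptions; the variable
names (ssh_client_port, ssh_remote_hosts, names, options) are the role's.
"""
from typing import Dict, List

# Client directives whose listed values weaken the hardened defaults.
# Keys are lower-cased keywords; the table is illustrative, not the role's.
WEAKENING_OPTIONS = {
    "stricthostkeychecking": {"no"},
    "forwardagent": {"yes"},
    "userknownhostsfile": {"/dev/null"},
}


def render_client_config(ssh_client_port: str, ssh_remote_hosts: List[Dict]) -> str:
    """Build ssh_config text: one Host block per entry, then a 'Host *' fallback.

    The global block goes last because the ssh client keeps the first value
    it obtains for each keyword, so per-host settings must precede it.
    """
    lines = []
    for entry in ssh_remote_hosts:
        names = entry.get("names", [])
        if not names:
            raise ValueError("each ssh_remote_hosts entry needs a non-empty 'names' list")
        lines.append("Host " + " ".join(names))
        for option in entry.get("options", []):
            lines.append("    " + option)
        lines.append("")
    # After #84 the port is a single scalar, not a list to loop over.
    lines.append("Host *")
    lines.append(f"    Port {ssh_client_port}")
    return "\n".join(lines) + "\n"


def weakening_options(ssh_remote_hosts: List[Dict]) -> List[str]:
    """Return 'hosts: option' strings for per-host options in WEAKENING_OPTIONS."""
    findings = []
    for entry in ssh_remote_hosts:
        hosts = " ".join(entry.get("names", []))
        for option in entry.get("options", []):
            parts = option.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts[0].lower(), parts[1].strip().lower()
            if value in WEAKENING_OPTIONS.get(key, set()):
                findings.append(f"{hosts}: {option}")
    return findings


# Constructed sample mirroring the changelog's "After" structure.
SAMPLE_REMOTE_HOSTS = [
    {"names": ["example.com", "example2.com"], "options": ["Port 2222", "ForwardAgent yes"]},
    {"names": ["example3.com"], "options": ["StrictHostKeyChecking no"]},
]

if __name__ == "__main__":
    print(render_client_config("22", SAMPLE_REMOTE_HOSTS))
    for finding in weakening_options(SAMPLE_REMOTE_HOSTS):
        print("weakening:", finding)
```

Running the block prints the rendered config followed by two findings, one for `ForwardAgent yes` and one for `StrictHostKeyChecking no`, which is the point of the lint: the new per-host `options` list can silently undo what the role hardens, so it is worth reviewing in the same change that introduces it.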
Implemented enhancements:
- Use different Hostkeys according to installed ssh version #99 (rndmh3ro)
- Remove small dh primes #97 (rndmh3ro)
- Add Ed25519 SSH host key to match ssh-baseline #96 (techraf)
- Add support for FreeBSD OpenSSH server and client #95 (jbenden)
- Defaults: Remove DSA from SSH host keys to match ssh-baseline profile #92 (techraf)
- make ChallengeResponseAuthentication configurable #85 (rndmh3ro)
Fixed bugs:
- SELinux-specific task still runs on SELinux-disabled systems #74
- List only one Port in ssh config #84 (fullyint)
- Fix ssh config to handle custom options per Host #83 (fullyint)
Merged pull requests:
- remove duplicate section #105 (rndmh3ro)
- Fix ssh_server_ports and ssh_client_ports documentation bug #80 (kivilahtio)
ansible-ssh-hardening 3.2.0
3.2.0 (2016-10-24)
Fixed bugs:
- Some tasks are always run even if they are not needed #78
- Selinux issue #75
- Running the tests locally #61
- SELinux-specific task still runs on SELinux-disabled systems #74
Closed issues:
- Applied-Crypto-Hardening project and new cyphers. #28
ansible-ssh-hardening 3.1.0
Implemented enhancements:
- Use new ciphers, kex, macs and priv separation sandbox for redhat family 7 #73 (atomic111)
- add docker support #71 (rndmh3ro)
- add always_run: true to task. fix #64 #69 (rndmh3ro)
- Debian8 #68 (rndmh3ro)
- Fixed KexAlgorithms Conditional Statement #66 (cjsheets)
- Moves vars to defaults #60 (conorsch)
Closed issues:
- semodule ssh_password error on AWS Centos 7 #64
- Add Xenial / Ubuntu 16.04 LTS to meta/main.yml #63
- ssh_server_ports a bit misleading in the vars section? #62
- sftp_enabled: false will break Ansible's template module #55
- Move cipher/kex/mac vars to defaults #53
ansible-ssh-hardening 3.0.0
Implemented enhancements:
- Added sftp_enabled, sftp_chroot_dir, and ssh_client_roaming from the … #57 (shirokatze)
- add test support for ansible 1.9 and 2.0 #56 (rndmh3ro)
- update platforms in meta-file #52 (rndmh3ro)
- add webhook for ansible galaxy #51 (rndmh3ro)
- Disable experimental client roaming. #49 (rndmh3ro)
- use inspec as test framework #48 (chris-rock)
- Change categories to tags for upcoming ansible 2.0 #47 (rndmh3ro)
- add changelog generator #46 (chris-rock)