update..

2024-10-19 10:18:05 +02:00
parent 134eb18465
commit c771ba2095
6 changed files with 319 additions and 74 deletions
--- a/roles/common/templates/etc/ssh/sshd_config.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.j2
@ -10,11 +10,11 @@ Port {{ item }}
 {% endfor %}

 # Specifies the local addresses sshd(8) should listen on.  The following forms may be used:
-# 
+#
 #    ListenAddress host|IPv4_addr|IPv6_addr
 #    ListenAddress host|IPv4_addr:port
 #    ListenAddress [host|IPv6_addr]:port
-# 
+#
 # If port is not specified, sshd will listen on the address and all Port options specified.  The default
 # is to listen on all local addresses.  Multiple ListenAddress options are permitted.
 #
@ -30,7 +30,7 @@ ListenAddress {{ item }}
 {% endif %}

 # Specifies the protocol versions sshd(8) supports.
-# The possible values are '1' , `2' and '1,2'.
+# The possible values are '1' , '2' and '1,2'.
 # The default is '2'.
 Protocol 2

@ -49,7 +49,7 @@ HostKey {{ item }}
 #ServerKeyBits 768

 # Specifies the maximum number of concurrent unauthenticated connections
-# to the SSH daemon. See sshd_config(5) for specifiing the three colon 
+# to the SSH daemon. See sshd_config(5) for specifiing the three colon
 # separated values.
 # The default is 10.
 #MaxStartups 10:30:100
@ -89,7 +89,7 @@ UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
 # The server disconnects after this time if the user has not
 # successfully logged in.
 # The default is 120 seconds.
-LoginGraceTime = {{ sshd_login_grace_time | default('120') }}
+LoginGraceTime {{ sshd_login_grace_time | default('120') }}

 # Specifies whether root can log in using ssh(1).
 # The default is "yes".
@ -97,15 +97,15 @@ LoginGraceTime = {{ sshd_login_grace_time | default('120') }}
 #PermitRootLogin yes
 PermitRootLogin {{ sshd_permit_root_login }}

-# Specifies whether sshd(8) should check file modes and ownership of the 
-# user's files and home directory before accepting login.  This is normally 
-# desirable because novices sometimes accidentally leave their directory or 
-# files world-writable. Note that this does not apply to ChrootDirectory, 
-# whose permissions and ownership are checked unconditionally.  
+# Specifies whether sshd(8) should check file modes and ownership of the
+# user's files and home directory before accepting login.  This is normally
+# desirable because novices sometimes accidentally leave their directory or
+# files world-writable. Note that this does not apply to ChrootDirectory,
+# whose permissions and ownership are checked unconditionally.
 # The default is “yes”.
 StrictModes yes

-# Specifies whether pure RSA authentication is allowed. This option 
+# Specifies whether pure RSA authentication is allowed. This option
 # applies to protocol version 1 only.
 # The default is “yes”.
 #
@ -114,20 +114,20 @@ StrictModes yes
 #
 #RSAAuthentication yes

-# Specifies whether public key authentication is allowed. Note that this 
+# Specifies whether public key authentication is allowed. Note that this
 # option applies to protocol version 2 only.
 # The default is “yes”.
 PubkeyAuthentication {{ sshd_pubkey_authentication }}

-# Specifies the file that contains the public keys that can be used for 
-# user authentication.  The format is described in the AUTHORIZED_KEYS FILE 
+# Specifies the file that contains the public keys that can be used for
+# user authentication.  The format is described in the AUTHORIZED_KEYS FILE
 # FORMAT section of sshd(8).
 # AuthorizedKeysFile may contain tokens of the form %T which are substituted
-# during connection setup. The following tokens are defined: %% is replaced 
-# by a literal '%', %h is replaced by the home directory of the user being 
-# authenticated, and %u is replaced by the username of that user. After 
-# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative 
-# to the user's home directory. Multiple files may be listed, separated by 
+# during connection setup. The following tokens are defined: %% is replaced
+# by a literal '%', %h is replaced by the home directory of the user being
+# authenticated, and %u is replaced by the username of that user. After
+# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
+# to the user's home directory. Multiple files may be listed, separated by
 # whitespace.
 # The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
 #AuthorizedKeysFile	%h/.ssh/authorized_keys
@ -139,9 +139,9 @@ AuthorizedKeysFile {{ sshd_authorized_keys_file }}
 #PasswordAuthentication yes
 PasswordAuthentication {{ sshd_password_authentication }}

-# When password authentication is allowed, it specifies whether the 
+# When password authentication is allowed, it specifies whether the
 # server allows login to accounts with empty password strings.
-# The default is “no”.
+# The default is 'no'.
 PermitEmptyPasswords no

 {% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 11) %}
@ -150,7 +150,7 @@ PermitEmptyPasswords no
 KbdInteractiveAuthentication no
 {% else %}
 # Specifies whether challenge-response authentication is allowed (e.g. via PAM).
-# The default is “yes”.
+# The default is 'yes'.
 ChallengeResponseAuthentication no
 {% endif %}

@ -166,15 +166,15 @@ IgnoreRhosts yes
 # similar for protocol version 2
 HostbasedAuthentication no

-# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts 
-# during RhostsRSAAuthentication or HostbasedAuthentication. 
+# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
+# during RhostsRSAAuthentication or HostbasedAuthentication.
 # The default is “no”.
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes

 # If specified, login is allowed only for user names that match one of
 # the patterns.
-# The allow/deny directives are processed in the following order: DenyUsers, 
+# The allow/deny directives are processed in the following order: DenyUsers,
 # AllowUsers, DenyGroups, and finally AllowGroups.
 # By default, login is allowed for all users.
 {% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
@ -195,10 +195,10 @@ AllowUsers {{ fact_sshd_allowed_users }}
 UsePAM {{ sshd_use_pam }}

 # Specifies whether login(1) is used for interactive login sessions.
-# Note that login(1) is never used for remote command execution. 
-# Note also, that if this is enabled, X11Forwarding will be disabled 
+# Note that login(1) is never used for remote command execution.
+# Note also, that if this is enabled, X11Forwarding will be disabled
 # because login(1) does not know how to handle xauth(1) cookies. If
-# UsePrivilegeSeparation is specified, it will be disabled after 
+# UsePrivilegeSeparation is specified, it will be disabled after
 # authentication.
 # The default is “no”.
 #UseLogin no
@ -207,6 +207,24 @@ UsePAM {{ sshd_use_pam }}
 #-----------------------------
 # Cryptography
 #-----------------------------
+{% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 12 %}
+
+# RequiredRSASize
+#
+# Specifies the minimum RSA key size (in bits) that sshd(8) will accept.  User and host-based
+# authentication keys smaller than this limit will be refused.
+#
+# The default is 1024 bits.
+#
+# Note that this limit may only be raised from the default.
+#
+{% if (sshd_required_rsa_size is defined) and sshd_required_rsa_size %}
+RequiredRSASize {{ sshd_required_rsa_size }}
+{% else %}
+# RequiredRSASize 1024
+{% endif %}
+{% endif %}
+{% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %}

 # PubkeyAcceptedAlgorithms
 #
@ -231,14 +249,12 @@ UsePAM {{ sshd_use_pam }}
 #      sk-ecdsa-sha2-nistp256@openssh.com,
 #      rsa-sha2-512,rsa-sha2-256
 #
-
-{% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %}
+# The list of available signature algorithms may also be obtained using
+#     "ssh -Q PubkeyAcceptedAlgorithms"
+#
 PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }}
-{% else %}
-#PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
 {% endif %}

-
 # KexAlgorithms
 #
 # Specifies the available KEX (Key Exchange) algorithms.  Multiple algorithms must be comma-separated.
@ -262,6 +278,7 @@ PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }}
 #
 # The default is:
 #
+#       sntrup761x25519-sha512@openssh.com,
 #       curve25519-sha256,curve25519-sha256@libssh.org,
 #       ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 #       diffie-hellman-group-exchange-sha256,
@ -377,9 +394,9 @@ HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }}
 # Logging
 #-----------------------------

-# Gives the facility code that is used when logging messages from sshd(8).  
-# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, 
-# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  
+# Gives the facility code that is used when logging messages from sshd(8).
+# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 # The default is AUTH.
 SyslogFacility AUTH

@ -403,9 +420,9 @@ DebianBanner no
 # By default, no banner is displayed.
 #Banner /etc/issue.net

-# Specifies whether sshd(8) should print /etc/motd when a user logs in 
-# interactively. (On some systems it is also printed by the shell, 
-# /etc/profile, or equivalent.)  
+# Specifies whether sshd(8) should print /etc/motd when a user logs in
+# interactively. (On some systems it is also printed by the shell,
+# /etc/profile, or equivalent.)
 # The default is “yes”.
 PrintMotd {{ sshd_print_motd }}

@ -432,12 +449,12 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # The default is 'yes'.
 UseDNS {{ sshd_use_dns }}

-# Specifies whether X11 forwarding is permitted. The argument must be 
+# Specifies whether X11 forwarding is permitted. The argument must be
 # “yes” or “no”. See sshd_config(5) for further expalnation
 # The default is “no”.
 #X11Forwarding yes

-# Specifies the first display number available for sshd(8)'s X11 
+# Specifies the first display number available for sshd(8)'s X11
 # forwarding. This prevents sshd from interfering with real X11 servers.
 # The default is 10.
 X11DisplayOffset 10
@ -450,12 +467,12 @@ X11DisplayOffset 10
 # sent, sessions may hang indefinitely on the server, leaving 'ghost' users
 # and consuming server resources.
 #
-# The default is “yes” (to send TCP keepalive messages), and the server 
-# will notice if the network goes down or the client host crashes. This 
+# The default is “yes” (to send TCP keepalive messages), and the server
+# will notice if the network goes down or the client host crashes. This
 # avoids infinitely hanging sessions.
 TCPKeepAlive yes

-#Specifies whether sshd(8) should print the date and time of the last 
+#Specifies whether sshd(8) should print the date and time of the last
 # user login when a user logs in interactively.
 # The default is “yes”.
 PrintLastLog yes