This repository was archived by the owner on Dec 26, 2020. It is now read-only.

rework CRYPTO_POLICY handling for fedora #314

Merged
merged 4 commits into from
Jul 22, 2020
2 changes: 1 addition & 1 deletion .kitchen.yml
@@ -111,7 +111,7 @@ platforms:
image: rndmh3ro/docker-fedora-ansible:latest
platform: centos
provision_command:
- dnf install -y python
- dnf install -y python procps-ng
- sed -i '/nologin/d' /etc/pam.d/sshd
- systemctl enable sshd.service

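Review bot: the reason for adding procps-ng to the Fedora provision_command is not stated anywhere in the change; if a task or a test shells out to ps/pgrep and fails on the slim image without it, a short comment next to the package (the same way vars/Archlinux.yml explains its override) would stop the next person from trimming it as unused. The same package is added to both test playbooks, so one sentence in the commit message or here would cover all three places.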
17 changes: 17 additions & 0 deletions files/sshd
@@ -0,0 +1,17 @@
# Configuration file for the sshd service.

# The server keys are automatically generated if they are missing.
# To change the automatic creation, adjust sshd.service options for
# example using systemctl enable [email protected] to allow creation
# of DSA key or systemctl mask [email protected] to disable RSA key
# creation.

# Do not change this option unless you have hardware random
# generator and you REALLY know what you are doing

SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1

# System-wide crypto policy:
# To opt-out, uncomment the following line
CRYPTO_POLICY=
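Review bot: the comment right above CRYPTO_POLICY= says "To opt-out, uncomment the following line", but the line is shipped uncommented, so the file contradicts itself; since opting out is the whole purpose of this file, reword it to say that the opt-out is already in effect and that the file is managed by this role. Two more things: the rendered text "systemctl enable [email protected]" / "systemctl mask [email protected]" has lost the systemd unit names (they show up here as obfuscated e-mail addresses), so double-check that the committed file carries the real sshd-keygen@<keytype>.service names; and shipping the SSH_USE_STRONG_RNG block from the role means any local change to that setting is silently reverted on every run, which should be documented next to the sshd_disable_crypto_policy option.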
20 changes: 12 additions & 8 deletions tasks/hardening.yml
@@ -98,12 +98,16 @@
include_tasks: selinux.yml
when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled"

- name: disable system CRYPTO_POLICY for RHEL8+
lineinfile:
path: /etc/sysconfig/sshd
regexp: 'CRYPTO_POLICY='
line: CRYPTO_POLICY=
- name: gather package facts
package_facts:
check_mode: no
when:
- sshd_disable_crypto_policy | bool

- name: disable SSH server CRYPTO_POLICY
copy:
src: sshd
dest: /etc/sysconfig/sshd
when:
- ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
- ansible_facts.distribution_version is version('8.0', '>=')
- sshd_disable_crypto_policy | bool
- sshd_disable_crypto_policy | bool
- ('crypto-policies' in ansible_facts.packages)
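Review bot: `- sshd_disable_crypto_policy | bool` is listed twice in the when: of the "disable SSH server CRYPTO_POLICY" task; drop one of them. Replacing lineinfile with copy also changes behaviour: the old task only touched the CRYPTO_POLICY= line, the new one overwrites all of /etc/sysconfig/sshd (any OPTIONS= or other local setting is lost), and copy without owner/group/mode leaves a freshly created file at the controller's umask defaults, so set them explicitly. Nothing here notifies an sshd restart either, so the opt-out only takes effect at the next restart; if the role has a restart handler, notify it from this task.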
1 change: 1 addition & 0 deletions tests/default.yml
@@ -20,6 +20,7 @@
name:
- openssh-clients
- openssh-server
- procps-ng
state: present
update_cache: true
ignore_errors: true
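Review bot: procps-ng is added to the test playbook's package list without a comment saying which test needs it; a one-line note would keep it from being removed as unused later. This list now duplicates the one in tests/default_custom.yml line for line, so every future addition has to be made in both files.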
1 change: 1 addition & 0 deletions tests/default_custom.yml
@@ -20,6 +20,7 @@
name:
- openssh-clients
- openssh-server
- procps-ng
state: present
update_cache: true
ignore_errors: true
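Review bot: same addition as in tests/default.yml; since the two package lists are identical, consider moving them into a shared vars file or include so that they cannot drift apart.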
6 changes: 5 additions & 1 deletion vars/Archlinux.yml
@@ -1,3 +1,7 @@
sshd_service_name: sshd
ssh_owner: root
ssh_group: root
ssh_group: root

# CRYPTO_POLICY is not supported on Archlinux
# and the package check only works in Ansible >2.10
sshd_disable_crypto_policy: false
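Review bot: setting sshd_disable_crypto_policy in vars/Archlinux.yml puts it at role-vars precedence, which overrides inventory and play vars, so an Arch user cannot turn the option on without -e even once the package check works on their Ansible version. If the intent is only to skip the package_facts check on Arch, a platform condition on that task (for example `ansible_facts.os_family != 'Archlinux'`) keeps the variable user-settable; otherwise say in the comment that the override is intentional.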