feat(ssh): add alpine support (dev-sec#809)

Signed-off-by: Sebastian Gumprich <[email protected]>
Signed-off-by: James Miller <[email protected]>

Author: rndmh3ro

.github/workflows/ssh_hardening.yml

@@ -35,6 +35,14 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        include:
+          # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
+          # - molecule_distro: opensuse_tumbleweed
+          #   molecule_docker_command: "/usr/lib/systemd/systemd"
+          - molecule_distro: alpine
+            molecule_docker_command: "/sbin/init"
+        molecule_docker_command:
+          - "/lib/systemd/systemd"
         molecule_distro:
           - centosstream9
           - rocky8
@@ -48,7 +56,6 @@ jobs:
           - debian12
           - amazon2023
           - arch
-          # - opensuse_tumbleweed  # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
     steps:
       - name: Checkout repo
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
@@ -76,11 +83,9 @@ jobs:
 
       - name: Test with molecule
         run: |
-          if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then
-            export MOLECULE_DOCKER_COMMAND="/usr/lib/systemd/systemd"
-          fi
           molecule --version
           molecule test -s ssh_hardening
         env:
           MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+          MOLECULE_DOCKER_COMMAND: ${{ matrix.molecule_docker_command }}
         working-directory: ansible_collections/devsec/hardening

.github/workflows/ssh_hardening_custom_tests.yml

@@ -35,6 +35,14 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        include:
+          # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
+          # - molecule_distro: opensuse_tumbleweed
+          #   molecule_docker_command: "/usr/lib/systemd/systemd"
+          - molecule_distro: alpine
+            molecule_docker_command: "/sbin/init"
+        molecule_docker_command:
+          - "/lib/systemd/systemd"
         molecule_distro:
           - centosstream9
           - rocky8
@@ -48,7 +56,6 @@ jobs:
           - debian12
           - amazon2023
           - arch
-          # - opensuse_tumbleweed  # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
     steps:
       - name: Checkout repo
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
@@ -76,11 +83,9 @@ jobs:
 
       - name: Test with molecule
         run: |
-          if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then
-            export MOLECULE_DOCKER_COMMAND="/usr/lib/systemd/systemd"
-          fi
           molecule --version
           molecule test -s ssh_hardening_custom_tests
         env:
           MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+          MOLECULE_DOCKER_COMMAND: ${{ matrix.molecule_docker_command }}
         working-directory: ansible_collections/devsec/hardening

molecule/ssh_hardening/prepare.yml

@@ -1,5 +1,5 @@
 ---
-- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+- name: Prepare the molecule container for the role
   hosts: all
   become: true
   environment:
@@ -53,6 +53,14 @@
           - openssh
       when: ansible_facts.os_family == 'Suse'
 
+    - name: Install required tools on Alpine
+      community.general.apk:
+        name:
+          - openssh
+        state: present
+        update_cache: true
+      when: ansible_facts.os_family == 'Alpine'
+
     - name: Install required tools on Arch
       community.general.pacman:
         name:

molecule/ssh_hardening_custom_tests/prepare.yml

@@ -62,6 +62,14 @@
         update_cache: true
       when: ansible_facts.os_family == 'Archlinux'
 
+    - name: Install required tools on Alpine
+      community.general.apk:
+        name:
+          - openssh
+        state: present
+        update_cache: true
+      when: ansible_facts.os_family == 'Alpine'
+
     - name: Create ssh host keys # noqa ignore-errors
       ansible.builtin.command: ssh-keygen -A
       when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')

roles/ssh_hardening/README.md

@@ -52,6 +52,7 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - focal, jammy, noble
 - Debian
   - bookworm, bullseye
+- Alpine
 - Amazon
 - Fedora
 - ArchLinux

roles/ssh_hardening/meta/main.yml

@@ -19,6 +19,7 @@ galaxy_info:
       versions:
         - bookworm
         - bullseye
+    - name: Alpine
     - name: Amazon
     - name: Fedora
     - name: ArchLinux

roles/ssh_hardening/vars/Alpine.yml

@@ -0,0 +1,23 @@
+---
+ssh_pkgs:
+  - openssh
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: /etc/ssh
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+ssh_host_keys_owner: root
+ssh_host_keys_group: root
+ssh_host_keys_mode: "0600"
+
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: /etc/ssh/moduli
+
+# CRYPTO_POLICY is not supported on Archlinux
+# and the package check only works in Ansible >2.10
+sshd_disable_crypto_policy: false