Ensure that ssh is installed (dev-sec#774)

Signed-off-by: Sevan Murriguian-Watrin <[email protected]>
Signed-off-by: James Miller <[email protected]>

Author: Byh0ki

roles/ssh_hardening/defaults/main.yml

@@ -1,4 +1,5 @@
 ---
+
 # true if IPv6 is needed
 network_ipv6_enable: true # sshd + ssh
 

roles/ssh_hardening/tasks/disable-systemd-socket.yml

@@ -10,9 +10,3 @@
     state: stopped
     enabled: false
     masked: true
-
-- name: Enable normal sshd start
-  ansible.builtin.systemd:
-    name: ssh.service
-    state: started
-    enabled: true

roles/ssh_hardening/tasks/hardening.yml

@@ -22,6 +22,9 @@
   with_dict: "{{ os_vars }}"
   tags: always
 
+- name: Install openssh package and configure the service
+  ansible.builtin.include_tasks: install.yml
+
 - name: Get openssh-version
   ansible.builtin.command: ssh -V
   register: sshd_version_raw
@@ -32,15 +35,6 @@
   ansible.builtin.set_fact:
     sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
 
-# see https://github.com/dev-sec/ansible-collection-hardening/issues/763
-- name: Change Debian/Ubuntu systems so ssh starts traditionally instead of socket-activated
-  ansible.builtin.include_tasks: disable-systemd-socket.yml
-  when:
-    - ssh_server_hardening | bool
-    - ssh_server_enabled | bool
-    - (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version is version('22.04', '>=')) or
-      (ansible_facts.os_family == 'Debian' and ansible_facts.distribution_major_version is version('12', '>='))
-
 - name: Set default for ssh_host_key_files if not supplied
   ansible.builtin.include_tasks: crypto_hostkeys.yml
   when:

roles/ssh_hardening/tasks/install.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Install openssh package(s)
+  ansible.builtin.package:
+    name: "{{ pkg }}"
+    state: present
+  loop: "{{ ssh_pkgs }}"
+  loop_control:
+    loop_var: pkg
+
+# see https://github.com/dev-sec/ansible-collection-hardening/issues/763
+- name: Change Debian/Ubuntu systems so ssh starts traditionally instead of socket-activated
+  ansible.builtin.include_tasks: disable-systemd-socket.yml
+  when:
+    - ssh_server_hardening | bool
+    - ssh_server_enabled | bool
+    - (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version is version('22.04', '>=')) or
+      (ansible_facts.os_family == 'Debian' and ansible_facts.distribution_major_version is version('12', '>='))
+
+- name: Enable or disable sshd service
+  ansible.builtin.service:
+    name: "{{ sshd_service_name }}"
+    enabled: "{{ ssh_server_service_enabled }}"

roles/ssh_hardening/vars/Amazon_2.yml

@@ -1,4 +1,6 @@
 ---
+ssh_pkgs:
+  - openssh
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: sshd

roles/ssh_hardening/vars/Archlinux.yml

@@ -1,4 +1,6 @@
 ---
+ssh_pkgs:
+  - openssh
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: sshd

roles/ssh_hardening/vars/Debian.yml

@@ -1,4 +1,7 @@
 ---
+ssh_pkgs:
+  - openssh-server
+  - openssh-client
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: ssh

roles/ssh_hardening/vars/Fedora.yml

@@ -1,4 +1,6 @@
 ---
+ssh_pkgs:
+  - openssh
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: sshd

roles/ssh_hardening/vars/Fedora_37.yml

@@ -1,4 +1,6 @@
 ---
+ssh_pkgs:
+  - openssh
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: sshd

roles/ssh_hardening/vars/FreeBSD.yml

@@ -1,4 +1,6 @@
 ---
+ssh_pkgs:
+  - openssh-portable
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: sshd

roles/ssh_hardening/vars/OpenBSD.yml

@@ -1,4 +1,8 @@
 ---
+# It seems that OpenBSD comes with openssh in the base install so we can't
+# really install it as a separated package. Feel free to patch this if it's
+# not the expected way to handle that on OpenBSD
+ssh_pkgs: []
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: sshd

roles/ssh_hardening/vars/RedHat.yml

@@ -1,4 +1,6 @@
 ---
+ssh_pkgs:
+  - openssh
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: sshd

roles/ssh_hardening/vars/RedHat_9.yml

@@ -1,4 +1,6 @@
 ---
+ssh_pkgs:
+  - openssh
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: sshd

roles/ssh_hardening/vars/SmartOS.yml

@@ -1,4 +1,6 @@
 ---
+ssh_pkgs:
+  - openssh
 sshd_path: /usr/lib/ssh/sshd
 ssh_host_keys_dir: /var/ssh
 sshd_service_name: ssh

roles/ssh_hardening/vars/Suse.yml

@@ -1,4 +1,6 @@
 ---
+ssh_pkgs:
+  - openssh
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: sshd

roles/ssh_hardening/vars/main.yml

@@ -1,4 +1,5 @@
 ---
+
 ssh_macs_53_default:
   - hmac-ripemd160
   - hmac-sha1