Attention: This role has been migrated to our hardening-collection:
Please open any issues and pull requests there!
ssh_listen_tomust also be set to listen to IPv6 addresses (for example
yesto enable root-login
'no'to disable TCP Forwarding. Set to
'yes'to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify
'no'should be passed with quotes.
falseto disable binding forwarded ports to non-loopback addresses. Set to
trueto force binding on wildcard address. Set to
clientspecifiedto allow the client to specify which address to bind to.
default_custom.ymlfor all options. Only used if
trueto allow password-based authentication with the ssh client
trueto allow password-based authentication with the ssh server
trueto print a banner on login
falseto stop harden the client
trueto print debian specific banner
falseto disable the opensshd server
falseto stop harden the server
yesto specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings
If you want to configure ssh options that are not listed above, you can use
/etc/ssh/sshd_config) to set them. These options will be set on the beginning of the file so you can override options further down in the file.
- hosts: localhost roles: - dev-sec.ssh-hardening vars: ssh_custom_options: - "Include /etc/ssh/ssh_config.d/*" sshd_custom_options: - "AcceptEnv LANG"
This role uses the default port 22 or the port configured in the inventory to connect to the server. If the default
ssh port is changed via
ssh_server_ports, once the ssh server is restarted, it will still try to connect using the previous port. In order to run this role again on the same server the inventory will have to be updated to use the new ssh port.
If idempotency is important, please consider using role
ssh-hardening-fallback, which is a wrapper around this role that falls back to port 22 if the configured port is unreachable.
- hosts: localhost roles: - dev-sec.ssh-hardening
The preferred way of locally testing the role is to use Docker. You will have to install Docker on your system. See Get started for a Docker package suitable to for your system.
You can also use vagrant and Virtualbox or VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See Vagrant Downloads for a vagrant package suitable for your system. For all our tests we use
test-kitchen. If you are not familiar with
test-kitchen please have a look at their guide.
Next install test-kitchen:
# Install dependencies gem install bundler bundle install
# fast test on one machine bundle exec kitchen test ssh-ubuntu1804-ansible-latest # test on all machines bundle exec kitchen test # for development bundle exec kitchen create ssh-ubuntu1804-ansible-latest bundle exec kitchen converge ssh-ubuntu1804-ansible-latest bundle exec kitchen verify ssh-ubuntu1804-ansible-latest # cleanup bundle exec kitchen destroy ssh-ubuntu1804-ansible-latest
# fast test on one machine KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test ssh-ubuntu-1804 # test on all machines KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test # for development KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create ssh-ubuntu-1804 KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge ssh-ubuntu-1804
For more information see test-kitchen
I can't log into my account. I have registered the client key, but it still doesn't let me it.
If you have exhausted all typical issues (firewall, network, key missing, wrong key, account disabled etc.), it may be that your account is locked. The quickest way to find out is to look at the password hash for your user:
sudo grep myuser /etc/shadow
If the hash includes an
!, your account is locked:
The proper way to solve this is to unlock the account (
passwd -u myuser). If the user doesn't have a password, you should can unlock it via:
usermod -p "*" myuser
Alternatively, if you intend to use PAM, you enabled it via
ssh_use_pam: true. PAM will allow locked users to get in with keys.
Why doesn't my application connect via SSH anymore?
Always look into log files first and if possible look at the negotiation between client and server that is completed when connecting.
We have seen some issues in applications (based on python and ruby) that are due to their use of an outdated crypto set. This collides with this hardening module, which reduced the list of ciphers, message authentication codes (MACs) and key exchange (KEX) algorithms to a more secure selection.
After using the role Ansibles template/copy/file module does not work anymore!
This role by default deactivates SFTP. Ansible uses by default SFTP to transfer files to the remote hosts. You have to set
scp_if_ssh = True in your ansible.cfg. This way Ansible uses SCP to copy files. Alternatively you can enable SFTP again by setting
Cannot restart sshd-service due to lack of privileges
If you get the following error when running handler "restart sshd"
Unable to restart service ssh: Failed to restart ssh.service: Access denied
failure 1 running systemctl show for 'ssh': Failed to connect to bus: No such file or directory
either run the playbook as
become: yes at the playbook level), or add
become: yes to the handler.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.