From 5ab88dc387e684a544e0812b5d077648aa4cfc07 Mon Sep 17 00:00:00 2001
From: DarkFeather
Date: Wed, 19 Jul 2023 15:41:27 -0500
Subject: [PATCH] Updating some SSH config
---
 precommit-hooks/find-passwords-in-files | 4 +-
 roles/SSH/files/ssh_config | 57 +++++-------------------
 roles/SSH/files/ssh_known_hosts | 43 +++++++++++++++++++
 roles/SSH/files/sshd_config | 1 +
 roles/SSH/tasks/main.yml | 6 +++
 5 files changed, 63 insertions(+), 48 deletions(-)
 create mode 100644 roles/SSH/files/ssh_known_hosts
diff --git a/precommit-hooks/find-passwords-in-files b/precommit-hooks/find-passwords-in-files
index 5260d58..e6bf696 100644
--- a/precommit-hooks/find-passwords-in-files
+++ b/precommit-hooks/find-passwords-in-files
@@ -18,8 +18,10 @@ saferegex="$saferegex"'|\s+=\s*$|\s+yes$|\s+no$'
 saferegex="$saferegex"'|pwpolicies|pwdLastSuccess|pwdAttribute|pwdMaxAge|pwdExpireWarning|pwdInHistory|pwdCheckQuality|pwdMaxFailure|pwdLockout|pwdLockoutDuration|pwdGraceAuthNLimit|pwdFailureCountInterval|pwdMustChange|pwdMinLength|pwdAllowUserChange|pwdSafeModify|pwdChangedTime|pwdPolicy|last changed their password on|/root/.ldappass'
 # Ignore IRC Modules
 saferegex="$saferegex"'|m_password_hash.so|/quote ns identify|SELECT|password_attribute|SET PASS|SASET PASS'
+# Ignore SSH known hosts
+saferegex="$saferegex""|ssh_known_hosts:|"
-grep -irE 'secret|password|pw|passphrase|pass=' roles/*/{files,templates} 2>&1 | grep -vE "$saferegex"
+git ls-files roles/*/{files,templates} | xargs grep -irE 'secret|password|pw|passphrase|pass=' | grep -vE "$saferegex"
 if [ $? -ne 1 ]; then
 echo
 echo If these are false positives, you need to add the signature to the whitelist in $0.
diff --git a/roles/SSH/files/ssh_config b/roles/SSH/files/ssh_config
index 716ed9e..50a34d5 100644
--- a/roles/SSH/files/ssh_config
+++ b/roles/SSH/files/ssh_config
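Review bot: The added `saferegex="$saferegex""|ssh_known_hosts:|"` leaves a trailing `|` on the pattern, and an empty alternative in an ERE matches every line, so `grep -vE "$saferegex"` now discards all findings and the hook can no longer fail; write it as `saferegex="$saferegex"'|ssh_known_hosts:'`, matching the quoting of the lines above it. The `ssh_known_hosts:` anchor also depends on grep printing a `path:` prefix, which it does only when xargs hands it more than one file; adding `-H` to the `xargs grep -irE` call makes that prefix unconditional. The earlier lines that build `saferegex` are outside this hunk.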
@@ -1,50 +1,13 @@
-# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $
-
-# This is the ssh client system-wide configuration file. See
-# ssh_config(5) for more information. This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-# 1. command line options
-# 2. user-specific file
-# 3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options. For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
-# Host *
-# ForwardAgent no
+# man 5 ssh_config
 ForwardX11 yes
 ForwardX11Trusted yes
-# RhostsRSAAuthentication no
-# RSAAuthentication yes
-# PasswordAuthentication yes
-# HostbasedAuthentication no
-# GSSAPIAuthentication no
-# GSSAPIDelegateCredentials no
-# BatchMode no
-# CheckHostIP yes
-# AddressFamily any
-# ConnectTimeout 0
-# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/identity
-# IdentityFile ~/.ssh/id_rsa
-# IdentityFile ~/.ssh/id_dsa
-# Port 22
-# Protocol 2,1
-# Cipher 3des
-# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
-# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
-# EscapeChar ~
-# Tunnel no
-# TunnelDevice any:any
-# PermitLocalCommand no
-# VisualHostKey no
-# ProxyCommand ssh -q -W %h:%p gateway.example.com
-UseRoaming no
+CanonicalizeHostname yes
+CanonicalDomains msn0.aninix.net
+Compression yes
+ServerAliveInterval 60
+ServerAliveCountMax 5
+TCPKeepAlive yes
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com
+
 # fix for CVE-2016-0777
+# UseRoaming no
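Review bot: The new `Ciphers` line restricts only the symmetric cipher; key exchange, MAC and host-key algorithm selection stay at the client defaults, so if a curated algorithm set is the intent it should be completed with `KexAlgorithms` and `MACs` lines and checked against the oldest servers in the fleet (the ssh_known_hosts added in this commit lists OpenSSH 6.7 hosts). `CanonicalizeHostname yes` with `CanonicalDomains msn0.aninix.net` now applies to every user on the machine, and the canonical FQDN is what gets matched against the deployed system known_hosts; a comment such as `# canonical names must match the entries in /etc/ssh/ssh_known_hosts` would record that dependency. The `# fix for CVE-2016-0777` context line now annotates a disabled option, presumably commented out because current OpenSSH rejects `UseRoaming`; merging the two as `# UseRoaming no  # was the CVE-2016-0777 mitigation; option no longer accepted` keeps the history on one line. `ForwardX11Trusted yes` is pre-existing context rather than part of this change, but as a system-wide default it disables the X11 SECURITY extension for every forwarded session and deserves a second look.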
diff --git a/roles/SSH/files/ssh_known_hosts b/roles/SSH/files/ssh_known_hosts
new file mode 100644
index 0000000..2d236a1
--- /dev/null
+++ b/roles/SSH/files/ssh_known_hosts
@@ -0,0 +1,43 @@
+### AniNIX
+# AniNIX.net
+147.219.175.219,foundation.aninix.net,aninix.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlUR05R8xcOgb+5p++xQ4hN8aVgyfaRn2bGDfIJleS1
+147.219.175.219,foundation.aninix.net,aninix.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtuJX5ShWmFFpPVubWTsp0uPcF8hFCqh+epZxoAlKZz5F+EedT9yzU67pttQmEpLCVGFqVQUwFHyN2ww/w0k9fDZ8Bdn7/Bn9LsUQtzeyeJWwiHTNS6IEKw8SMg2ifTCvGBevV7cuFMwFJ/b7iKjfaVhsZ5sPUpbG9c88rwX29FoUkghHDod9St1hoKtqbRARjhJ5p2BnzmvQeT5zwsPqLUh+5mbtoo3nLKQqudYQCIhkTWVArwfASSbdsb+xCQEnTF2D2lf6Bp+xp9DADsCu8I1NyY+cOsXGAWSXJSMHWJ6QF5SfVTqjCbNFiGe4qX9H+WdGVY6Bvbt4bTJPuoUX9
+# Shadowfeed.MSN0.AniNIX.net:6022
+[10.0.1.1]:6022 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7qREh5sVlKy52UumXEayNYufFHxGgil2uRn8sA/LBq
+# Nazara.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.4p1 Raspbian-5+b1
+nazara.msn0.aninix.net,nazara,10.0.1.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE4QJO1FOhCwGaYPVdpsu4gfADQ0DFG+21MKxG9lKSCS
+nazara.msn0.aninix.net,nazara,10.0.1.2 ssh-rsa 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
+[147.219.8.116]:21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE4QJO1FOhCwGaYPVdpsu4gfADQ0DFG+21MKxG9lKSCS
+# Core.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.8
+core.msn0.aninix.net,core,10.0.1.3 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlUR05R8xcOgb+5p++xQ4hN8aVgyfaRn2bGDfIJleS1
+core.msn0.aninix.net,core,10.0.1.3 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtuJX5ShWmFFpPVubWTsp0uPcF8hFCqh+epZxoAlKZz5F+EedT9yzU67pttQmEpLCVGFqVQUwFHyN2ww/w0k9fDZ8Bdn7/Bn9LsUQtzeyeJWwiHTNS6IEKw8SMg2ifTCvGBevV7cuFMwFJ/b7iKjfaVhsZ5sPUpbG9c88rwX29FoUkghHDod9St1hoKtqbRARjhJ5p2BnzmvQeT5zwsPqLUh+5mbtoo3nLKQqudYQCIhkTWVArwfASSbdsb+xCQEnTF2D2lf6Bp+xp9DADsCu8I1NyY+cOsXGAWSXJSMHWJ6QF5SfVTqjCbNFiGe4qX9H+WdGVY6Bvbt4bTJPuoUX9
+# Node0.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.5
+node0.msn0.aninix.net,node0,10.0.1.4 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIByPH4xBtfbG1sWBThjzeB/41wIiG8VElMJt6Tt7gj3Q
+node0.msn0.aninix.net,node0,10.0.1.4 ssh-rsa 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
+# Sharingan.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.5
+sharingan.msn0.aninix.net,sharingan,10.0.1.16 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHWiEtEMgosZv/LFNjY7ebFVdsEXrkPmdJHSC8sbaD5
+sharingan.msn0.aninix.net,sharingan,10.0.1.16 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCaTw9KTB/u3h8z6JFon7C3Wex5Vn9ghTUjacuEZvGJymjPt8GMiCS/b4epBibdbYq3bastnJA/AA2m++bo3PZZPgo8VVCVuRvblpsDHkNcYtdjI/bdsVlaHYLcm/yh7R+s6mKULeFE1GdaPGBTl/Mu1UOrFPmPG/yRvA7moTz9+0m7YS1/4isWI8kXH/A4eoGk5VpLDqwQDiDYKCyI15Z1T+GSn5tF1iBgCI90CoztHyrrQa5LSqsBtUi7J3YVtG395lTIga+QjJcU8HMaGwdhtRe57LnSDPSAZLKXdWHk1+nDrwrdnqGfvLO6MJGN3OaeT/aOo6srFhJSVG3SAvaksvaDkunie0fLnXoVheTZ2BAB7nUwbU8F301c69TMkvietmzWrXK2IPNL/areLfUT3gROXdzJp9jqFz3Tht6i1wyQNOvrAsJyriLmCzqGtNjEMTHbzs/Ld/eMzgsmLsD6jV09wTithjnOgJEpdUEbbl8EDmXcgeoElKtwffDmBrc=
+# DarkNet.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.5
+darknet.msn0.aninix.net,darknet,10.0.1.17 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJUs68uQdOc5vRxnWZAd6DRRFLrZyqQi2gdx7QuzwZH
+darknet.msn0.aninix.net,darknet,10.0.1.17 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmfOvKeJa7SKZ8hDzEAu3tM7VjOoj64d1wMKxmXuHcOVOG2pOyGNCrutBhj4CXsNHtU1liOF8QAIG0bQJ7K+JLU1BSsQ4kuV/Nn99hmW3A6yzZN+FuhvdiWMb+kS7VM7OjDZ71RmOqCsJJsJVAsoFZIWxbzk9Zom4bvoEgERe5P0jeYzoXJsBbeR+t6zCWTVNMTDYWNXY0u+E9YZv8gpUrzlgJltXmperq79DjtigemX4+D2hiQ72xL8beNbRko/s4qOLk8VyUfb012XB6QyvqPH6CWM5L74MhAnUJmfp7uWUIaUO5eUB3WUNDiMfIGoLwR4d/q1tGpbIgGNfeksIZ
+# Maat.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.8
+maat.msn0.aninix.net,maat,10.0.1.18 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEoF3EiL06w+VQNYUxrNH0VBAUsaqnswpGEe4NolLvIZ
+maat.msn0.aninix.net,maat,10.0.1.18 ssh-rsa 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
+# DedNet.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.8
+dednet.msn0.aninix.net,dednet,10.0.1.52 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINfz42IEWihRkfxGjdp80hUaWbCt+f4jD2cN+KxxQNYb
+dednet.msn0.aninix.net,dednet,10.0.1.52 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ9AJF9tnic4frwdNI6/sSxlfAOfghjbG/b30qHSAdFh4ktVB6NWPS6SVf/zUsg+8K02tZXOFBKR5JAQO0KCVI20Vig/WPOM6pwc/UIvRqWioAoR97jDPJBauZKdULdwVDQE4jfvJv969QfJNhy//bsH66JzyPVdGqQaDO4UGR0+QY3aBeLgptAh2+zMrMuk4pGjxsngV0udKsoKY/k//gIZprSal39cBwO6/htD0sdmua2T/Io6L6V9jlRxHbqQD2TkXNAe+dgJ1hEJa+41Ahunhkba4xcy3siXYCnQk9K5zk1xZmFPNGDSLlPHbAUmsSUAAc75aoV32XMLKb9KCH
+# Geth-Hub-1.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
+geth-hub-1.msn0.aninix.net,geth-hub-1,10.0.1.32 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHc2LkiAHfRXB2j5dHvQQctPrRaL5EHxtcY0+GnKsGtV
+geth-hub-1.msn0.aninix.net,geth-hub-1,10.0.1.32 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGWZ+4SPBIuWtzaicM7bdxTcadH+m2390O06CP3B56vvlFwXQCztqVGL3UPhQEpbfJtZkipPWN2sjNWHmzQ1LCQ=
+# Geth-Hub-2.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
+geth-hub-2.msn0.aninix.net,geth-hub-2,10.0.1.33 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBAWCCPeMydz3Ge++Uu+a189FtsCK6CLvPsqxlPQupGM
+geth-hub-2.msn0.aninix.net,geth-hub-2,10.0.1.33 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLolkWL+a6oAHcgHQ2nROoVwC0WBBzYLL9nZJ8wIslsepCy2H8hSjnrgQ5sNMQBKOe5ToOrmP3YfXVgonpC4sAc=
+# Geth-Hub-3.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.4p1 Raspbian-5+b1
+geth-hub-3.msn0.aninix.net,geth-hub-3,10.0.1.34 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4odSWjWwTUCMOVtHwCQIboz4B6Myv78Z/qqpGtZ1Ow
+geth-hub-3.msn0.aninix.net,geth-hub-3,10.0.1.34 ssh-rsa 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
+# DedSec.MSN0.AniNIX.net:22
+dedsec.msn0.aninix.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINfz42IEWihRkfxGjdp80hUaWbCt+f4jD2cN+KxxQNYb
+# Tachikoma.MSDN0.aninix.net
+tachikoma.msn0.aninix.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP94+yPnzTF0imO3l2eKBzuNR+U8iABkzGgvFpv4udJd
+tachikoma.msn0.aninix.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPO+k25FnFlNJOhD419pwX6U6Xt9HrGXxN2jNrUvRBX3ZeuQEXQYx/oZ3c2t4D3nM28/QrNfE9vZ9lt7XorpafU=
+tachikoma ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP94+yPnzTF0imO3l2eKBzuNR+U8iABkzGgvFpv4udJd
diff --git a/roles/SSH/files/sshd_config b/roles/SSH/files/sshd_config
index d17e142..463760a 100644
--- a/roles/SSH/files/sshd_config
+++ b/roles/SSH/files/sshd_config
@@ -8,6 +8,7 @@ PrintLastLog yes
 StrictModes yes
 Protocol 2
 ChrootDirectory none
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com
 # DSA and ECDSA are untrusted for vulnerabilites and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
 # RSA and ED25519 are stable.
diff --git a/roles/SSH/tasks/main.yml b/roles/SSH/tasks/main.yml
index 044050e..15ee518 100644
--- a/roles/SSH/tasks/main.yml
+++ b/roles/SSH/tasks/main.yml
@@ -57,6 +57,12 @@ src: ssh_config dest: /etc/ssh/ssh_config + - name: Known hosts + become: yes + copy: + src: ssh_known_hosts + dest: /etc/ssh/ssh_known_hosts + + - name: SSHD Config become: yes register: sshd_config
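Review bot: The file pins `ecdsa-sha2-nistp256` keys for geth-hub-1, geth-hub-2 and tachikoma even though the repository's own sshd_config comment in this commit calls ECDSA untrusted, and each of those hosts also has an `ssh-ed25519` entry; unless a client is expected to negotiate ECDSA for them, those lines are redundant and the policy reads more consistently with them removed or annotated with why they stay. The header `# Tachikoma.MSDN0.aninix.net` looks like a typo for `MSN0`, given the `tachikoma.msn0.aninix.net` entry beneath it. Several entries carry an identical key under different names (foundation/aninix.net and core, dedsec and dednet, `[147.219.8.116]:21` and nazara), presumably one host reached through several names or ports; a comment such as `# same host as core, reached via public address` on those lines would stop the next reader from suspecting a copy-paste mistake.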
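Review bot: The added `Ciphers` line restricts only the symmetric cipher on the server; key exchange and MAC selection stay at the sshd defaults, so the hardening is partial and the non-AEAD `aes256-ctr` entry still relies on whichever MAC is negotiated. If a curated algorithm set is the goal, add matching `KexAlgorithms` and `MACs` lines next to it and confirm the oldest clients in the fleet (the ssh_known_hosts file in this commit mentions OpenSSH 6.7 hosts) still connect before rolling it out. A one-line comment naming the reference the list was taken from would also help, since the existing `# DSA and ECDSA ...` comment cites its source but this line does not.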
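Review bot: The new `Known hosts` task copies `ssh_known_hosts` without `owner`, `group` or `mode`, so the installed file's ownership and permissions follow the copy module's defaults on the target; a system-wide known_hosts must be readable by every local user and writable only by root, so state that explicitly with `owner: root`, `group: root` and `mode: '0644'` under `copy:`. Unlike the `SSHD Config` task that follows, this one registers nothing, which is correct because a known_hosts change needs no daemon restart, but a short comment saying so would keep a later maintainer from adding a spurious handler. The hunk opens mid-way through the preceding ssh_config task, whose `name` and module lines are outside it.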