Fixing several issues - maintenance.

.devcontainer/devcontainer.json

@@ -8,18 +8,8 @@
     "customizations": {
         "vscode": {
           "settings": {
-            "python.pythonPath": "/usr/local/bin/python",
-            "python.linting.enabled": true,
-            "python.linting.pylintEnabled": true,
-            "python.formatting.autopep8Path": "/usr/local/py-utils/bin/autopep8",
-            "python.formatting.blackPath": "/usr/local/py-utils/bin/black",
-            "python.formatting.yapfPath": "/usr/local/py-utils/bin/yapf",
-            "python.linting.banditPath": "/usr/local/py-utils/bin/bandit",
-            "python.linting.flake8Path": "/usr/local/py-utils/bin/flake8",
-            "python.linting.mypyPath": "/usr/local/py-utils/bin/mypy",
-            "python.linting.pycodestylePath": "/usr/local/py-utils/bin/pycodestyle",
-            "python.linting.pydocstylePath": "/usr/local/py-utils/bin/pydocstyle",
-            "python.linting.pylintPath": "/usr/local/py-utils/bin/pylint"
+            "python.pythonPath": "/usr/local/bin/python"
+
           },
           "extensions": [
               "redhat.ansible",
@@ -41,6 +31,5 @@
     "ghcr.io/devcontainers-contrib/features/curl-apt-get:1": {},
     "ghcr.io/eitsupi/devcontainer-features/jq-likes:1": {}
   },
-  "forwardPorts": [2258],
   "remoteUser": "root"
 }

.vscode/extensions.json

@@ -2,12 +2,6 @@
     "recommendations": [
       "redhat.ansible",
       "ms-python.python",
-      "ms-python.pylint",
-      "ms-vscode.test-adapter-converter",
-      "hbenl.vscode-test-explorer",
-      "littlefoxteam.vscode-python-test-adapter",
-      "timonwong.shellcheck",
-      "davidanson.vscode-markdownlint",
-      "eamodio.gitlens"
+      "timonwong.shellcheck"
     ]
 }

.yamllint

@@ -9,6 +9,9 @@ rules:
   brackets:
     max-spaces-inside: 1
     level: error
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false
   indentation:
     indent-sequences: consistent
     spaces: 2
@@ -20,6 +23,9 @@ rules:
   new-line-at-end-of-file: enable
   new-lines:
     type: unix
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
   trailing-spaces: enable
   truthy:
     allowed-values: ['true', 'false']

handlers/main.yml

@@ -27,4 +27,5 @@
 - name: Update crypto policies
   ansible.builtin.command: update-crypto-policies
   notify: Restart sshd
+  changed_when: true
 ...

molecule/almalinux8/molecule.yml

@@ -11,8 +11,11 @@ lint: |
   flake8
 platforms:
   - name: ssh-almalinux8
-    image: almalinux:8
+    image: dokken/almalinux-8
+    pre_build_image: true
     command: /sbin/init
+    privileged: true
+    cgroupns_mode: host
     capabilities:
       - CAP_NET_BIND_SERVICE
     published_ports:
@@ -22,10 +25,12 @@ platforms:
       - /tmp
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      - /var/lib/containerd
 provisioner:
   name: ansible
   config_options:
     defaults:
+      callbacks_enabled: profile_tasks, timer
       stdout_callback: yaml
       executable: /bin/bash
   playbooks:

molecule/resources/playbooks/converge.yml

@@ -4,10 +4,10 @@
   hosts: all
 
   vars:
-    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+    this_role: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
 
   tasks:
-    - name: "Include {{ role_name }}"
+    - name: "Include {{ this_role }}"
       ansible.builtin.include_role:
-        name: "{{ role_name }}"
+        name: "{{ this_role }}"
 ...

molecule/resources/playbooks/verify.yml

@@ -4,11 +4,11 @@
   hosts: all
 
   vars:
-    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+    this_role: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
 
   tasks:
-    - name: "Include {{ role_name }}"
+    - name: "Include {{ this_role }}"
       ansible.builtin.include_role:
-        name: "{{ role_name }}"
+        name: "{{ this_role }}"
         tasks_from: verify
 ...

tasks/Debian11.yml

@@ -7,17 +7,15 @@
     line: "{{ item.line }}"
     state: present
     create: true
-    mode: 0640
+    mode: '0640'
   loop:
     - regexp: '^(#)?Ciphers'
-      line: "Ciphers {{ Ciphers }}"
+      line: "Ciphers {{ ciphers }}"
     - regexp: '^(#)?HostKeyAlgorithms'
-      line: "HostKeyAlgorithms {{ HostKeyAlgorithms }}"
+      line: "HostKeyAlgorithms {{ host_key_algorithms }}"
     - regexp: '^(#)?KexAlgorithms'
-      line: "KexAlgorithms {{ KexAlgorithms }}"
+      line: "KexAlgorithms {{ kex_algorithms }}"
     - regexp: '^(#)?MACs'
-      line: "MACs {{ MACs }}"
-      # - regexp: '^(#)?PubkeyAcceptedKeyTypes'
-      #  line: "PubkeyAcceptedKeyTypes {{ PubkeyAcceptedKeyTypes }}"
+      line: "MACs {{ macs }}"
   notify: Restart sshd
 ...

tasks/crypto_policy.yml

@@ -19,9 +19,9 @@
     dest: /usr/share/crypto-policies/policies/
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
 
-- name: "Ensure {{ crypto_policy }} policy is configured"
+- name: "Ensure crypto-policy {{ crypto_policy }}"
   when: current_policy.stdout != crypto_policy
   ansible.builtin.command: "update-crypto-policies --set {{ crypto_policy }}"
   changed_when: true
@@ -36,13 +36,13 @@
   ansible.builtin.copy:
     dest: /etc/profile.d/cc-ssh-strong-rng.sh
     content: "export SSH_USE_STRONG_RNG=32\n"
-    mode: 0644
+    mode: '0644'
 
 - name: SSH client uses strong entropy to seed (for CSH like shells)
   ansible.builtin.copy:
     dest: /etc/profile.d/cc-ssh-strong-rng.csh
     content: "setenv SSH_USE_STRONG_RNG 32\n"
-    mode: 0644
+    mode: '0644'
 
 - name: Remove RekeyLimit from ssh_config
   ansible.builtin.lineinfile:
@@ -57,5 +57,6 @@
     regexp: '^(#)?RekeyLimit'
     line: 'RekeyLimit 1G 1h'
     state: present
+    mode: '0644'
 
 ...

tasks/main.yml

@@ -3,6 +3,9 @@
 - name: Setup
   ansible.builtin.setup:
 
+- name: List packages
+  ansible.builtin.package_facts:
+
 - name: Print out operating system details
   ansible.builtin.debug:
     msg: >-
@@ -15,7 +18,14 @@
   ansible.builtin.set_fact:
     distro_version: "{{ ansible_distribution }}{{ ansible_distribution_major_version }}"
 
+- name: Update GPG keys
+  when: ansible_distribution == 'AlmaLinux'
+  ansible.builtin.package:
+    name: almalinux-release
+    state: latest
+
 - name: Install SSH server
+  when: "'openssh-server' not in ansible_facts.packages"
   ansible.builtin.package:
     name: openssh-server
     state: present
@@ -26,13 +36,13 @@
   ansible.builtin.file:
     path: /run/sshd
     state: directory
-    mode: 0750
+    mode: '0750'
 
-- name: "Fedora {{ crypto_policy }} crypto policy"
+- name: "Fedora crypto-policy {{ crypto_policy }}"
   when: ansible_distribution == 'Fedora'
   ansible.builtin.include_tasks: crypto_policy.yml
 
-- name: "Update {{ crypto_policy }} crypto policy"
+- name: "Update crypto-policy {{ crypto_policy }}"
   when: distro_version in [ 'RedHat8', 'CentOS8', 'AlmaLinux8', 'Ubuntu20', 'Rocky8']
   ansible.builtin.include_tasks: crypto_policy.yml
 
@@ -45,6 +55,7 @@
 - name: Deactivate short Diffie-Hellman moduli
   when: sshd_register_moduli.stdout
   ansible.builtin.shell: "awk '$5 >= {{ min_dh_size }}' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv -f /etc/ssh/moduli.tmp /etc/ssh/moduli"
+  changed_when: sshd_register_moduli.stdout
 
 - name: Harden SSH configuration
   ansible.builtin.lineinfile:
@@ -93,15 +104,16 @@
   ansible.builtin.copy:
     src: issue
     dest: /etc/issue
-    mode: 0644
+    mode: '0644'
 
 - name: Create login banner
   ansible.builtin.copy:
     src: issue
     dest: /etc/issue.net
-    mode: 0644
+    mode: '0644'
 
 - name: Manage ed25519 host key
+  when: crypto_policy == 'STRICT'
   block:
     - name: Check the ed25519 host key
       ansible.builtin.stat:
@@ -121,31 +133,30 @@
     - name: Set host key permissions
       ansible.builtin.file:
         path: /etc/ssh/ssh_host_ed25519_key
-        mode: 0600
+        mode: '0600'
 
     - name: Configure ed25519 host key
       ansible.builtin.lineinfile:
         dest: /etc/ssh/sshd_config
         regexp: '^HostKey /etc/ssh/ssh_host_ed25519_key'
         line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
-        mode: 0600
+        mode: '0600'
         state: present
       notify: Restart sshd
-  when: crypto_policy == 'STRICT'
 
 - name: Disable weak host keys
   when:
     - crypto_policy == 'STRICT'
     - weak_host_keys|length >= 1
-  include_tasks: weak_keys.yml
+  ansible.builtin.include_tasks: weak_keys.yml
   loop: "{{ weak_host_keys }}"
 
 # See http://bada55.cr.yp.to/
 - name: Remove ed25519 host key in FIPS mode
   ansible.builtin.lineinfile:
     dest: /etc/ssh/sshd_config
     regexp: '^HostKey /etc/ssh/ssh_host_ed25519_key'
-    mode: 0600
+    mode: '0600'
     state: absent
   notify: Restart sshd
   when: crypto_policy in ['FIPS', 'FIPS:OSPP']

tasks/sshd_crypto.yml

@@ -7,17 +7,15 @@
     line: "{{ item.line }}"
     state: present
     create: true
-    mode: 0600
+    mode: '0600'
   loop:
     - regexp: '^Ciphers'
-      line: "Ciphers {{ Ciphers }}"
+      line: "Ciphers {{ ciphers }}"
     - regexp: '^HostKeyAlgorithms'
-      line: "HostKeyAlgorithms {{ HostKeyAlgorithms }}"
+      line: "HostKeyAlgorithms {{ host_key_algorithms }}"
     - regexp: '^KexAlgorithms'
-      line: "KexAlgorithms {{ KexAlgorithms }}"
+      line: "KexAlgorithms {{ kex_algorithms }}"
     - regexp: '^MACs'
-      line: "MACs {{ MACs }}"
-      # - regexp: '^(#)?PubkeyAcceptedKeyTypes'
-      #  line: "PubkeyAcceptedKeyTypes {{ PubkeyAcceptedKeyTypes }}"
+      line: "MACs {{ macs }}"
   notify: Restart sshd
 ...

tasks/strict_config.yml

@@ -7,10 +7,10 @@
   ansible.builtin.lineinfile:
     path: /etc/sysconfig/sshd
     regex: '^CRYPTO_POLICY'
-    line: "CRYPTO_POLICY='-oCiphers={{ Ciphers }} -oMACs={{ MACs }} -oKexAlgorithms={{ KexAlgorithms }} -oHostKeyAlgorithms={{ HostKeyAlgorithms }}'"
+    line: "CRYPTO_POLICY='-oCiphers={{ ciphers }} -oMACs={{ macs }} -oKexAlgorithms={{ kex_algorithms }} -oHostKeyAlgorithms={{ host_key_algorithms }}'"
     state: present
     create: true
-    mode: 0640
+    mode: '0640'
   notify: Restart sshd
 
 - name: Install rgn-tools for entropy, if available
@@ -27,7 +27,7 @@
     regexp: '^SSH_USE_STRONG_RNG'
     line: 'SSH_USE_STRONG_RNG=32'
     state: present
-    mode: 0640
+    mode: '0640'
   when: entropy.changed | bool  # noqa no-handler
   notify: Start RNG Entropy Gatherer
 ...

tasks/weak_keys.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: "Mask generation of {{ item }} host key"
+- name: "Mask generation of host key {{ item }}"
   ansible.builtin.systemd:
     name: "{{ hostkey }}"
     masked: true
@@ -10,15 +10,15 @@
   loop_control:
     loop_var: hostkey
 
-- name: Remove {{ item }} host key from sshd_config
+- name: "Remove host key from sshd_config {{ item }}"
   ansible.builtin.lineinfile:
     dest: /etc/ssh/sshd_config
     regexp: "HostKey /etc/ssh/ssh_host_{{ item }}_key"
     line: "HostKey /etc/ssh/ssh_host_{{ item }}_key"
     state: absent
   notify: Restart sshd
 
-- name: "Remove {{ item }} host key"
+- name: "Remove host key {{ item }}"
   ansible.builtin.file:
     path: "/etc/ssh/ssh_host_{{ item }}_key"
     state: absent

vars/main.yml

@@ -14,14 +14,11 @@ weak_host_keys:
 
 # https://www.ssh-audit.com/hardening_guides.html
 
-Ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 
-HostKeyAlgorithms: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+host_key_algorithms: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
 # This is a compatible subset
-KexAlgorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
+kex_algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
 
-MACs: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
-
-# Not enforced!
-PubkeyAcceptedKeyTypes: ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512
+macs: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
 ...