4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -36,7 +36,10 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_allow_tcp_forwarding` | false | false to disable TCP Forwarding. Set to true to allow TCP Forwarding.|
|`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.|
|`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.|
|`ssh_pam_support` | true | true if SSH has PAM support.|
|`ssh_use_pam` | false | false to disable pam authentication.|
|`ssh_gssapi_support` | true | true if SSH has GSSAPI support.|
|`ssh_kerberos_support` | true | true if SSH has Kerberos support.|
|`ssh_deny_users` | '' | if specified, login is disallowed for user names that match one of the patterns.|
|`ssh_allow_users` | '' | if specified, login is allowed only for user names that match one of the patterns.|
|`ssh_deny_groups` | '' | if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.|
Expand All @@ -52,6 +55,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`sftp_chroot` | true | false to disable chroot for sftp|
|`sftp_chroot_dir` | /home/%u | change default sftp chroot location|
|`ssh_client_roaming` | false | enable experimental client roaming|
|`sshd_moduli_file` | '/etc/ssh/moduli' | path to the SSH moduli file |
|`sshd_moduli_minimum` | 2048 | remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam|
|`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
|`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
10 changes: 10 additions & 0 deletions defaults/main.yml
Expand Up @@ -73,6 +73,9 @@ ssh_gateway_ports: false # sshd
# false to disable Agent Forwarding. Set to true to allow Agent Forwarding.
ssh_allow_agent_forwarding: false # sshd

# true if SSH has PAM support
ssh_pam_support: true

# false to disable pam authentication.
ssh_use_pam: false # sshd

Expand All @@ -82,6 +85,12 @@ ssh_google_auth: false # sshd
# false to disable pam device 2FA input
ssh_pam_device: false # sshd

# true if SSH support GSSAPI
ssh_gssapi_support: true

# true if SSH support Kerberos
ssh_kerberos_support: true

# if specified, login is disallowed for user names that match one of the patterns.
ssh_deny_users: '' # sshd

Expand Down Expand Up @@ -224,6 +233,7 @@ ssh_kex_66_weak: "{{ ssh_kex_66_default + ['diffie-hellman-group14-sha1', 'diffi
# directory where to store ssh_password policy
ssh_custom_selinux_dir: '/etc/selinux/local-policies'

sshd_moduli_file: '/etc/ssh/moduli'
sshd_moduli_minimum: 2048

# disable ChallengeResponseAuthentication
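Review bot: `sshd_moduli_file` is the only variable in these hunks without a leading comment, and the three new `*_support` flags drop the trailing `# sshd` marker that the neighbouring sshd-affecting variables (`ssh_allow_agent_forwarding`, `ssh_use_pam`, `ssh_pam_device`, `ssh_deny_users`) all carry. Add `# path of the moduli file sshd reads its Diffie-Hellman groups from; overridden per OS in vars/` above `sshd_moduli_file`, append `# sshd` to `ssh_pam_support`, `ssh_gssapi_support` and `ssh_kerberos_support`, and fix `true if SSH support GSSAPI` / `Kerberos` to `supports`. It would also help to say in those comments that the flags describe what the target's sshd build can parse rather than a hardening choice, so nobody treats them as security knobs.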
8 changes: 4 additions & 4 deletions tasks/main.yml
Expand Up @@ -31,15 +31,15 @@
template: src='openssh.conf.j2' dest='/etc/ssh/ssh_config' mode=0644 owner="{{ ssh_owner }}" group="{{ ssh_group }}"
when: ssh_client_hardening

- name: Check if /etc/ssh/moduli contains weak DH parameters
shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli
- name: Check if {{ sshd_moduli_file }} contains weak DH parameters
shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
register: sshd_register_moduli
changed_when: false
check_mode: no

- name: remove all small primes
shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
[ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;
[ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true
notify: restart sshd
when: sshd_register_moduli.stdout

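Review bot: The new `{{ sshd_moduli_file }}` interpolations in both `shell:` tasks are unquoted, so a value containing whitespace or shell metacharacters is word-split or interpreted by the shell instead of being treated as one path; the previous hard-coded `/etc/ssh/moduli` never had that exposure. Quote the path everywhere it appears: `awk '$5 < {{ sshd_moduli_minimum }}' '{{ sshd_moduli_file }}'`, `awk '$5 >= {{ sshd_moduli_minimum }}' '{{ sshd_moduli_file }}' > '{{ sshd_moduli_file }}.new' ;` and `[ -r '{{ sshd_moduli_file }}.new' -a -s '{{ sshd_moduli_file }}.new' ] && mv '{{ sshd_moduli_file }}.new' '{{ sshd_moduli_file }}' || true`. While touching that line, `[ a -a b ]` is the POSIX-obsolescent form; `[ -r X ] && [ -s X ]` is the portable spelling. The check task still has no `failed_when`, so a missing moduli file would fail the play at the awk rather than be skipped, but that behaviour predates this change.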
6 changes: 6 additions & 0 deletions templates/opensshd.conf.j2
Expand Up @@ -93,7 +93,9 @@ IgnoreUserKnownHosts yes
HostbasedAuthentication no

# Enable PAM to enforce system wide rules
{% if ssh_pam_support -%}
UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }}
{% endif %}
{% if ssh_google_auth %}
# Force public key auth then ask for google auth code
AuthenticationMethods publickey,keyboard-interactive
Expand All @@ -109,15 +111,19 @@ PasswordAuthentication {{ 'yes' if (ssh_server_password_login|bool) else 'no' }}
PermitEmptyPasswords no
ChallengeResponseAuthentication {{ 'yes' if (ssh_challengeresponseauthentication|bool) else 'no' }}

{% if ssh_kerberos_support -%}
# Only enable Kerberos authentication if it is configured.
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
#KerberosGetAFSToken no
{% endif %}

{% if ssh_gssapi_support -%}
# Only enable GSSAPI authentication if it is configured.
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
{% endif %}

# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.
{% if ssh_deny_users -%}
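Review bot: The new `ssh_pam_support` gate suppresses only `UsePAM`; the `{% if ssh_google_auth %}` block immediately below still renders `AuthenticationMethods publickey,keyboard-interactive`, which by its own comment relies on PAM, and `ssh_pam_device` from defaults/main.yml is in the same position. With `ssh_pam_support: false`, as vars/OpenBSD.yml now sets, keyboard-interactive would presumably have no backend while the role also sets `ChallengeResponseAuthentication no`, so the rendered sshd_config could reject every login rather than merely weaken 2FA. Rather than silently dropping the block in the template, fail fast before templating with something like `- assert: { that: "not ((ssh_google_auth|bool) or (ssh_pam_device|bool)) or (ssh_pam_support|bool)", msg: "ssh_google_auth and ssh_pam_device require ssh_pam_support" }` in tasks/main.yml. The `ssh_google_auth` block continues past the end of the first hunk, so I cannot see whether anything there already handles this.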
8 changes: 8 additions & 0 deletions vars/OpenBSD.yml
@@ -0,0 +1,8 @@
sshd_service_name: sshd
ssh_owner: root
ssh_group: wheel

ssh_gssapi_support: false
ssh_kerberos_support: false
ssh_pam_support: false
sshd_moduli_file: '/etc/moduli'
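Review bot: The new vars file has no `---` document start and no comment explaining why it overrides four defaults, so a reader cannot tell whether `ssh_pam_support: false` records a fact about OpenBSD's sshd or is a hardening decision. Start the file with `---` and add a header such as `# OpenBSD's base OpenSSH is built without PAM, GSSAPI and Kerberos and ships its DH groups in /etc/moduli; these values override defaults/main.yml for that platform.` Since vars/ takes precedence over defaults/, these flags cannot be re-enabled from a user's defaults override, which is worth a sentence in the README next to the variable table. The include_vars wiring that loads this file is not part of this PR, so I am assuming it is keyed on `ansible_os_family`.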