From 6794eb0432dfb33bd3a84e31a5c66f7e4dc05d5b Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Thu, 10 Aug 2023 22:09:03 +0200
Subject: [PATCH] roles/common: default to disabling SSH passwords
---
 roles/common/defaults/main.yml | 4 ++++
 roles/common/templates/sshd_config_Debian-11.j2 | 6 +++++-
 roles/common/templates/sshd_config_Debian-12.j2 | 6 +++++-
 roles/common/templates/sshd_config_Ubuntu-20.04.j2 | 7 +++++--
 4 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index f4dd2f4..0e328a0 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -10,4 +10,8 @@ fail2ban_findtime: 3600
 fail2ban_bantime: 1209600
 fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
+# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
+# before re-configuring the SSH daemon to disable passwords.
+ssh_password_authentication: disabled
+
 # vim: set ts=2 sw=2:
diff --git a/roles/common/templates/sshd_config_Debian-11.j2 b/roles/common/templates/sshd_config_Debian-11.j2
index df0aabb..156ce01 100644
--- a/roles/common/templates/sshd_config_Debian-11.j2
+++ b/roles/common/templates/sshd_config_Debian-11.j2
@@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
 #PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
diff --git a/roles/common/templates/sshd_config_Debian-12.j2 b/roles/common/templates/sshd_config_Debian-12.j2
index 7cd6358..946a302 100644
--- a/roles/common/templates/sshd_config_Debian-12.j2
+++ b/roles/common/templates/sshd_config_Debian-12.j2
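Review bot: `ssh_password_authentication: disabled` is a free-form string that the three sshd_config templates compare against the literal `'disabled'`, so any other spelling (`disable`, `Disabled`, a YAML boolean `false`) silently lands in the branch that emits `PasswordAuthentication yes`, and nothing in this patch validates the value. A guard task in the role — e.g. `ansible.builtin.assert` with `that: ssh_password_authentication in ['enabled', 'disabled']` — would make a typo fail the play instead of quietly re-enabling passwords. The comment's claim that keys are added before sshd is reconfigured depends on task ordering outside this diff; naming the task that installs the keys in the comment would let a future reorder be caught in review.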
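Review bot: The `{% else %}` branch emits `PasswordAuthentication yes`, so the template fails open for every value of `ssh_password_authentication` other than the exact string `disabled`; the Debian-12 and Ubuntu-20.04 hunks have the same shape. Inverting the test — `{% if ssh_password_authentication == 'enabled' %}` above `PasswordAuthentication yes`, with `PasswordAuthentication no` in the `else` branch — keeps this commit's default while making the unexpected case the restrictive one. Note also that `PasswordAuthentication no` on its own does not stop PAM keyboard-interactive password prompts; the `ChallengeResponseAuthentication`/`KbdInteractiveAuthentication` line sits below this hunk, so confirm it is `no` (or templated the same way) for the commit message's intent to hold.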
@@ -56,8 +56,12 @@ AuthorizedKeysFile .ssh/authorized_keys
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
 PasswordAuthentication yes
-PermitEmptyPasswords no
+{% endif %}
+#PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
diff --git a/roles/common/templates/sshd_config_Ubuntu-20.04.j2 b/roles/common/templates/sshd_config_Ubuntu-20.04.j2
index 88aabb4..19aa656 100644
--- a/roles/common/templates/sshd_config_Ubuntu-20.04.j2
+++ b/roles/common/templates/sshd_config_Ubuntu-20.04.j2
@@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
 #PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
@@ -122,7 +126,6 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # AllowTcpForwarding no
 # PermitTTY no
 # ForceCommand cvs server
-PasswordAuthentication yes
 # Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
 # ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
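Review bot: `PermitEmptyPasswords no` goes from an active directive to the commented-out `#PermitEmptyPasswords no`, which the commit message does not mention; OpenSSH's built-in default is `no`, so behaviour should not change, but a hardening template is easier to audit when the setting is explicit, so keep `PermitEmptyPasswords no` uncommented. Separately, sshd uses the first value it reads for each keyword, so if this template keeps the stock `Include /etc/ssh/sshd_config.d/*.conf` near its top (outside this hunk), a drop-in there that sets `PasswordAuthentication yes` takes precedence over the templated `no`; the same applies to the Debian-11 and Ubuntu-20.04 templates. Managing that directory from the role, or asserting it contains no `PasswordAuthentication` override, would close that gap.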