More secure defaults for ssh.

Ciphers, Kex and MAC can be set via defaults.var

roles/common/tasks/security.yml

@@ -16,6 +16,10 @@
 - name: Ensure fail2ban is started
   service: name=fail2ban state=started
 
-- name: Update sshd config to disallow root logins
-  lineinfile: dest=/etc/ssh/sshd_config regexp=^PermitRootLogin line="PermitRootLogin no" state=present
+- name: Update sshd config for PFS and more secure defaults
+  template: src=sshd.j2 dest=/etc/ssh/sshd_config
   notify: restart ssh
+  
+- name: Update ssh config for more secure defaults
+  template: src=ssh.j2 dest=/etc/ssh/ssh_config
+

roles/common/templates/ssh.j2

@@ -0,0 +1,10 @@
+    Ciphers {{ ciphers }}
+    #KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+    KexAlgorithms {{ kex_algorithms }}
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
+    MACs {{ macs }}
+    PasswordAuthentication no
+

roles/common/templates/sshd.j2

@@ -0,0 +1,72 @@
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+
+Protocol 2
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+KexAlgorithms {{ kex_algorithms }}
+Ciphers {{ ciphers }}
+MACs {{ macs }}
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication yes
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+

vars/defaults.yml

@@ -13,6 +13,11 @@ main_user_shell: "/bin/bash"
 friendly_networks:
   - ""
 
+# ssh
+kex_algorithms: "diffie-hellman-group-exchange-sha256"
+ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
+macs: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
+
 # ntp
 ntp_servers:
   # use nearby ntp servers by default