[devsec] ansible-ssh-hardening 8.0.0 released

  • From: Sebastian Gumprich <devsec@xxxxxxxxx>
  • To: devsec@xxxxxxxxxxxxx, devsec-announce@xxxxxxxxxxxxx
  • Date: Tue, 5 May 2020 21:51:57 +0200

Hey everyone,

We also released a new version of ansible-ssh-hardening: version 8.0.0!

Many fixes and features here, too. But also some breaking changes, so heads up!

Breaking Changes:

    We removed configuring 2fa, as it does not belong in this role (#269)
    ssh_google_auth and ssh_pam_device are gone and replaced by sshd_authenticationmethods (#245)
    ssh_allow_tcp_forwarding is no longer a bool but a string because it accepts values other than yes/no (#257)

Implemented enhancements:

    Remove dependency on bash #265
    Possibility to use other value than yes/no for AllowTCPforwarding #255
    Add support for Debian Buster in ansible-ssh-hardening #248
    Some options not configurable via the role #239
    PermitUserEnvironment should not be conflated with AcceptEnv #232
    Disable also dynamic MOTD via PAM if enabled - refs #271 #273 (ancoron)
    Use sha2 HMACs on RHEL 6 / CentOS 6. #270 (foonix)
    Removing 2fa #269 (dennisse)
    Renaming Ansible variables discovered from systems #268 (PovilasGT)
    Do not use bash to get ssh version #266 (kljensen)
    Add 'all', 'local', 'yes', 'no' options support for AllowTcpForwarding variable #257 (brnck)
    Support KEX for OpenSSH 8.0+ & quantum resistant KEX #254 (lunarthegrey)
    SFTP: set default umask to 0027 #252 (Slamdunk)
    Separate PermitUserEnvironment from AcceptEnv #251 (szEvEz)
    Feature: Debian 10 (Buster) support #249 (jaredledvina)
    fix broken packages, extend README with further development instructions #246 (szEvEz)
    refactor authenticationmethod settings, allow user to set authenticat… #245 (szEvEz)
    RHEL/OL/CentOS 8 support #242 (Furragen)
    Added ssh_syslog_facility, ssh_log_level and ssh_strict_modes parameters #240 (bschonec)
    set UsePAM to yes by default #233 (rndmh3ro)

Fixed bugs:

    HostKey comment "# Req 20" breaks key based auth #262
    SSH fails to start/connect if custom server ports is set on CentOS 7.6 #212
    Google 2fa authentication problem #170
    vars: remove empty main.yml file #274 (paulfantom)
    Only manage moduli when hardening server #267 (jbronn)
    Remove comment from sshd config HostKey param #263 (abtreece)

Github: https://github.com/dev-sec/ansible-ssh-hardening/releases/tag/8.0.0
Galaxy: https://galaxy.ansible.com/dev-sec/ssh-hardening

We are looking forward to getting your feedback via our mailing list.

Feel free to follow us on Twitter (https://twitter.com/devsecio) to stay

Mailing list: https://www.freelists.org/list/devsec
Archive: https://www.freelists.org/archive/devsec
Post to: devsec@xxxxxxxxxxxxx
Unsubscribe: https://www.freelists.org/list/devsec
