[devsec] ansible-ssh-hardening 8.0.0 released

• From: Sebastian Gumprich <devsec@xxxxxxxxx>
• To: devsec@xxxxxxxxxxxxx, devsec-announce@xxxxxxxxxxxxx
• Date: Tue, 5 May 2020 21:51:57 +0200

Hey everyone,

we also released a new version of ansible-ssh-hardening: version 8.0.0!

Many fixes and features here, too. But also some breaking changes, so heads up!

Breaking Changes:

    We removed configuring 2fa, as it does not belong into this role (#269)
ssh_google_auth and ssh_pam_device are gone and replaced by sshd_authenticationmethods (#245)
ssh_allow_tcp_forwarding is no longer a bool but a string because it accepts other values as yes/no (#257)

Implemented enhancements:

    Remove dependency on bash #265
    Possibility to use other value than yes/no for AllowTCPforwarding #255
    Add support for Debian Buster in ansible-ssh-hardening #248
    Some options not configurable via the role #239
    PermitUserEnvironment should not be conflated with AcceptEnv #232
    Disable also dynamic MOTD via PAM if enabled - refs #271 #273 (ancoron)
    Use sha2 HMACs on RHEL 6 / CentOS 6. #270 (foonix)
    Removing 2fa #269 (dennisse)
    Renaming Ansible variables discovered from systems #268 (PovilasGT)
    Do not use bash to get ssh version #266 (kljensen)
Add 'all', 'local', 'yes', 'no' options support for AllowTcpForwarding variable #257 (brnck)
Support KEX for OpenSSH 8.0+ & quantum resistant KEX #254 (lunarthegrey)
    SFTP: set default umask to 0027 #252 (Slamdunk)
    Separate PermitUserEnviroment from AcceptEnv #251 (szEvEz)
    Feature: Debian 10 (Buster) support #249 (jaredledvina)
fix broken packages, extend README with furhter development instructions #246 (szEvEz)
refactor authenticationmethod settings, allow user to set authenticat… #245 (szEvEz)
    RHEL/OL/CentOS 8 support #242 (Furragen)
Added ssh_syslog_facility, ssh_log_level and ssh_strict_modes parameters #240 (bschonec)
    set UsePAM to yes by default #233 (rndmh3ro)

Fixed bugs:

    HostKey comment "# Req 20" breaks key based auth #262
SSH fails to start/connect if custom server ports is set on CentOS 7.6 #212
    Google 2fa authentication problem #170
    vars: remove empty main.yml file #274 (paulfantom)
    Only manage moduli when hardening server #267 (jbronn)
    Remove comment from sshd config HostKey param #263 (abtreece)


Github: https://github.com/dev-sec/ansible-ssh-hardening/releases/tag/8.0.0
Galaxy: https://galaxy.ansible.com/dev-sec/ssh-hardening



We are looking forward to get your feedback via our mailing list.
(https://dev-sec.io/community/).

Feel free to follow us on Twitter (https://twitter.com/devsecio) to stay
updated.

________________________________________
Mailing list: https://www.freelists.org/list/devsec
Archive: https://www.freelists.org/archive/devsec
Post to: devsec@xxxxxxxxxxxxx
Unsubscribe: https://www.freelists.org/list/devsec

• References:
  • [devsec] ansible-os-hardening 6.0.0 released
    • From: Sebastian Gumprich

Other related posts:

• » [devsec] ansible-ssh-hardening 8.0.0 released - Sebastian Gumprich

1. Home
2. devsec
3. Archive
4. 05-2020

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---