Merge pull request #97 from dev-sec/ssh_moduli

Remove small dh primes

Author: rndmh3ro

.travis.yml

@@ -39,6 +39,7 @@ env:
 
   - distro: debian8
     version: latest
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
     init: /sbin/init
 
   - distro: debian9

README.md

@@ -44,6 +44,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`sftp_enabled` | false | true to enable sftp configuration|
 |`sftp_chroot_dir` | /home/%u | change default sftp chroot location|
 |`ssh_client_roaming` | false | enable experimental client roaming|
+|`sshd_moduli_minimum` | 2048 | remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam|
 
 ## Example Playbook
 

defaults/main.yml

@@ -140,3 +140,5 @@ ssh_kex_66_weak: "{{ ssh_kex_66_default + ['diffie-hellman-group14-sha1', 'diffi
 
 # directory where to store ssh_password policy
 ssh_custom_selinux_dir: '/etc/selinux/local-policies'
+
+sshd_moduli_minimum: 2048

tasks/main.yml

@@ -15,6 +15,18 @@
   template: src='openssh.conf.j2' dest='/etc/ssh/ssh_config' mode=0644 owner=root group=root
   when: ssh_client_hardening
 
+- name: Check if /etc/ssh/moduli contains weak DH parameters
+  shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli
+  register: sshd_register_moduli
+  changed_when: false
+  always_run: True
+
+- name: remove all small primes
+  shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
+         [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
+  notify: restart sshd
+  when: sshd_register_moduli.stdout
+
 - name: test to see if selinux is running
   command: getenforce
   register: sestatus