Add support to specify a list of revoked public keys

bachp · bachp · commit 95650b67ba01 · 2017-06-30T14:37:52.000+02:00
Signed-off-by: Pascal Bach &lt;pascal.bach@siemens.com&gt;
diff --git a/README.md b/README.md
@@ -49,6 +49,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
 |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
 |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
+|`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
 
 ## Example Playbook
 
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -160,3 +160,6 @@ ssh_challengeresponseauthentication: false
 
 #  look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
 ssh_use_dns: false
+
+# a list of public keys that are never accepted by the ssh server
+ssh_server_revoked_keys: []
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -28,6 +28,11 @@
     ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
   when: sshd_version.stdout >= '6.3'
 
+- name: create revoked_keys and set permissions to root/600
+  template: src='revoked_keys.j2' dest='/etc/ssh/revoked_keys' mode=0600 owner="{{ ssh_owner }}" group="{{ ssh_group }}"
+  notify: restart sshd
+  when: ssh_server_hardening
+
 - name: create sshd_config and set permissions to root/600
   template: src='opensshd.conf.j2' dest='/etc/ssh/sshd_config' mode=0600 owner="{{ ssh_owner }}" group="{{ ssh_group }}" validate="/usr/sbin/sshd -T -f %s"
   notify: restart sshd
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -208,6 +208,9 @@ Banner {{ '/etc/ssh/banner.txt' if ssh_banner else 'none' }}
 DebianBanner {{ 'yes' if ssh_print_debian_banner else 'no' }}
 {% endif %}
 
+# Reject keys that are explicitly blacklisted
+RevokedKeys /etc/ssh/revoked_keys
+
 {% if sftp_enabled %}
 # Configuration, in case SFTP is used
 ## override default of no subsystems
diff --git a/templates/revoked_keys.j2 b/templates/revoked_keys.j2
@@ -0,0 +1,4 @@
+# {{ansible_managed}}
+{% for key in ssh_server_revoked_keys %}
+{{key}}
+{% endfor %}
