dev-sec · rndmh3ro · Jul 28, 2020 · Jun 20, 2020 · Jun 20, 2020 · Jun 20, 2020
diff --git a/meta/main.yml b/meta/main.yml
@@ -22,6 +22,7 @@ galaxy_info:
     - name: Amazon
     - name: Fedora
     - name: Archlinux
+    - name: SmartOS
   galaxy_tags:
     - system
     - security

diff --git a/tasks/crypto_hostkeys.yml b/tasks/crypto_hostkeys.yml
@@ -1,15 +1,21 @@
 ---
 - name: set hostkeys according to openssh-version if openssh >= 5.3
   set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
+    ssh_host_key_files:
+      - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
   when: sshd_version is version('5.3', '>=')
 
 - name: set hostkeys according to openssh-version if openssh >= 6.0
   set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
+    ssh_host_key_files:
+      - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+      - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
   when: sshd_version is version('6.0', '>=')
 
 - name: set hostkeys according to openssh-version if openssh >= 6.3
   set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
+    ssh_host_key_files:
+      - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+      - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
+      - "{{ ssh_host_keys_dir }}/ssh_host_ed25519_key"
   when: sshd_version is version('6.3', '>=')
diff --git a/tasks/hardening.yml b/tasks/hardening.yml
@@ -50,7 +50,7 @@
     mode: '0600'
     owner: '{{ ssh_owner }}'
     group: '{{ ssh_group }}'
-    validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s'
+    validate: '{{ sshd_path }} -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s'
   notify: restart sshd
   when: ssh_server_hardening | bool
 

diff --git a/vars/Archlinux.yml b/vars/Archlinux.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root

diff --git a/vars/Debian.yml b/vars/Debian.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: ssh
 ssh_owner: root
 ssh_group: root

diff --git a/vars/Fedora.yml b/vars/Fedora.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root

diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
diff --git a/vars/OpenBSD.yml b/vars/OpenBSD.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel

diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root

diff --git a/vars/RedHat.yml b/vars/RedHat.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root

diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml
@@ -1,4 +1,6 @@
 ---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root

diff --git a/vars/SmartOS.yml b/vars/SmartOS.yml
@@ -0,0 +1,8 @@
+---
+sshd_path: /usr/lib/ssh/sshd
+ssh_host_keys_dir: '/var/ssh'
+sshd_service_name: ssh
+ssh_owner: root
+ssh_group: root
+
+ssh_pam_support: false