
update cipher and mac

This commit is contained in:
Lilian Roller 2020-03-17 17:25:08 +01:00
parent 3b008f27ad
commit 289ab2be94
No known key found for this signature in database
GPG key ID: 5215C3441797AB2B
3 changed files with 53 additions and 18 deletions


@ -13,9 +13,34 @@ sshd:
# - ecdsa # - ecdsa
# - dsa # (do not use!) # - dsa # (do not use!)
kex_algorithmus:
- 'curve25519-sha256@libssh.org'
- 'diffie-hellman-group-exchange-sha256'
# - 'diffie-hellman-group-exchange-sha1'
# - 'diffie-hellman-group14-sha1'
# - 'diffie-hellman-group1-sha1'
ciphers:
- 'chacha20-poly1305@openssh.com'
- 'aes256-gcm@openssh.com'
# - 'aes256-ctr'
# - 'aes256-cbc'
# - 'aes128-ctr'
# - 'aes128-cbc'
macs:
- 'hmac-sha2-512-etm@openssh.com'
- 'hmac-sha2-256-etm@openssh.com'
# - 'hmac-sha2-512'
# - 'hmac-sha2-256'
# - 'hmac-ripemd160-etm@openssh.com'
# - 'umac-128-etm@openssh.com'
# - 'hmac-sha1'
## default users for SSH access
#
# default users for SSH access
#sshd_default_allowed_users: #sshd_default_allowed_users:
# - "root" # - "root"
# - "ansible" # - "ansible"
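Review bot: The commented-out fallbacks under `kex_algorithmus`, `ciphers` and `macs` (the `*-sha1`, `*-cbc` and `hmac-sha1` entries) carry no warning, while the `dsa` host-key entry just above them is marked `# (do not use!)`; a maintainer re-enabling one of them for an old client gets no hint that it weakens the server. I would mark them the same way, e.g. `# - 'diffie-hellman-group1-sha1'  # (weak, do not use!)`, and put above the three lists `# rendered comma-joined into KexAlgorithms / Ciphers / MACs; keep at least one entry per list, an empty list renders a directive with no value`. The key is also spelt `kex_algorithmus` while its siblings are English; since the template that reads it is new in this same commit, renaming it to `kex_algorithms` now costs nothing. `diffie-hellman-group-exchange-sha256` is only as strong as the groups in `/etc/ssh/moduli`, which nothing in this diff appears to manage — worth a comment or a follow-up task that prunes the small moduli.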


@ -14,12 +14,10 @@
- name: read default variable - name: read default variable
include_vars: vars/default.yml include_vars: vars/default.yml
- pause: #- name: Collect all users and groups allowed to login via ssh
# set_fact:
- name: Collect all users and groups allowed to login via ssh # sshd_allow_users: '{{ sshd_default_allowed_users + users.keys() | default({}) | sort }}'
set_fact: # sshd_allow_groups: '{{ sshd_default_allowed_groups + users.keys() | default({}) | sort }}'
sshd_allow_users: '{{ sshd_default_allowed_users + users.keys() | default({}) | sort }}'
sshd_allow_groups: '{{ sshd_default_allowed_groups + users.keys() | default({}) | sort }}'
- name: Copy sshd configuration - name: Copy sshd configuration
become: yes become: yes
@ -29,10 +27,12 @@
owner: root owner: root
group: root group: root
mode: 'u=rw,g=r,o=r' mode: 'u=rw,g=r,o=r'
validate: /usr/sbin/sshd -t -f %s # validate: /usr/sbin/sshd -t -f %s
backup: yes backup: yes
notify: notify:
- systemctrl restart ssh - systemctrl restart ssh
- pause:
- name: Generate new ecdsa ssh host key pair if necessary - name: Generate new ecdsa ssh host key pair if necessary
become: yes become: yes
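Review bot: The `validate: /usr/sbin/sshd -t -f %s` line on the Copy sshd configuration task is commented out, so a rendered sshd_config that sshd rejects is now written to disk and the `systemctrl restart ssh` handler fires against it, which can leave the host unreachable over SSH; this is exactly the run where validation matters, because the new comma-joined KexAlgorithms/Ciphers/MACs lines are untested, so I would restore `validate: /usr/sbin/sshd -t -f %s` and fix whatever made it fail rather than bypass it. The new bare `- pause:` after the `notify:` block looks like a leftover debug stop; with no `seconds` or `prompt` it waits for Enter and blocks unattended runs, so drop it before merging. Commenting out the `Collect all users and groups allowed to login via ssh` set_fact means `sshd_allow_users` and `sshd_allow_groups` are no longer defined; if the template still references them outside this diff the render fails, and if it no longer does, the AllowUsers/AllowGroups restriction silently disappears — either way the intent should be stated in the commit message. The `Generate new ecdsa ssh host key pair if necessary` task begins at the end of this hunk and continues outside it.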


@ -7,17 +7,26 @@ Port {{ sshd.port }}
TCPKeepAlive yes TCPKeepAlive yes
# Key exchange # Key exchange
#KexAlgorithms curve25519-sha256@libssh.org, KexAlgorithms
# diffie-hellman-group-exchange-sha256 {%- for algo in sshd.kex_algorithmus -%}
{% if ansible_distribution_release == 'wheezy' -%} {{ ' ' }}{{ algo }}{{ "," if not loop.last }}
KexAlgorithms diffie-hellman-group-exchange-sha256 {%- endfor %}
{%- else -%}
KexAlgorithms diffie-hellman-group-exchange-sha256
{%- if use_diffie_hellman_group_exchange_sha256 -%}
,diffie-hellman-group-exchange-sha256
{%- endif -%}
{%- endif %}
# Ciphers:
Ciphers
{%- for cipher in sshd.ciphers -%}
{{ ' ' }}{{ cipher }}{{ "," if not loop.last }}
{%- endfor %}
# Macs
MACs
{%- for mac in sshd.macs -%}
{{ ' ' }}{{ mac }}{{ "," if not loop.last }}
{%- endfor %}
{#
# Server authentication # Server authentication
Protocol 2 Protocol 2
{% if ansible_distribution_release == 'wheezy' %} {% if ansible_distribution_release == 'wheezy' %}
@ -105,3 +114,4 @@ Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %} {% endif %}
# ETC # ETC
#}
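Review bot: The `{#` opened right after the MACs loop and the `#}` added as the last line of the file turn everything in between — at least the `# Server authentication` block with `Protocol 2`, the wheezy branch and, per the second hunk's header, the `Subsystem sftp` line — into a Jinja comment, so none of it reaches the rendered sshd_config and those settings fall back to sshd's compiled-in defaults; whatever authentication hardening lives in that region is silently dropped. If this is a debugging aid it must not ship; if the block is meant to go, delete it so the loss is visible in the diff. The three new loops emit `{{ ' ' }}` before every item, giving `a, b` with a space after the comma; sshd's config parser splits a directive's arguments on whitespace, so I would expect the second item onward to be rejected as trailing garbage and only the first to be kept, with a dangling comma. Ansible's template module also trims the newline after a block tag by default, so the comment that follows each `{%- endfor %}` is likely to land on the directive line itself. A `join` avoids both problems and is three lines instead of twelve: `KexAlgorithms {{ sshd.kex_algorithmus | join(',') }}`, `Ciphers {{ sshd.ciphers | join(',') }}`, `MACs {{ sshd.macs | join(',') }}`.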