From 46f158a386b68c37440a4052a69755c4894372be Mon Sep 17 00:00:00 2001 From: L3D Date: Tue, 13 Jul 2021 11:14:53 +0200 Subject: [PATCH] otionally disable key and kex algorythmus setting --- README.md | 1 + defaults/main.yml | 2 ++ handlers/main.yml | 9 ++++++++- tasks/keys.yml | 3 +++ tasks/main.yml | 1 + templates/sshd_config.j2 | 5 ++++- vars/main.yml | 2 +- 7 files changed, 20 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 75b1bca..2773d6f 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,7 @@ users: + **Advanced SSH Algorithm Settings**
You can define the used Key and Kex Algorithm here to. For the default values and some examples for the variables ``sshd__key_algorithmus`` and ``sshd__kex_algorithmus`` have a look into ``defaults/main.yml``. + You can disable it by setting ``sshd__manage_key_algorithmus`` and ``sshd__manage_kex_algorithmus`` to ``false``. + **force new SSH Features**
diff --git a/defaults/main.yml b/defaults/main.yml index 6a1a70a..da31856 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -26,6 +26,7 @@ sshd__key_types: # - 'ecdsa' # - 'dsa' # (do not use!) +sshd__manage_key_algorithmus: true sshd__key_algorithmus: - 'ssh-ed25519-cert-v01@openssh.com' - 'ssh-ed25519' @@ -42,6 +43,7 @@ sshd__key_algorithmus: # - 'rsa-sha2-256' # - 'ssh-rsa' +sshd__manage_kex_algorithmus: true sshd__kex_algorithmus: - 'curve25519-sha256@libssh.org' - 'diffie-hellman-group-exchange-sha256' diff --git a/handlers/main.yml b/handlers/main.yml index 4631e53..6cf7bc8 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -4,4 +4,11 @@ ansible.builtin.systemd: name: "{{ sshd__service }}" state: restarted - when: sshd__service is defined + when: sshd__service is defined and ansible_service_mgr == 'systemd' + +- name: service restart ssh + become: true + ansible.builtin.service: + name: "{{ sshd__service }}" + state: restarted + when: sshd__service is defined and ansible_service_mgr != 'systemd' diff --git a/tasks/keys.yml b/tasks/keys.yml index bb286de..fe5f4a3 100644 --- a/tasks/keys.yml +++ b/tasks/keys.yml @@ -9,6 +9,7 @@ - sshd__manage_key_types | bool notify: - systemctl restart ssh + - service restart ssh - name: make sure only the correct keys are available ansible.builtin.file: @@ -19,6 +20,7 @@ - "{{ sshd__key_types_list | difference( sshd__key_types ) }}" notify: - systemctl restart ssh + - service restart ssh - name: make sure only the correct pubkeys are available ansible.builtin.file: @@ -29,3 +31,4 @@ - "{{ sshd__key_types_list | difference( sshd__key_types ) }}" notify: - systemctl restart ssh + - service restart ssh diff --git a/tasks/main.yml b/tasks/main.yml index 96b6dd2..332543c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -49,3 +49,4 @@ backup: true notify: - systemctl restart ssh + - service restart ssh diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 index b2d493c..d470406 100644 
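Review bot: The two new switches land in defaults/main.yml without a comment, and `false` is the security-relevant value: it is meant to stop the role from writing the algorithm directives at all, so whatever the installed OpenSSH allows by default applies again — presumably including entries this file deliberately keeps commented out, such as `ssh-rsa`. A one-line comment above each would make that trade-off visible to whoever flips it, e.g. `# false: do not write HostKeyAlgorithms at all; the OpenSSH built-in defaults then apply` above `sshd__manage_key_algorithmus`, and the KexAlgorithms equivalent above `sshd__manage_kex_algorithmus`. The names follow the existing `sshd__manage_key_types` switch (visible as context in tasks/keys.yml), which is good; the misspelled `algorithmus` is pre-existing and should stay for compatibility.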
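Review bot: The second handler in handlers/main.yml is a copy of the first with only the module swapped, and every task must now notify both names — this commit adds a second notify entry in four places, and a future task that lists only one will silently skip the restart on the other init system. `ansible.builtin.service` already delegates to systemd when that is the service manager, so one handler would do; if both are kept, give each `listen: restart ssh` and have tasks notify that single name. Both `when:` clauses also read `ansible_service_mgr`, which only exists once facts are gathered; with `gather_facts: false` the handler errors on an undefined variable rather than picking a sane default — presumably acceptable, but worth a comment on the handler.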
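Review bot: The restart handlers now fire after the sshd_config template task in tasks/main.yml, but none of the visible arguments checks the rendered file before sshd is restarted; the task's earlier arguments are outside this hunk, so this applies only if `validate:` is not already among them. A template error or an algorithm name the installed OpenSSH does not know would leave sshd unable to start, and `backup: true` alone does not prevent the lockout. Add `validate: '/usr/sbin/sshd -t -f %s'` next to `backup: true` — `sshd -t` rejects unknown `KexAlgorithms`/`HostKeyAlgorithms` values, so the handler never receives a broken config. The sshd path differs per distribution, so it may belong in a per-OS variable like the `sshd__service_var_path` mapping in vars/main.yml.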
--- a/templates/sshd_config.j2 +++ b/templates/sshd_config.j2 @@ -16,11 +16,13 @@ AddressFamily any TCPKeepAlive yes +{% if sshd__manage_key_algorithmus | bool %} # Key exchange {{ 'HostkeyAlgorithms ' }} {%- for algo in sshd__key_algorithmus -%} {{ algo }}{{ "," if not loop.last }} {%- endfor %} +{% endif %} {{ 'KexAlgorithms ' }} {%- for algo in sshd__kex_algorithmus -%} @@ -58,13 +60,14 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key {% endfor %} {%- endif %} - +{% if sshd__manage_kex_algorithmus | bool -%} # HostKeyAlgorithms # Maybe not available in openssh 6.7 {{ 'HostKeyAlgorithms ' }} {%- for key in sshd__key_algorithmus -%} {{ key }}{{ "," if not loop.last }} {%- endfor %} +{% endif %} # Client authentication diff --git a/vars/main.yml b/vars/main.yml index 3e12ee4..1882000 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,5 +1,5 @@ --- -playbook_version_number: 5001 # should be int +playbook_version_number: 5002 # should be int playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version' sshd__service_var_path:
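Review bot: The new `sshd__manage_key_algorithmus` guard in the first hunk wraps only `HostkeyAlgorithms`; the `KexAlgorithms` directive immediately after it (`{{ 'KexAlgorithms ' }}` plus its loop over `sshd__kex_algorithmus`) is not guarded at all, so `sshd__manage_kex_algorithmus: false` never removes KexAlgorithms from the rendered file, contrary to the README text in this commit. Put `{% if sshd__manage_kex_algorithmus | bool %}` before `{{ 'KexAlgorithms ' }}` and the matching `{% endif %}` after its `{%- endfor %}`, which lies outside this hunk. The `# Key exchange` comment above `HostkeyAlgorithms` is also misleading and would be better placed above the KexAlgorithms block.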
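Review bot: The second hunk tests `sshd__manage_kex_algorithmus` but the block it guards is `HostKeyAlgorithms` (the loop runs over `sshd__key_algorithmus`), so the kex switch disables the host-key list instead of the key exchange list; the condition should read `{% if sshd__manage_key_algorithmus | bool -%}`. Because this is the second `HostKeyAlgorithms` emission in the template — the first, in the earlier hunk, is guarded by the key switch — turning off either switch alone still leaves one copy of the directive in sshd_config, and only setting both to false removes it, which is presumably not what the new options intend. Once the condition is corrected, one of the two duplicate `HostKeyAlgorithms` blocks should go, since both render the same list and the second one's `# Maybe not available in openssh 6.7` comment suggests it was the original.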