Merge pull request #2 from roles-ansible/key_kex

otionally disable key and kex algorythmus setting

.github/workflows/ansible-linting-check.yml

@@ -7,8 +7,6 @@ on:
     branches: '*'
   pull_request:
     branches: '*'
-  schedule:
-    - cron: '42 6 * */1 *'
 
 jobs:
   build:

.github/workflows/yamllint.yaml

@@ -7,8 +7,6 @@ on:
     branches: '*'
   pull_request:
     branches: '*'
-  schedule:
-    - cron: '23 6 * */1 *'
 
 jobs:
   yamllint:

README.md

@@ -62,6 +62,7 @@ users:
 
 + **Advanced SSH Algorithm Settings**<br/>
   You can define the used Key and Kex Algorithm here to. For the default values and some examples for the variables ``sshd__key_algorithmus`` and ``sshd__kex_algorithmus`` have a look into ``defaults/main.yml``.
+  You can disable it by setting ``sshd__manage_key_algorithmus`` and ``sshd__manage_kex_algorithmus`` to ``false``.
 
 
 + **force new SSH Features**<br/>

defaults/main.yml

@@ -26,6 +26,7 @@ sshd__key_types:
   # - 'ecdsa'
   # - 'dsa' # (do not use!)
 
+sshd__manage_key_algorithmus: true
 sshd__key_algorithmus:
   - 'ssh-ed25519-cert-v01@openssh.com'
   - 'ssh-ed25519'
@@ -42,6 +43,7 @@ sshd__key_algorithmus:
   # - 'rsa-sha2-256'
   # - 'ssh-rsa'
 
+sshd__manage_kex_algorithmus: true
 sshd__kex_algorithmus:
   - 'curve25519-sha256@libssh.org'
   - 'diffie-hellman-group-exchange-sha256'

handlers/main.yml

@@ -4,4 +4,11 @@
   ansible.builtin.systemd:
     name: "{{ sshd__service }}"
     state: restarted
-  when: sshd__service is defined
+  when: sshd__service is defined and ansible_service_mgr == 'systemd'
+
+- name: service restart ssh
+  become: true
+  ansible.builtin.service:
+    name: "{{ sshd__service }}"
+    state: restarted
+  when: sshd__service is defined and ansible_service_mgr != 'systemd'

tasks/keys.yml

@@ -9,6 +9,7 @@
     - sshd__manage_key_types | bool
   notify:
     - systemctl restart ssh
+    - service restart ssh
 
 - name: make sure only the correct keys are available
   ansible.builtin.file:
@@ -19,6 +20,7 @@
     - "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
   notify:
     - systemctl restart ssh
+    - service restart ssh
 
 - name: make sure only the correct pubkeys are available
   ansible.builtin.file:
@@ -29,3 +31,4 @@
     - "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
   notify:
     - systemctl restart ssh
+    - service restart ssh

tasks/main.yml

@@ -49,3 +49,4 @@
     backup: true
   notify:
     - systemctl restart ssh
+    - service restart ssh

templates/sshd_config.j2

@@ -16,11 +16,13 @@ AddressFamily any
 
 TCPKeepAlive yes
 
+{% if sshd__manage_key_algorithmus | bool %}
 # Key exchange
 {{ 'HostkeyAlgorithms ' }}
 {%- for algo in sshd__key_algorithmus -%}
 {{ algo }}{{ "," if not loop.last }}
 {%- endfor %}
+{% endif %}
 
 {{ 'KexAlgorithms ' }}
 {%- for algo in sshd__kex_algorithmus -%}
@@ -58,13 +60,14 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
 {% endfor %}
 {%- endif %}
 
-
+{% if sshd__manage_kex_algorithmus | bool -%}
 # HostKeyAlgorithms
 # Maybe not available in openssh 6.7
 {{ 'HostKeyAlgorithms ' }}
 {%- for key in sshd__key_algorithmus -%}
 {{ key }}{{ "," if not loop.last }}
 {%- endfor %}
+{% endif %}
 
 
 # Client authentication

vars/main.yml

@@ -1,5 +1,5 @@
 ---
-playbook_version_number: 5001  # should be int
+playbook_version_number: 5002  # should be int
 playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version'
 
 sshd__service_var_path: