diff --git a/.github/workflows/ansible-linting-check.yml b/.github/workflows/ansible-linting-check.yml index 7973217..ab63487 100644 --- a/.github/workflows/ansible-linting-check.yml +++ b/.github/workflows/ansible-linting-check.yml @@ -7,8 +7,6 @@ on: branches: '*' pull_request: branches: '*' - schedule: - - cron: '42 6 * */1 *' jobs: build: diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml index ddb5b89..d4ad029 100644 --- a/.github/workflows/yamllint.yaml +++ b/.github/workflows/yamllint.yaml @@ -7,8 +7,6 @@ on: branches: '*' pull_request: branches: '*' - schedule: - - cron: '23 6 * */1 *' jobs: yamllint: diff --git a/README.md b/README.md index 75b1bca..2773d6f 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,7 @@ users: + **Advanced SSH Algorithm Settings**
You can define the used Key and Kex Algorithm here to. For the default values and some examples for the variables ``sshd__key_algorithmus`` and ``sshd__kex_algorithmus`` have a look into ``defaults/main.yml``. + You can disable it by setting ``sshd__manage_key_algorithmus`` and ``sshd__manage_kex_algorithmus`` to ``false``. + **force new SSH Features**
diff --git a/defaults/main.yml b/defaults/main.yml index 6a1a70a..da31856 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -26,6 +26,7 @@ sshd__key_types: # - 'ecdsa' # - 'dsa' # (do not use!) +sshd__manage_key_algorithmus: true sshd__key_algorithmus: - 'ssh-ed25519-cert-v01@openssh.com' - 'ssh-ed25519' @@ -42,6 +43,7 @@ sshd__key_algorithmus: # - 'rsa-sha2-256' # - 'ssh-rsa' +sshd__manage_kex_algorithmus: true sshd__kex_algorithmus: - 'curve25519-sha256@libssh.org' - 'diffie-hellman-group-exchange-sha256' diff --git a/handlers/main.yml b/handlers/main.yml index 4631e53..6cf7bc8 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -4,4 +4,11 @@ ansible.builtin.systemd: name: "{{ sshd__service }}" state: restarted - when: sshd__service is defined + when: sshd__service is defined and ansible_service_mgr == 'systemd' + +- name: service restart ssh + become: true + ansible.builtin.service: + name: "{{ sshd__service }}" + state: restarted + when: sshd__service is defined and ansible_service_mgr != 'systemd' diff --git a/tasks/keys.yml b/tasks/keys.yml index bb286de..fe5f4a3 100644 --- a/tasks/keys.yml +++ b/tasks/keys.yml @@ -9,6 +9,7 @@ - sshd__manage_key_types | bool notify: - systemctl restart ssh + - service restart ssh - name: make sure only the correct keys are available ansible.builtin.file: @@ -19,6 +20,7 @@ - "{{ sshd__key_types_list | difference( sshd__key_types ) }}" notify: - systemctl restart ssh + - service restart ssh - name: make sure only the correct pubkeys are available ansible.builtin.file: @@ -29,3 +31,4 @@ - "{{ sshd__key_types_list | difference( sshd__key_types ) }}" notify: - systemctl restart ssh + - service restart ssh diff --git a/tasks/main.yml b/tasks/main.yml index 96b6dd2..332543c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -49,3 +49,4 @@ backup: true notify: - systemctl restart ssh + - service restart ssh diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 index b2d493c..d470406 100644 --- a/templates/sshd_config.j2 +++ b/templates/sshd_config.j2 @@ -16,11 +16,13 @@ AddressFamily any TCPKeepAlive yes +{% if sshd__manage_key_algorithmus | bool %} # Key exchange {{ 'HostkeyAlgorithms ' }} {%- for algo in sshd__key_algorithmus -%} {{ algo }}{{ "," if not loop.last }} {%- endfor %} +{% endif %} {{ 'KexAlgorithms ' }} {%- for algo in sshd__kex_algorithmus -%} @@ -58,13 +60,14 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key {% endfor %} {%- endif %} - +{% if sshd__manage_kex_algorithmus | bool -%} # HostKeyAlgorithms # Maybe not available in openssh 6.7 {{ 'HostKeyAlgorithms ' }} {%- for key in sshd__key_algorithmus -%} {{ key }}{{ "," if not loop.last }} {%- endfor %} +{% endif %} # Client authentication diff --git a/vars/main.yml b/vars/main.yml index 3e12ee4..1882000 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,5 +1,5 @@ --- -playbook_version_number: 5001 # should be int +playbook_version_number: 5002 # should be int playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version' sshd__service_var_path: