diff --git a/.github/workflows/ansible-linting-check.yml b/.github/workflows/ansible-linting-check.yml
index 7973217..ab63487 100644
--- a/.github/workflows/ansible-linting-check.yml
+++ b/.github/workflows/ansible-linting-check.yml
@@ -7,8 +7,6 @@ on:
branches: '*'
pull_request:
branches: '*'
- schedule:
- - cron: '42 6 * */1 *'
jobs:
build:
diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml
index ddb5b89..d4ad029 100644
--- a/.github/workflows/yamllint.yaml
+++ b/.github/workflows/yamllint.yaml
@@ -7,8 +7,6 @@ on:
branches: '*'
pull_request:
branches: '*'
- schedule:
- - cron: '23 6 * */1 *'
jobs:
yamllint:
diff --git a/README.md b/README.md
index 75b1bca..2773d6f 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,7 @@ users:
+ **Advanced SSH Algorithm Settings**
You can define the used Key and Kex Algorithm here to. For the default values and some examples for the variables ``sshd__key_algorithmus`` and ``sshd__kex_algorithmus`` have a look into ``defaults/main.yml``.
+ You can disable it by setting ``sshd__manage_key_algorithmus`` and ``sshd__manage_kex_algorithmus`` to ``false``.
+ **force new SSH Features**
diff --git a/defaults/main.yml b/defaults/main.yml
index 6a1a70a..da31856 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -26,6 +26,7 @@ sshd__key_types:
# - 'ecdsa'
# - 'dsa' # (do not use!)
+sshd__manage_key_algorithmus: true
sshd__key_algorithmus:
- 'ssh-ed25519-cert-v01@openssh.com'
- 'ssh-ed25519'
@@ -42,6 +43,7 @@ sshd__key_algorithmus:
# - 'rsa-sha2-256'
# - 'ssh-rsa'
+sshd__manage_kex_algorithmus: true
sshd__kex_algorithmus:
- 'curve25519-sha256@libssh.org'
- 'diffie-hellman-group-exchange-sha256'
diff --git a/handlers/main.yml b/handlers/main.yml
index 4631e53..6cf7bc8 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -4,4 +4,11 @@
ansible.builtin.systemd:
name: "{{ sshd__service }}"
state: restarted
- when: sshd__service is defined
+ when: sshd__service is defined and ansible_service_mgr == 'systemd'
+
+- name: service restart ssh
+ become: true
+ ansible.builtin.service:
+ name: "{{ sshd__service }}"
+ state: restarted
+ when: sshd__service is defined and ansible_service_mgr != 'systemd'
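Review bot: The new `service restart ssh` handler restarts sshd as soon as it is notified, with no check that the freshly rendered configuration is loadable, so on non-systemd hosts a template error leaves sshd down and the operator locked out. The template task that notifies it (tasks/main.yml, only `backup: true` is visible in this diff) should pass `validate: '/usr/sbin/sshd -t -f %s'` if it does not already, so a broken render fails the play instead of the daemon. It is also worth a one-line comment above the pair explaining the split, e.g. `# systemd hosts use the systemctl handler above; this one covers SysV/OpenRC/etc.`, since `ansible.builtin.service` alone would have dispatched to systemd as well and a reader may otherwise wonder why both exist.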
diff --git a/tasks/keys.yml b/tasks/keys.yml
index bb286de..fe5f4a3 100644
--- a/tasks/keys.yml
+++ b/tasks/keys.yml
@@ -9,6 +9,7 @@
- sshd__manage_key_types | bool
notify:
- systemctl restart ssh
+ - service restart ssh
- name: make sure only the correct keys are available
ansible.builtin.file:
@@ -19,6 +20,7 @@
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
notify:
- systemctl restart ssh
+ - service restart ssh
- name: make sure only the correct pubkeys are available
ansible.builtin.file:
@@ -29,3 +31,4 @@
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
notify:
- systemctl restart ssh
+ - service restart ssh
diff --git a/tasks/main.yml b/tasks/main.yml
index 96b6dd2..332543c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -49,3 +49,4 @@
backup: true
notify:
- systemctl restart ssh
+ - service restart ssh
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index b2d493c..d470406 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -16,11 +16,13 @@ AddressFamily any
TCPKeepAlive yes
+{% if sshd__manage_key_algorithmus | bool %}
# Key exchange
{{ 'HostkeyAlgorithms ' }}
{%- for algo in sshd__key_algorithmus -%}
{{ algo }}{{ "," if not loop.last }}
{%- endfor %}
+{% endif %}
{{ 'KexAlgorithms ' }}
{%- for algo in sshd__kex_algorithmus -%}
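Review bot: The `sshd__manage_key_algorithmus` guard added here closes with the `{% endif %}` before `KexAlgorithms`, so the KexAlgorithms directive that follows is still rendered unconditionally and nothing in this hunk consults `sshd__manage_kex_algorithmus`, even though the README says that variable disables it. The fix is to open a second guard before the directive, `{% if sshd__manage_kex_algorithmus | bool %}` above `{{ 'KexAlgorithms ' }}`, and close it with `{% endif %}` after the loop's `{%- endfor %}`, which lies past the end of this hunk. The `# Key exchange` comment now sits above a HostkeyAlgorithms block; `# Host key algorithms` would describe what is actually emitted.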
@@ -58,13 +60,14 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
{% endfor %}
{%- endif %}
-
+{% if sshd__manage_kex_algorithmus | bool -%}
# HostKeyAlgorithms
# Maybe not available in openssh 6.7
{{ 'HostKeyAlgorithms ' }}
{%- for key in sshd__key_algorithmus -%}
{{ key }}{{ "," if not loop.last }}
{%- endfor %}
+{% endif %}
# Client authentication
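Review bot: The guard `{% if sshd__manage_kex_algorithmus | bool -%}` wraps a block that emits `HostKeyAlgorithms` from `sshd__key_algorithmus`, not a KEX setting, so `sshd__manage_kex_algorithmus: false` silently drops the host-key algorithm pinning while leaving KexAlgorithms in place, and `sshd__manage_key_algorithmus: false` has no effect on this block at all. The condition should read `{% if sshd__manage_key_algorithmus | bool -%}` to match the directive it controls. Separately, the template now renders HostKeyAlgorithms twice (once in the earlier hunk, once here) from the same list; sshd_config(5) takes the first value given for a keyword, so the two blocks should be consolidated into one guarded block to avoid the two guards disagreeing.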
diff --git a/vars/main.yml b/vars/main.yml
index 3e12ee4..1882000 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,5 +1,5 @@
---
-playbook_version_number: 5001 # should be int
+playbook_version_number: 5002 # should be int
playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version'
sshd__service_var_path: