
Merge pull request #2 from roles-ansible/key_kex

Optionally disable the key and kex algorithm settings
This commit is contained in:
L3D 2021-07-13 11:23:37 +02:00 committed by GitHub
commit 4b5b730019
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 20 additions and 7 deletions


@ -7,8 +7,6 @@ on:
branches: '*' branches: '*'
pull_request: pull_request:
branches: '*' branches: '*'
schedule:
- cron: '42 6 * */1 *'
jobs: jobs:
build: build:


@ -7,8 +7,6 @@ on:
branches: '*' branches: '*'
pull_request: pull_request:
branches: '*' branches: '*'
schedule:
- cron: '23 6 * */1 *'
jobs: jobs:
yamllint: yamllint:


@ -62,6 +62,7 @@ users:
+ **Advanced SSH Algorithm Settings**<br/> + **Advanced SSH Algorithm Settings**<br/>
You can define the used Key and Kex Algorithm here to. For the default values and some examples for the variables ``sshd__key_algorithmus`` and ``sshd__kex_algorithmus`` have a look into ``defaults/main.yml``. You can define the used Key and Kex Algorithm here to. For the default values and some examples for the variables ``sshd__key_algorithmus`` and ``sshd__kex_algorithmus`` have a look into ``defaults/main.yml``.
You can disable it by setting ``sshd__manage_key_algorithmus`` and ``sshd__manage_kex_algorithmus`` to ``false``.
+ **force new SSH Features**<br/> + **force new SSH Features**<br/>


@ -26,6 +26,7 @@ sshd__key_types:
# - 'ecdsa' # - 'ecdsa'
# - 'dsa' # (do not use!) # - 'dsa' # (do not use!)
sshd__manage_key_algorithmus: true
sshd__key_algorithmus: sshd__key_algorithmus:
- 'ssh-ed25519-cert-v01@openssh.com' - 'ssh-ed25519-cert-v01@openssh.com'
- 'ssh-ed25519' - 'ssh-ed25519'
@ -42,6 +43,7 @@ sshd__key_algorithmus:
# - 'rsa-sha2-256' # - 'rsa-sha2-256'
# - 'ssh-rsa' # - 'ssh-rsa'
sshd__manage_kex_algorithmus: true
sshd__kex_algorithmus: sshd__kex_algorithmus:
- 'curve25519-sha256@libssh.org' - 'curve25519-sha256@libssh.org'
- 'diffie-hellman-group-exchange-sha256' - 'diffie-hellman-group-exchange-sha256'
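Review bot: `sshd__manage_key_algorithmus: true` and `sshd__manage_kex_algorithmus: true` are introduced without a comment, unlike the annotated example lists around them, so a reader of this file cannot tell what `false` changes. The template hunk in this commit only emits the algorithm lines inside these conditions, so a comment such as `# false leaves HostKeyAlgorithms unset and sshd falls back to the built-in default of the installed OpenSSH version` above the first toggle, with the KexAlgorithms counterpart above the second, states the trade-off: the curated lists are dropped and the effective algorithms then depend on the target's OpenSSH version. The enclosing lists continue outside the hunks.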


@ -4,4 +4,11 @@
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ sshd__service }}" name: "{{ sshd__service }}"
state: restarted state: restarted
when: sshd__service is defined when: sshd__service is defined and ansible_service_mgr == 'systemd'
- name: service restart ssh
become: true
ansible.builtin.service:
name: "{{ sshd__service }}"
state: restarted
when: sshd__service is defined and ansible_service_mgr != 'systemd'
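Review bot: Splitting the restart into a systemd handler and a generic `ansible.builtin.service` handler means every notifying task has to list both names, as the notify lists in the following tasks hunks now do. Adding `listen: restart ssh` to both handlers and notifying that single name keeps the per-service-manager `when:` split while removing the repeated two-item lists. `ansible.builtin.service` itself dispatches to systemd when that is the service manager, so the dedicated systemd handler may be redundant; if the split is intentional, a one-line comment above it saying why would stop the next reader from collapsing it.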


@ -9,6 +9,7 @@
- sshd__manage_key_types | bool - sshd__manage_key_types | bool
notify: notify:
- systemctl restart ssh - systemctl restart ssh
- service restart ssh
- name: make sure only the correct keys are available - name: make sure only the correct keys are available
ansible.builtin.file: ansible.builtin.file:
@ -19,6 +20,7 @@
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}" - "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
notify: notify:
- systemctl restart ssh - systemctl restart ssh
- service restart ssh
- name: make sure only the correct pubkeys are available - name: make sure only the correct pubkeys are available
ansible.builtin.file: ansible.builtin.file:
@ -29,3 +31,4 @@
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}" - "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
notify: notify:
- systemctl restart ssh - systemctl restart ssh
- service restart ssh


@ -49,3 +49,4 @@
backup: true backup: true
notify: notify:
- systemctl restart ssh - systemctl restart ssh
- service restart ssh
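Review bot: The task now notifies a restart through both handlers, but nothing checks the written configuration before sshd is restarted; content that sshd rejects would leave the service down and, on a remote host, remove the access Ansible needs to repair it. If this is the `ansible.builtin.template` task that writes sshd_config, adding `validate: /usr/sbin/sshd -t -f %s` next to `backup: true` runs the syntax check against the temporary file and fails the task before the file is replaced, so the restart handlers are never triggered on invalid content. The task's start is outside the hunk, so the module name cannot be confirmed from here.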


@ -16,11 +16,13 @@ AddressFamily any
TCPKeepAlive yes TCPKeepAlive yes
{% if sshd__manage_key_algorithmus | bool %}
# Key exchange # Key exchange
{{ 'HostkeyAlgorithms ' }} {{ 'HostkeyAlgorithms ' }}
{%- for algo in sshd__key_algorithmus -%} {%- for algo in sshd__key_algorithmus -%}
{{ algo }}{{ "," if not loop.last }} {{ algo }}{{ "," if not loop.last }}
{%- endfor %} {%- endfor %}
{% endif %}
{{ 'KexAlgorithms ' }} {{ 'KexAlgorithms ' }}
{%- for algo in sshd__kex_algorithmus -%} {%- for algo in sshd__kex_algorithmus -%}
@ -58,13 +60,14 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
{% endfor %} {% endfor %}
{%- endif %} {%- endif %}
{% if sshd__manage_kex_algorithmus | bool -%}
# HostKeyAlgorithms # HostKeyAlgorithms
# Maybe not available in openssh 6.7 # Maybe not available in openssh 6.7
{{ 'HostKeyAlgorithms ' }} {{ 'HostKeyAlgorithms ' }}
{%- for key in sshd__key_algorithmus -%} {%- for key in sshd__key_algorithmus -%}
{{ key }}{{ "," if not loop.last }} {{ key }}{{ "," if not loop.last }}
{%- endfor %} {%- endfor %}
{% endif %}
# Client authentication # Client authentication
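Review bot: The two new guards do not match the settings they wrap: `{% if sshd__manage_kex_algorithmus | bool -%}` in the second hunk encloses the `# HostKeyAlgorithms` block, which iterates `sshd__key_algorithmus`, while the `{{ 'KexAlgorithms ' }}` line in the first hunk sits after the `{% endif %}` and is emitted regardless of the kex toggle (its loop closes outside the hunk, so a guard there cannot be ruled out). As visible here, `sshd__manage_key_algorithmus: false` still yields a HostKeyAlgorithms line from the second block, and `sshd__manage_kex_algorithmus: false` has no effect on KexAlgorithms. The second guard should read `{% if sshd__manage_key_algorithmus | bool %}`, and the KexAlgorithms emission should get its own `{% if sshd__manage_kex_algorithmus | bool %}` … `{% endif %}` around its loop. HostKeyAlgorithms is also emitted twice in this template; sshd honours the first value it reads for a keyword, so the second block only takes effect when the first is disabled, and collapsing them into one guarded block would make the toggle unambiguous.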


@ -1,5 +1,5 @@
--- ---
playbook_version_number: 5001 # should be int playbook_version_number: 5002 # should be int
playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version' playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version'
sshd__service_var_path: sshd__service_var_path: