Merge pull request #2 from roles-ansible/key_kex
Optionally disable the key and kex algorithm settings
commit
4b5b730019
9 changed files with 20 additions and 7 deletions
.github/workflows/ansible-linting-check.yml
|
@ -7,8 +7,6 @@ on:
|
||||||
branches: '*'
|
branches: '*'
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: '*'
|
branches: '*'
|
||||||
schedule:
|
|
||||||
- cron: '42 6 * */1 *'
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
|
|
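Review bot: Dropping the `schedule:` / `- cron: '42 6 * */1 *'` trigger leaves ansible-lint running only on `push` and `pull_request`, so a newer ansible-lint release that starts rejecting existing role content will first show up on the next unrelated PR rather than on its own run. If the scheduled run was removed because it was noisy, adding `workflow_dispatch:` under `on:` at least keeps a manual way to re-lint the default branch without a commit. The same removal is made in the yamllint workflow below.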
.github/workflows/yamllint.yaml
|
@ -7,8 +7,6 @@ on:
|
||||||
branches: '*'
|
branches: '*'
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: '*'
|
branches: '*'
|
||||||
schedule:
|
|
||||||
- cron: '23 6 * */1 *'
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
yamllint:
|
yamllint:
|
||||||
|
|
|
@ -62,6 +62,7 @@ users:
|
||||||
|
|
||||||
+ **Advanced SSH Algorithm Settings**<br/>
|
+ **Advanced SSH Algorithm Settings**<br/>
|
||||||
You can define the used Key and Kex Algorithm here to. For the default values and some examples for the variables ``sshd__key_algorithmus`` and ``sshd__kex_algorithmus`` have a look into ``defaults/main.yml``.
|
You can define the used Key and Kex Algorithm here to. For the default values and some examples for the variables ``sshd__key_algorithmus`` and ``sshd__kex_algorithmus`` have a look into ``defaults/main.yml``.
|
||||||
|
You can disable it by setting ``sshd__manage_key_algorithmus`` and ``sshd__manage_kex_algorithmus`` to ``false``.
|
||||||
|
|
||||||
|
|
||||||
+ **force new SSH Features**<br/>
|
+ **force new SSH Features**<br/>
|
||||||
|
|
|
@ -26,6 +26,7 @@ sshd__key_types:
|
||||||
# - 'ecdsa'
|
# - 'ecdsa'
|
||||||
# - 'dsa' # (do not use!)
|
# - 'dsa' # (do not use!)
|
||||||
|
|
||||||
|
sshd__manage_key_algorithmus: true
|
||||||
sshd__key_algorithmus:
|
sshd__key_algorithmus:
|
||||||
- 'ssh-ed25519-cert-v01@openssh.com'
|
- 'ssh-ed25519-cert-v01@openssh.com'
|
||||||
- 'ssh-ed25519'
|
- 'ssh-ed25519'
|
||||||
|
@ -42,6 +43,7 @@ sshd__key_algorithmus:
|
||||||
# - 'rsa-sha2-256'
|
# - 'rsa-sha2-256'
|
||||||
# - 'ssh-rsa'
|
# - 'ssh-rsa'
|
||||||
|
|
||||||
|
sshd__manage_kex_algorithmus: true
|
||||||
sshd__kex_algorithmus:
|
sshd__kex_algorithmus:
|
||||||
- 'curve25519-sha256@libssh.org'
|
- 'curve25519-sha256@libssh.org'
|
||||||
- 'diffie-hellman-group-exchange-sha256'
|
- 'diffie-hellman-group-exchange-sha256'
|
||||||
|
|
|
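Review bot: The two new switches `sshd__manage_key_algorithmus: true` and `sshd__manage_kex_algorithmus: true` land in defaults/main.yml without a comment, and what `false` means is not obvious from the name: per the template change in this commit the role then writes no algorithm directive at all, so sshd is left on whatever list the installed OpenSSH build ships with, and the curated lists directly below are silently not applied. I would put one line above each, e.g. `# false = do not write this directive at all; sshd falls back to its compiled-in default algorithm list (no hardening applied)`. Keeping the naming aligned with the existing `sshd__manage_key_types` switch is good; documenting the fallback is what an operator reading only this file needs.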
@ -4,4 +4,11 @@
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: "{{ sshd__service }}"
|
name: "{{ sshd__service }}"
|
||||||
state: restarted
|
state: restarted
|
||||||
when: sshd__service is defined
|
when: sshd__service is defined and ansible_service_mgr == 'systemd'
|
||||||
|
|
||||||
|
- name: service restart ssh
|
||||||
|
become: true
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: "{{ sshd__service }}"
|
||||||
|
state: restarted
|
||||||
|
when: sshd__service is defined and ansible_service_mgr != 'systemd'
|
||||||
|
|
|
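Review bot: The new condition `when: sshd__service is defined and ansible_service_mgr != 'systemd'` on `service restart ssh`, and the matching `== 'systemd'` added to the systemd handler, dereference a gathered fact; with `gather_facts: false` (or a play that collects no facts before the handler fires) `ansible_service_mgr` is undefined and the conditional errors out instead of skipping, which is a regression from the previous `when: sshd__service is defined`. Use `ansible_service_mgr | default('') != 'systemd'` here and `ansible_service_mgr | default('') == 'systemd'` on the systemd handler, or state in the README that the role requires facts. As far as I know `ansible.builtin.service` already delegates to systemd on systemd hosts, so a single service handler would also work without the fact check unless the systemd-specific module behaviour is wanted. The systemd handler's `- name:` / `become:` lines lie above this hunk.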
@ -9,6 +9,7 @@
|
||||||
- sshd__manage_key_types | bool
|
- sshd__manage_key_types | bool
|
||||||
notify:
|
notify:
|
||||||
- systemctl restart ssh
|
- systemctl restart ssh
|
||||||
|
- service restart ssh
|
||||||
|
|
||||||
- name: make sure only the correct keys are available
|
- name: make sure only the correct keys are available
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
|
@ -19,6 +20,7 @@
|
||||||
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
|
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
|
||||||
notify:
|
notify:
|
||||||
- systemctl restart ssh
|
- systemctl restart ssh
|
||||||
|
- service restart ssh
|
||||||
|
|
||||||
- name: make sure only the correct pubkeys are available
|
- name: make sure only the correct pubkeys are available
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
|
@ -29,3 +31,4 @@
|
||||||
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
|
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
|
||||||
notify:
|
notify:
|
||||||
- systemctl restart ssh
|
- systemctl restart ssh
|
||||||
|
- service restart ssh
|
||||||
|
|
|
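Review bot: Every `notify:` list in this file now repeats both handler names, `- systemctl restart ssh` and `- service restart ssh`, and any future task has to remember to list both or the non-systemd path silently never restarts. Giving both handlers `listen: restart ssh` and notifying that single topic (`notify: - restart ssh`) keeps the mutual exclusion in the handlers' `when:` clauses and removes the three-fold duplication here (and the one in the template task). Only the `notify:` lines of these tasks are inside the hunks; the task bodies start above them.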
@ -49,3 +49,4 @@
|
||||||
backup: true
|
backup: true
|
||||||
notify:
|
notify:
|
||||||
- systemctl restart ssh
|
- systemctl restart ssh
|
||||||
|
- service restart ssh
|
||||||
|
|
|
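Review bot: The task that writes sshd_config (its module call starts above this hunk; only `backup: true` is visible) now also triggers `service restart ssh`, so if it does not already pass `validate: '/usr/sbin/sshd -t -f %s'`, a rendered file that sshd rejects — for example an empty `sshd__key_algorithmus` list producing a `HostKeyAlgorithms` keyword with no value, or a directive the installed OpenSSH does not know — is restarted into and locks out remote access, which `backup: true` does not undo by itself. With `validate` set the template task fails before any handler fires and the previous config stays in place. If the validate argument is already present outside the hunk, ignore this.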
@ -16,11 +16,13 @@ AddressFamily any
|
||||||
|
|
||||||
TCPKeepAlive yes
|
TCPKeepAlive yes
|
||||||
|
|
||||||
|
{% if sshd__manage_key_algorithmus | bool %}
|
||||||
# Key exchange
|
# Key exchange
|
||||||
{{ 'HostkeyAlgorithms ' }}
|
{{ 'HostkeyAlgorithms ' }}
|
||||||
{%- for algo in sshd__key_algorithmus -%}
|
{%- for algo in sshd__key_algorithmus -%}
|
||||||
{{ algo }}{{ "," if not loop.last }}
|
{{ algo }}{{ "," if not loop.last }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{{ 'KexAlgorithms ' }}
|
{{ 'KexAlgorithms ' }}
|
||||||
{%- for algo in sshd__kex_algorithmus -%}
|
{%- for algo in sshd__kex_algorithmus -%}
|
||||||
|
@ -58,13 +60,14 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
|
||||||
|
{% if sshd__manage_kex_algorithmus | bool -%}
|
||||||
# HostKeyAlgorithms
|
# HostKeyAlgorithms
|
||||||
# Maybe not available in openssh 6.7
|
# Maybe not available in openssh 6.7
|
||||||
{{ 'HostKeyAlgorithms ' }}
|
{{ 'HostKeyAlgorithms ' }}
|
||||||
{%- for key in sshd__key_algorithmus -%}
|
{%- for key in sshd__key_algorithmus -%}
|
||||||
{{ key }}{{ "," if not loop.last }}
|
{{ key }}{{ "," if not loop.last }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
|
||||||
# Client authentication
|
# Client authentication
|
||||||
|
|
|
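Review bot: The two guards are crossed: in the `@ -58,13 +60,14` hunk `{% if sshd__manage_kex_algorithmus | bool -%}` wraps a `HostKeyAlgorithms` block built from `sshd__key_algorithmus`, while the `KexAlgorithms` directive that follows the first `{% endif %}` sits inside no visible `if`, so `sshd__manage_kex_algorithmus: false` still pins KexAlgorithms and instead drops a host-key list, and `sshd__manage_key_algorithmus: false` still leaves `HostKeyAlgorithms` in the file through that second block. Both blocks emit the same list (the first, spelled `HostkeyAlgorithms` under a misleading `# Key exchange` comment, is the one sshd honours, since sshd_config(5) takes the first occurrence of a keyword), so I would change the second guard to `{% if sshd__manage_key_algorithmus | bool -%}`, delete the first `HostkeyAlgorithms` block, and wrap `KexAlgorithms` in `{% if sshd__manage_kex_algorithmus | bool %}` … `{% endif %}`. An empty `sshd__key_algorithmus` or `sshd__kex_algorithmus` list would still render the keyword with no value, which sshd rejects; a `length` check in the guard or a documented non-empty requirement would cover that. The KexAlgorithms for-loop continues past the first hunk.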
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
playbook_version_number: 5001 # should be int
|
playbook_version_number: 5002 # should be int
|
||||||
playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version'
|
playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version'
|
||||||
|
|
||||||
sshd__service_var_path:
|
sshd__service_var_path:
|
||||||
|
|