From 7b7abebb684a03bbfe40da670c313c68940f6f96 Mon Sep 17 00:00:00 2001
From: L3D
Date: Tue, 9 Apr 2019 22:13:59 +0200
Subject: [PATCH] Improve SSHD config

---
 defaults/main.yml | 2 ++
 tasks/main.yml | 2 +-
 templates/{sshd_config => sshd_config.j2} | 7 +++++--
 3 files changed, 8 insertions(+), 3 deletions(-)
 rename templates/{sshd_config => sshd_config.j2} (92%)

diff --git a/defaults/main.yml b/defaults/main.yml
index b52fedf..cbe4d2d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -22,3 +22,5 @@ sshd_password_authentication: 'no' # 'yes' or 'no'
 # Allow optional cryptho methods (NOT RECOMENDED)
 generate_ecdsa_too: false
 use_diffie-hellman-group-exchange-sha256: false
+use_aes256-ctr: false
+use_hmac-sha2-512: false
diff --git a/tasks/main.yml b/tasks/main.yml
index d5ce0ef..7123547 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -20,7 +20,7 @@
 - name: Copy sshd configuration
   become: yes
   template:
-    src: sshd_config
+    src: sshd_config.j2
     dest: '/etc/ssh/sshd_config'
     owner: root
     group: root
diff --git a/templates/sshd_config b/templates/sshd_config.j2
similarity index 92%
rename from templates/sshd_config
rename to templates/sshd_config.j2
index 770d5aa..5f30447 100644
--- a/templates/sshd_config
+++ b/templates/sshd_config.j2
@@ -1,3 +1,4 @@
+# Attention, do not make changes
 # {{ ansible_managed }}
 
 
@@ -57,7 +58,8 @@ endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
 # aes256-ctr,
 # aes192-ctr,
 # aes128-ctr
-Ciphers chacha20-poly1305@openssh.com
+Ciphers chacha20-poly1305@openssh.com{%
+if use_aes256-ctr %},aes256-ctr{% endif %}
 
 
 # Message authentication codes
@@ -69,7 +71,8 @@ Ciphers chacha20-poly1305@openssh.com
 # hmac-sha2-256,
 # hmac-ripemd160,
 # umac-128@openssh.com
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com{%
+if use_hmac-sha2-512 %},hmac-sha2-512{% endif %}
 
 
 # Allow client to pass locale environment variables
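Review bot: The new keys `use_aes256-ctr` and `use_hmac-sha2-512` contain hyphens, so they are not valid Jinja2 identifiers and cannot be referenced as bare names from a template — in an expression `use_aes256-ctr` is tokenised as `use_aes256 - ctr`, two separate names joined by subtraction — and Ansible, depending on the release, also warns about or rejects variable names that are not valid identifiers, which is worth checking against the targeted version. The pre-existing `use_diffie-hellman-group-exchange-sha256` key in the context lines has the same defect. Rename both to underscore form, `use_aes256_ctr: false` and `use_hmac_sha2_512: false`, and update the template tags in the same commit; a role prefix such as `sshd_use_aes256_ctr`, matching `sshd_password_authentication` above, would additionally keep these flags out of the global variable namespace. The `(NOT RECOMENDED)` comment should also say what enabling them costs, e.g. `# Legacy non-AEAD / non-ETM algorithms; enable only for clients that cannot negotiate the defaults`.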
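Review bot: `{% if use_aes256-ctr %}` never tests the boolean added in defaults/main.yml: Jinja2 parses `use_aes256-ctr` as `use_aes256 - ctr`, so with Ansible's default undefined handling the render most likely fails with an undefined-variable error, and if both names happened to be defined it would evaluate an arithmetic expression rather than the flag. Use an identifier-safe name in both files, `{% if use_aes256_ctr %},aes256-ctr{% endif %}`, or read the hyphenated key explicitly with `vars['use_aes256-ctr']` if it cannot be renamed. Placing aes256-ctr at the end of the server list is not a fallback-only position: per RFC 4253 the negotiated cipher is the first entry in the client's list that the server also offers, so any client preferring aes256-ctr gets it whenever the flag is on, and the comment above the directive should say so. Splitting the tag across lines as `{%` / `if … %}` is legal but hides the condition at a glance; keeping the whole `{% if … %}` on one line reads better.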
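Review bot: `hmac-sha2-512` without the `-etm@openssh.com` suffix is the encrypt-and-MAC construction that the ETM variants already on this line were introduced to replace, and combined with the optional `aes256-ctr` it yields exactly the non-AEAD, non-ETM suite the defaults file marks as not recommended; because the client's preference order decides the negotiation, a client listing hmac-sha2-512 first will get it whenever the flag is set, regardless of its last-place position here. That is a reasonable explicit opt-in for legacy clients, but the directive should carry a comment making the trade-off visible, e.g. `# hmac-sha2-512 (encrypt-and-MAC) is only appended for clients that cannot use *-etm@openssh.com`. The `{% if use_hmac-sha2-512 %}` tag has the same identifier problem as the cipher tag — Jinja2 reads it as `use_hmac - sha2 - 512`, so the default flag is never consulted — and should become `{% if use_hmac_sha2_512 %},hmac-sha2-512{% endif %}` alongside a matching rename in defaults/main.yml.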