From a49a0c81f976cdb3cc7f9a12fffdbf4e24935663 Mon Sep 17 00:00:00 2001
From: L3D <l3d@c3woc.de>
Date: Tue, 3 May 2022 19:04:58 +0200
Subject: [PATCH] Allow more configuration options for ssh options

---
 defaults/main.yml        |  2 ++
 templates/sshd_config.j2 | 64 +++++++++++++++++++---------------------
 vars/main.yml            |  2 +-
 3 files changed, 33 insertions(+), 35 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index da31856..36c386c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -51,6 +51,7 @@ sshd__kex_algorithmus:
   # - 'diffie-hellman-group14-sha1'
   # - 'diffie-hellman-group1-sha1'
 
+sshd__manage_ciphers: true
 sshd__ciphers:
   - 'chacha20-poly1305@openssh.com'
   - 'aes256-gcm@openssh.com'
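Review bot: The new `sshd__manage_ciphers` flag has no comment explaining what turning it off does, and the behaviour is not obvious from the variable name: the template only comments the `Ciphers` directive out, so sshd falls back to its compiled-in defaults, which on older OpenSSH releases presumably include algorithms this list deliberately omits. Add a line above the flag such as `# false leaves the Ciphers directive commented out, so sshd uses its own compiled-in default list instead of sshd__ciphers below`. The same note applies to the `sshd__manage_macs` flag added in the next hunk.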
@@ -59,6 +60,7 @@ sshd__ciphers:
   # - 'aes128-ctr'
   # - 'aes128-cbc'
 
+sshd__manage_macs: true
 sshd__macs:
   - 'hmac-sha2-512-etm@openssh.com'
   - 'hmac-sha2-256-etm@openssh.com'
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index 5a307e8..ebd536a 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -5,6 +5,7 @@
 # sshd_config(5) for more information.
 
 {% if sshd__version_is_above_eight | default(false) | bool %}
+# Include SSHD config snippets
 Include /etc/ssh/sshd_config.d/*.conf
 {% endif %}
 
@@ -16,58 +17,56 @@ AddressFamily any
 
 TCPKeepAlive yes
 
-{% if sshd__manage_key_algorithmus | bool %}
-# Key exchange
+# SSHD Key exchange
+# -> HostkeyAlgorithms
+{% if not sshd__manage_key_algorithmus | bool %}#{% endif -%}
 {{ 'HostkeyAlgorithms ' }}
 {%- for algo in sshd__key_algorithmus -%}
-{{ algo }}{{ "," if not loop.last }}
+  {{- algo -}}
+  {{- "," if not loop.last -}}
 {%- endfor %}
-{% endif %}
 
+# -> KexAlgorithms
+{% if not sshd__manage_kex_algorithmus | bool %}#{% endif -%}
 {{ 'KexAlgorithms ' }}
 {%- for algo in sshd__kex_algorithmus -%}
-{{ algo }}{{ "," if not loop.last }}
+  {{- algo -}}
+  {{- "," if not loop.last -}}
 {%- endfor %}
 
 
 # Ciphers and keying
-#RekeyLimit default none
-
+# RekeyLimit default none
+# -> Ciphers
+{% if not sshd__manage_ciphers | bool %}#{% endif -%}
 {{ 'Ciphers ' }}
 {%- for cipher in sshd__ciphers -%}
-{{ cipher }}{{ "," if not loop.last }}
+  {{- cipher -}}
+  {{- "," if not loop.last -}}
 {%- endfor %}
 
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
 
-
-# Macs
+# -> Macs
+{% if not sshd__manage_macs | bool %}#{% endif -%}
 {{ 'MACs ' }}
 {%- for mac in sshd__macs -%}
-{{ mac }}{{ "," if not loop.last }}
+  {{- mac -}}
+  {{- "," if not loop.last -}}
 {%- endfor %}
 
 # Server Authentication
 Protocol 2
 
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
 
-{% if sshd__manage_key_types | bool -%}
-# host key types
+# SSHD Host Keys
 {% for key in sshd__key_types %}
+# -> {{ key }}
+{% if not sshd__manage_key_types | bool %}#{% endif -%}
 HostKey /etc/ssh/ssh_host_{{ key }}_key
 {% endfor %}
-{%- endif %}
-
-{% if sshd__manage_kex_algorithmus | bool -%}
-# HostKeyAlgorithms
-# Maybe not available in openssh 6.7
-{{ 'HostKeyAlgorithms ' }}
-{%- for key in sshd__key_algorithmus -%}
-{{ key }}{{ "," if not loop.last }}
-{%- endfor %}
-{% endif %}
 
 
 # Client authentication
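Review bot: The new comment-out guards only look at the manage flag, so a flag that is true with an empty list still renders a bare `Ciphers `, `MACs `, `KexAlgorithms ` or `HostkeyAlgorithms ` line, which sshd rejects as a missing argument and the service then fails to reload. Make the guard depend on the list as well, e.g. `{% if not (sshd__manage_ciphers | bool and sshd__ciphers) %}#{% endif -%}`, and the same for the other three directives. This was also true before the change, but the flags now invite exactly this combination; a `validate: '/usr/sbin/sshd -t -f %s'` on the template task would catch it at deploy time, if the role does not already have one (not visible here).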
@@ -112,19 +111,16 @@ TCPKeepAlive yes
 UsePAM yes
 
 # User Authentication
-{% if sshd__restrict_users -%}
-  AllowUsers {{ sshd__allowed_users|join(' ') }}
-{% endif %}
+{% if not sshd__restrict_users -%}#{%- endif -%}
+AllowUsers {{ sshd__allowed_users|join(' ') }}
 
-{% if sshd__restrict_groups -%}
-  AllowGroups {{ sshd__allowed_groups|join(' ') }}
-{%- endif %}
+# Group Authentication
+{% if not sshd__restrict_groups -%}#{%- endif -%}
+AllowGroups {{ sshd__allowed_groups|join(' ') }}
 
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 
-PrintMotd no
-
 # sftp (required by ansible)
 # Subsystem sftp /usr/lib/openssh/sftp-server
 {% if ansible_os_family == 'RedHat' %}
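Review bot: `sshd__restrict_users` and `sshd__restrict_groups` are tested without `| bool`, unlike every other manage flag in this template, so a string value such as `false` from `-e` or an INI inventory is truthy and `AllowUsers`/`AllowGroups` are emitted uncommented. With an empty `sshd__allowed_users` that yields a bare `AllowUsers` line, which I believe sshd accepts without imposing any restriction, so the misconfiguration is silent; with a non-empty list it restricts logins when the operator asked for the opposite. Use `{% if not sshd__restrict_users | bool -%}#{%- endif -%}` and `{% if not sshd__restrict_groups | bool -%}#{%- endif -%}` for consistency with the lines above, and consider guarding on the list being non-empty as well.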
diff --git a/vars/main.yml b/vars/main.yml
index f3b17d1..bfba715 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,5 +1,5 @@
 ---
-playbook_version_number: 5003
+playbook_version_number: 5004
 playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version'
 
 sshd__service_var_path: