diff --git a/tasks/main.yml b/tasks/main.yml index 91bd2cf..89a6922 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -51,6 +51,7 @@ creates: 'ssh_host_ed25519_key.pub' notify: - restart ssh + when: ansible_distribution_release != 'wheezy' - name: Remove unwanted host keys become: yes @@ -62,7 +63,9 @@ - dsa notify: - restart ssh - when: generate_ecdsa_too|bool + when: + - generate_ecdsa_too|bool + - ansible_distribution_release != 'wheezy' - name: Remove unwanted host keys become: yes @@ -75,7 +78,9 @@ - dsa notify: - restart ssh - when: not generate_ecdsa_too|bool + when: + - not generate_ecdsa_too|bool + - ansible_distribution_release != 'wheezy' - name: make sure the correct keys are available file: @@ -88,7 +93,9 @@ - dsa notify: - restart ssh - when: not generate_ecdsa_too|bool + when: + - not generate_ecdsa_too|bool + - ansible_distribution_release != 'wheezy' - name: make sure the correct keys are available except ecdsa file: @@ -100,4 +107,6 @@ - dsa notify: - restart ssh - when: generate_ecdsa_too|bool + when: + - generate_ecdsa_too|bool + - ansible_distribution_release != 'wheezy' diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 index 6ebc8af..5e3ab35 100644 --- a/templates/sshd_config.j2 +++ b/templates/sshd_config.j2 @@ -9,8 +9,14 @@ TCPKeepAlive yes # Key exchange #KexAlgorithms curve25519-sha256@libssh.org, # diffie-hellman-group-exchange-sha256 -KexAlgorithms curve25519-sha256@libssh.org{% -if use_diffie_hellman_group_exchange_sha256 %},diffie-hellman-group-exchange-sha256{% endif %} +{% if ansible_distribution_release == 'wheezy' -%} + KexAlgorithms diffie-hellman-group-exchange-sha256 +{%- else -%} + KexAlgorithms diffie-hellman-group-exchange-sha256 + {%- if use_diffie_hellman_group_exchange_sha256 -%} + ,diffie-hellman-group-exchange-sha256 + {%- endif -%} +{%- endif %} # Server authentication Protocol 2 
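Review bot: The new `when:` gates ed25519 host-key generation on the distribution codename rather than on what the installed sshd supports, so a host running an equally old OpenSSH under another codename still takes the ed25519 path and bypasses the wheezy-specific handling; the task this condition belongs to begins above the hunk. If the role can learn the sshd version (a registered `sshd -V` or package fact), testing that is more robust than `ansible_distribution_release != 'wheezy'`. The same condition is now repeated in five tasks, so a `block:` carrying a single `when:` would keep the exclusion in one place. At minimum the line deserves a why-comment, e.g. `# wheezy is excluded because (presumably) its OpenSSH has no ed25519 support; the sshd_config template carries the matching algorithm fallback`.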
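Review bot: Skipping the "Remove unwanted host keys" task entirely on wheezy leaves every listed key type in place there — `dsa` is visible in the loop — so wheezy hosts keep a DSA host key that the role removes everywhere else; the loop's full item list sits above the hunk, so which other types are affected is not visible. If the skip exists only because no ed25519 key is generated on wheezy, restrict the removal instead of disabling it, keeping the one key type wheezy's sshd can still use (assuming `rsa` is among the items): `- ansible_distribution_release != 'wheezy' or item != 'rsa'` as the second `when:` entry keeps `dsa` (and `ecdsa`, per `generate_ecdsa_too`) removed. The same consideration applies to the three sibling hunks below that add the identical condition.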
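Review bot: The non-wheezy branch drops `curve25519-sha256@libssh.org`, which the removed line used as the default, and lists `diffie-hellman-group-exchange-sha256` both as the base value and again inside the `use_diffie_hellman_group_exchange_sha256` conditional, so every non-wheezy host is downgraded to DH-GEX only and renders a duplicated algorithm when the flag is set. The Ciphers and MACs hunks in this commit keep their previous strong default in the `else` branch, so this looks like a copy-paste slip; the line after `{%- else -%}` should read `KexAlgorithms curve25519-sha256@libssh.org`. A comment on the wheezy branch would also help the next reader, e.g. `{# wheezy: curve25519 kex presumably unavailable in its OpenSSH, DH-GEX-SHA256 is the fallback #}`.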
@@ -53,8 +59,14 @@ endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # aes256-ctr, # aes192-ctr, # aes128-ctr -Ciphers chacha20-poly1305@openssh.com{% -if use_aes256_ctr %},aes256-ctr{% endif %} +{% if ansible_distribution_release == 'wheezy' -%} + Ciphers aes192-ctr,aes256-ctr,arcfour256 +{%- else -%} + Ciphers chacha20-poly1305@openssh.com + {%- if use_aes256_ctr -%} + ,aes256-ctr + {%- endif -%} +{%- endif %} # Message authentication codes @@ -66,9 +78,14 @@ if use_aes256_ctr %},aes256-ctr{% endif %} # hmac-sha2-256, # hmac-ripemd160, # umac-128@openssh.com -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com{% -if use_hmac_sha2_512 %},hmac-sha2-512{% endif %} - +{% if ansible_distribution_release == 'wheezy' -%} + MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +{%- else -%} + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com + {%- if use_hmac_sha2_512 -%} + ,hmac-sha2-512 + {%- endif -%} +{%- endif %} # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/vars/main.yml b/vars/main.yml index 9b8cf12..1e8a365 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,3 +1,3 @@ --- -playbook_version_number: 123 +playbook_version_number: 1024 # should be over ninethousand playbook_version_path: '/etc/ansible-version/role-sshd_chaos-bodensee_github.com.version'
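Review bot: The wheezy branch enables `arcfour256`, i.e. RC4, a broken stream cipher that is unnecessary here because the same line already offers `aes192-ctr,aes256-ctr`; drop it so the wheezy line reads `Ciphers aes256-ctr,aes192-ctr,aes128-ctr` (strongest first; `aes128-ctr` is already in the commented menu above the line). The `else` branch preserves the previous chacha20-poly1305 default, so only the wheezy list regresses. A short `{# chacha20-poly1305 presumably unavailable on wheezy's OpenSSH; AES-CTR only #}` comment would document why the branch exists.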
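Review bot: The wheezy branch selects `hmac-sha1,umac-64@openssh.com,hmac-ripemd160`, all weaker than the `hmac-sha2-512`/`hmac-sha2-256` family the `else` branch keeps; as far as I recall only the `-etm@openssh.com` variants need the fallback, and the plain `hmac-sha2-*` MACs exist in the OpenSSH wheezy ships, so the line should be `MACs hmac-sha2-512,hmac-sha2-256` (optionally with `umac-128@openssh.com`, which appears in the menu comment above). Confirm the names against an actual wheezy sshd before merging, since an unsupported MAC spec makes sshd refuse to start and the handler's restart would then take the host offline. The fallback also deserves a `{# ... #}` comment stating which algorithms wheezy lacks, as the branch otherwise reads as a deliberate choice of SHA-1.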