improve support for legacy os

tasks/main.yml

@@ -51,6 +51,7 @@
     creates: 'ssh_host_ed25519_key.pub'
   notify:
     - restart ssh
+  when: ansible_distribution_release != 'wheezy'
 
 - name: Remove unwanted host keys
   become: yes
@@ -62,7 +63,9 @@
     - dsa
   notify:
     - restart ssh
-  when: generate_ecdsa_too|bool
+  when:
+    - generate_ecdsa_too|bool
+    - ansible_distribution_release != 'wheezy'
 
 - name: Remove unwanted host keys
   become: yes
@@ -75,7 +78,9 @@
     - dsa
   notify:
     - restart ssh
-  when: not generate_ecdsa_too|bool
+  when:
+    - not generate_ecdsa_too|bool
+    - ansible_distribution_release != 'wheezy'
 
 - name: make sure the correct keys are available
   file:
@@ -88,7 +93,9 @@
     - dsa
   notify:
     - restart ssh
-  when: not generate_ecdsa_too|bool
+  when:
+    - not generate_ecdsa_too|bool
+    - ansible_distribution_release != 'wheezy'
 
 - name: make sure the correct keys are available except ecdsa
   file:
@@ -100,4 +107,6 @@
     - dsa
   notify:
     - restart ssh
-  when: generate_ecdsa_too|bool
+  when:
+    - generate_ecdsa_too|bool
+    - ansible_distribution_release != 'wheezy'

templates/sshd_config.j2

@@ -9,8 +9,14 @@ TCPKeepAlive yes
 # Key exchange
 #KexAlgorithms curve25519-sha256@libssh.org,
 #              diffie-hellman-group-exchange-sha256
-KexAlgorithms curve25519-sha256@libssh.org{%
+{% if ansible_distribution_release == 'wheezy' -%}
-if use_diffie_hellman_group_exchange_sha256 %},diffie-hellman-group-exchange-sha256{% endif %}
+  KexAlgorithms diffie-hellman-group-exchange-sha256
+{%- else -%}
+  KexAlgorithms diffie-hellman-group-exchange-sha256
+  {%- if use_diffie_hellman_group_exchange_sha256 -%}
+    ,diffie-hellman-group-exchange-sha256
+  {%- endif -%}
+{%- endif %}
 
 # Server authentication
 Protocol 2
@@ -53,8 +59,14 @@ endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
 #        aes256-ctr,
 #        aes192-ctr,
 #        aes128-ctr
-Ciphers chacha20-poly1305@openssh.com{%
+{% if ansible_distribution_release == 'wheezy' -%}
-if use_aes256_ctr %},aes256-ctr{% endif %}
+  Ciphers aes192-ctr,aes256-ctr,arcfour256
+{%- else -%}
+  Ciphers chacha20-poly1305@openssh.com
+  {%- if use_aes256_ctr -%}
+    ,aes256-ctr
+  {%- endif -%}
+{%- endif %}
 
 
 # Message authentication codes
@@ -66,9 +78,14 @@ if use_aes256_ctr %},aes256-ctr{% endif %}
 #     hmac-sha2-256,
 #     hmac-ripemd160,
 #     umac-128@openssh.com
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com{%
+{% if ansible_distribution_release == 'wheezy' -%}
-if use_hmac_sha2_512 %},hmac-sha2-512{% endif %}
+  MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
-
+{%- else -%}
+  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+  {%- if use_hmac_sha2_512 -%}
+    ,hmac-sha2-512
+  {%- endif -%}
+{%- endif %}
 
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*

vars/main.yml

@@ -1,3 +1,3 @@
 ---
-playbook_version_number: 123
+playbook_version_number: 1024 # should be over ninethousand
 playbook_version_path: '/etc/ansible-version/role-sshd_chaos-bodensee_github.com.version'