roles/common: Disable unsafe Diffie-Hellman SSH moduli

The WeakDH team showed (in 2015) that Diffie-Hellman key exchange
with prime number groups of 1024 bits or less were weaker than we
previously thought, and well within the reach of nation states. They
recommended (in 2015) using 2048-bit or higher prime groups.

The SSH audit project recommends that we should use 3072-bit now.

See: https://weakdh.org/
See: https://github.com/jtesta/ssh-audit/

roles/common/tasks/sshd.yml

@@ -13,6 +13,32 @@
   when: ansible_distribution == 'Ubuntu'
   notify: reload sshd
 
+# See: WeakDH (2015): https://weakdh.org/sysadmin.html
+- name: Remove small Diffie-Hellman SSH moduli
+  block:
+    - name: Check unsafe Diffie-Hellman SSH moduli
+      ansible.builtin.shell:
+        cmd: awk '$5 < 3071' moduli
+        chdir: /etc/ssh
+        creates: moduli.safe
+      register: check_unsafe_moduli
+
+    - name: Extract safe Diffie-Hellman SSH moduli
+      ansible.builtin.shell:
+        cmd: awk '$5 >= 3071' moduli > moduli.safe
+        chdir: /etc/ssh
+        creates: moduli.safe
+      when: check_unsafe_moduli.stdout | length > 0
+      register: extract_safe_moduli
+
+    - name: Replace unsafe Diffie-Hellman SSH moduli
+      ansible.builtin.command:
+        cmd: mv moduli.safe moduli
+        chdir: /etc/ssh
+      register: replace_small_moduli
+      when: extract_safe_moduli is changed
+      notify: reload sshd
+
 - name: Remove DSA and ECDSA host keys
   file: name=/etc/ssh/{{ item }} state=absent
   loop: