52 lines
1.8 KiB
YAML
52 lines
1.8 KiB
YAML
---
|
|
|
|
# SSH configs don't change in Debian minor versions
|
|
- name: Reconfigure /etc/ssh/sshd_config
|
|
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
|
|
when: ansible_distribution == 'Debian'
|
|
notify: reload sshd
|
|
|
|
# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
|
|
# ie with new ciphers supported etc.
|
|
- name: Reconfigure /etc/ssh/sshd_config
|
|
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
|
|
when: ansible_distribution == 'Ubuntu'
|
|
notify: reload sshd
|
|
|
|
# See: WeakDH (2015): https://weakdh.org/sysadmin.html
|
|
- name: Remove small Diffie-Hellman SSH moduli
|
|
block:
|
|
- name: Check unsafe Diffie-Hellman SSH moduli
|
|
ansible.builtin.shell:
|
|
cmd: awk '$5 < 3071' moduli
|
|
chdir: /etc/ssh
|
|
creates: moduli.safe
|
|
register: check_unsafe_moduli
|
|
|
|
- name: Extract safe Diffie-Hellman SSH moduli
|
|
ansible.builtin.shell:
|
|
cmd: awk '$5 >= 3071' moduli > moduli.safe
|
|
chdir: /etc/ssh
|
|
creates: moduli.safe
|
|
when: check_unsafe_moduli.stdout | length > 0
|
|
register: extract_safe_moduli
|
|
|
|
- name: Replace unsafe Diffie-Hellman SSH moduli
|
|
ansible.builtin.command:
|
|
cmd: mv moduli.safe moduli
|
|
chdir: /etc/ssh
|
|
register: replace_small_moduli
|
|
when: extract_safe_moduli is changed
|
|
notify: reload sshd
|
|
|
|
- name: Remove DSA and ECDSA host keys
|
|
ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent
|
|
loop:
|
|
- ssh_host_dsa_key
|
|
- ssh_host_dsa_key.pub
|
|
- ssh_host_ecdsa_key
|
|
- ssh_host_ecdsa_key.pub
|
|
notify: reload sshd
|
|
|
|
# vim: set sw=2 ts=2:
|