ansible-personal/roles/common/tasks/sshd.yml

---

# SSH configs don't change in Debian minor versions
- name: Reconfigure /etc/ssh/sshd_config
  template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
  when: ansible_distribution == 'Debian'
  notify: reload sshd

# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
# ie with new ciphers supported etc.
- name: Reconfigure /etc/ssh/sshd_config
  template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
  when: ansible_distribution == 'Ubuntu'
  notify: reload sshd

# See: WeakDH (2015): https://weakdh.org/sysadmin.html
- name: Remove small Diffie-Hellman SSH moduli
  block:
    - name: Check unsafe Diffie-Hellman SSH moduli
      ansible.builtin.shell:
        cmd: awk '$5 < 3071' moduli
        chdir: /etc/ssh
        creates: moduli.safe
      register: check_unsafe_moduli

    - name: Extract safe Diffie-Hellman SSH moduli
      ansible.builtin.shell:
        cmd: awk '$5 >= 3071' moduli > moduli.safe
        chdir: /etc/ssh
        creates: moduli.safe
      when: check_unsafe_moduli.stdout | length > 0
      register: extract_safe_moduli

    - name: Replace unsafe Diffie-Hellman SSH moduli
      ansible.builtin.command:
        cmd: mv moduli.safe moduli
        chdir: /etc/ssh
      register: replace_small_moduli
      when: extract_safe_moduli is changed
      notify: reload sshd

- name: Remove DSA and ECDSA host keys
  file: name=/etc/ssh/{{ item }} state=absent
  loop:
    - ssh_host_dsa_key
    - ssh_host_dsa_key.pub
    - ssh_host_ecdsa_key
    - ssh_host_ecdsa_key.pub
  notify: reload sshd

# vim: set sw=2 ts=2: