From 478d5d1bd7e1d7b6307c3e4ae5c57b2e05d66e02 Mon Sep 17 00:00:00 2001 From: Denis Knauf Date: Sun, 17 Nov 2024 12:21:51 +0100 Subject: [PATCH] ciphers, macs, kexs fix up and sorted list --- tasks/sshd_config.yml | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/tasks/sshd_config.yml b/tasks/sshd_config.yml index 4054ae6..5df3f34 100644 --- a/tasks/sshd_config.yml +++ b/tasks/sshd_config.yml @@ -9,27 +9,30 @@ - name: Use only supported Ciphers, Kex Algorithms and Macs of the configured ones tags: sshd set_fact: - sshd_ciphers_: '{{cd|join(",")}}' - sshd_kex_algorithms_: '{{kd|join(",")}}' - sshd_macs_: '{{md|join(",")}}' + sshd_ciphers_: '{{ce | sort() | join( ",")}}' + sshd_kex_algorithms_: '{{ke | sort() | join( ",")}}' + sshd_macs_: '{{me | sort() | join( ",")}}' sshd_include_option: '{{sshd_include_option_check.stderr == "Include directive not supported as a command-line option"}}' vars: ca: '{{ sshd_ciphers }}' cb: '{{ ca | type_debug }}' - cc: '{% if "list" == cb %}{{ ca }}{% elif "str" == cb %}{{ ca.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}' - cd: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q cipher').split( '\n') | intersect( cc) }}" + cc: '{% if "list" == cb %}{{ ca }}{% elif "str" == cb or "AnsibleUnicode" == cb %}{{ ca.split( ",") }}{%else%}{{undef|mandatory()}}{% endif %}' + cd: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q cipher').split( '\n') }}" + ce: "{{ cd | intersect( cc) }}" ka: '{{ sshd_kex_algorithms }}' kb: '{{ ka | type_debug }}' - kc: '{% if "list" == kb %}{{ ka }}{% elif "str" == kb %}{{ ka.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}' - kd: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q kex').split( '\n') | intersect( kc) }}" + kc: '{% if "list" == kb %}{{ ka }}{% elif "str" == kb or "AnsibleUnicode" == kb %}{{ ka.split( ",") }}{%else%}{{undef|mandatory()}}{% endif %}' + kd: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q kex').split( '\n') }}" + ke: "{{ kd | intersect( kc) }}" ma: '{{ sshd_macs }}' mb: '{{ ma | type_debug }}' - mc: '{% if "list" == mb %}{{ ma }}{% elif "str" == mb %}{{ ma.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}' - md: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q mac').split( '\n') | intersect( mc) }}" + mc: '{% if "list" == mb %}{{ ma }}{% elif "str" == mb or "AnsibleUnicode" == mb %}{{ ma.split( ",") }}{%else%}{{undef|mandatory()}}{% endif %}' + md: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q mac').split( '\n') }}" + me: "{{ md | intersect( mc) }}" failed_when: - - '[] == sshd_ciphers_' - - '[] == sshd_kex_algorithms_' - - '[] == sshd_macs_' + - '"" == sshd_ciphers_' + - '"" == sshd_kex_algorithms_' + - '"" == sshd_macs_' - when: 'true == sshd_include_option' tags: sshd block: