deac/ansible-role-system
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

ciphers, macs, kexs fix up and sorted list

Browse source
This commit is contained in:
Denis Knauf 2024-11-17 12:21:51 +01:00
parent 49b302d981
commit 478d5d1bd7
1 changed files with 15 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
tasks/sshd_config.yml
View file

@ -9,27 +9,30 @@
- name: Use only supported Ciphers, Kex Algorithms and Macs of the configured ones - name: Use only supported Ciphers, Kex Algorithms and Macs of the configured ones
tags: sshd tags: sshd
set_fact: set_fact:
sshd_ciphers_: '{{cd|join(",")}}' sshd_ciphers_: '{{ce | sort() | join( ",")}}'
sshd_kex_algorithms_: '{{kd|join(",")}}' sshd_kex_algorithms_: '{{ke | sort() | join( ",")}}'
sshd_macs_: '{{md|join(",")}}' sshd_macs_: '{{me | sort() | join( ",")}}'
sshd_include_option: '{{sshd_include_option_check.stderr == "Include directive not supported as a command-line option"}}' sshd_include_option: '{{sshd_include_option_check.stderr == "Include directive not supported as a command-line option"}}'
vars: vars:
ca: '{{ sshd_ciphers }}' ca: '{{ sshd_ciphers }}'
cb: '{{ ca | type_debug }}' cb: '{{ ca | type_debug }}'
cc: '{% if "list" == cb %}{{ ca }}{% elif "str" == cb %}{{ ca.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}' cc: '{% if "list" == cb %}{{ ca }}{% elif "str" == cb or "AnsibleUnicode" == cb %}{{ ca.split( ",") }}{%else%}{{undef|mandatory()}}{% endif %}'
cd: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q cipher').split( '\n') | intersect( cc) }}" cd: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q cipher').split( '\n') }}"
ce: "{{ cd | intersect( cc) }}"
ka: '{{ sshd_kex_algorithms }}' ka: '{{ sshd_kex_algorithms }}'
kb: '{{ ka | type_debug }}' kb: '{{ ka | type_debug }}'
kc: '{% if "list" == kb %}{{ ka }}{% elif "str" == kb %}{{ ka.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}' kc: '{% if "list" == kb %}{{ ka }}{% elif "str" == kb or "AnsibleUnicode" == kb %}{{ ka.split( ",") }}{%else%}{{undef|mandatory()}}{% endif %}'
kd: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q kex').split( '\n') | intersect( kc) }}" kd: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q kex').split( '\n') }}"
ke: "{{ kd | intersect( kc) }}"
ma: '{{ sshd_macs }}' ma: '{{ sshd_macs }}'
mb: '{{ ma | type_debug }}' mb: '{{ ma | type_debug }}'
mc: '{% if "list" == mb %}{{ ma }}{% elif "str" == mb %}{{ ma.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}' mc: '{% if "list" == mb %}{{ ma }}{% elif "str" == mb or "AnsibleUnicode" == mb %}{{ ma.split( ",") }}{%else%}{{undef|mandatory()}}{% endif %}'
md: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q mac').split( '\n') | intersect( mc) }}" md: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q mac').split( '\n') }}"
me: "{{ md | intersect( mc) }}"
failed_when: failed_when:
- '[] == sshd_ciphers_' - '"" == sshd_ciphers_'
- '[] == sshd_kex_algorithms_' - '"" == sshd_kex_algorithms_'
- '[] == sshd_macs_' - '"" == sshd_macs_'
- when: 'true == sshd_include_option' - when: 'true == sshd_include_option'
tags: sshd tags: sshd
block: block: