From c8ba380f41d0c533a8fb3e83bcfdf8ba0526f321 Mon Sep 17 00:00:00 2001
From: Denis Knauf
Date: Mon, 25 Mar 2024 23:18:47 +0100
Subject: [PATCH] filter for supported Ciphers, KexAlgs and Macs - Prevents error-messages
---
 tasks/sshd_config.yml | 29 +++++++++++++++++++++++++----
 templates/sshd-default.conf.j2 | 6 +++---
 2 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/tasks/sshd_config.yml b/tasks/sshd_config.yml
index fd076ac..9c2d76c 100644
--- a/tasks/sshd_config.yml
+++ b/tasks/sshd_config.yml
@@ -5,8 +5,29 @@
 command: 'sshd -o "include /dev/null"'
 register: sshd_include_option_check
 failed_when: 'sshd_include_option_check.rc not in [1,255] or sshd_include_option_check.stderr not in ["Include directive not supported as a command-line option", "command-line: line 0: Bad configuration option: include"]'
-- set_fact:
+- name: Use only supported Ciphers, Kex Algorithms and Macs of the configured ones
+ set_fact:
+ sshd_ciphers_: '{{cd|join(",")}}'
+ sshd_kex_algorithms_: '{{kd|join(",")}}'
+ sshd_macs_: '{{md|join(",")}}'
 sshd_include_option: '{{sshd_include_option_check.stderr == "Include directive not supported as a command-line option"}}'
+ vars:
+ ca: '{{ sshd_ciphers }}'
+ cb: '{{ ca | type_debug }}'
+ cc: '{% if "list" == cb %}{{ ca }}{% elif "str" == cb %}{{ ca.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}'
+ cd: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q cipher').split( '\n') | intersect( cc) }}"
+ ka: '{{ sshd_kex_algorithms }}'
+ kb: '{{ ka | type_debug }}'
+ kc: '{% if "list" == kb %}{{ ka }}{% elif "str" == kb %}{{ ka.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}'
+ kd: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q kex').split( '\n') | intersect( kc) }}"
+ ma: '{{ sshd_macs }}'
+ mb: '{{ ma | type_debug }}'
+ mc: '{% if "list" == mb %}{{ ma }}{% elif "str" == mb %}{{ ma.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}'
+ md: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q mac').split( '\n') | intersect( mc) }}"
+ failed_when:
+ - '[] == sshd_ciphers_'
+ - '[] == sshd_kex_algorithms_'
+ - '[] == sshd_macs_'
 - when: 'true == sshd_include_option'
 block:
 - name: '/etc/ssh/sshd_config.d'
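Review bot: The `failed_when` list at the end of the new set_fact task cannot detect an empty result: `sshd_ciphers_`, `sshd_kex_algorithms_` and `sshd_macs_` are comma-joined strings, so `[] == …` is never true, and Ansible ANDs a list of conditions, so even a correct check would only fire when all three lists were empty at once; `failed_when: cd | length == 0 or kd | length == 0 or md | length == 0` tests the lists before they are joined. A second problem is that `lookup('ansible.builtin.pipe', 'ssh -Q …')` runs on the control node, so the filter intersects the operator's list with the controller's OpenSSH build rather than with the target's, which is the host whose sshd the commit message wants to keep free of errors; querying the target with a registered `command` task, as sketched below, fixes that (assuming the `ssh` client is installed alongside `sshd` there). The `"str" == cb` branch is also likely to miss, because `type_debug` on a string variable loaded from YAML usually reports `AnsibleUnicode` or `AnsibleUnsafeText` rather than `str`, which would send a plain comma-separated setting into the `{{null|mandatory()}}` error path; `{{ ca.split(',') if ca is string else ca }}` avoids the type-name comparison. Note that the `ssh -Q` output is the left operand of `intersect`, so the resulting order appears to follow the OpenSSH listing rather than the configured preference, and the trailing-underscore names `sshd_ciphers_` etc. are easy to confuse with the user-facing `sshd_ciphers`; a suffix such as `sshd_ciphers_supported` would make the distinction visible in the template.
```yaml
- name: Query the algorithms supported by the target's OpenSSH build
  command: 'ssh -Q {{ item }}'
  register: sshd_supported_algs
  changed_when: false
  loop: ['cipher', 'kex', 'mac']

- name: Use only supported Ciphers, Kex Algorithms and Macs of the configured ones
  set_fact:
    # … unchanged: sshd_ciphers_, sshd_kex_algorithms_, sshd_macs_, sshd_include_option …
  vars:
    # … unchanged: ca, ka, ma …
    cc: "{{ ca.split(',') if ca is string else ca }}"
    cd: "{{ sshd_supported_algs.results[0].stdout_lines | intersect(cc) }}"
    kc: "{{ ka.split(',') if ka is string else ka }}"
    kd: "{{ sshd_supported_algs.results[1].stdout_lines | intersect(kc) }}"
    mc: "{{ ma.split(',') if ma is string else ma }}"
    md: "{{ sshd_supported_algs.results[2].stdout_lines | intersect(mc) }}"
  failed_when: cd | length == 0 or kd | length == 0 or md | length == 0
```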
@@ -45,9 +66,9 @@
 KerberosAuthentication: '{{sshd_kerberos_authentication}}'
 GSSAPIAuthentication: '{{sshd_gssapi_authentication}}'
 TCPKeepAlive: 'yes'
- #Ciphers: '{{sshd_ciphers}}'
- #MACs: '{{sshd_macs}}'
- #KexAlgorithms: '{{sshd_kex_algorithms}}'
+ Ciphers: '{{sshd_ciphers_}}'
+ MACs: '{{sshd_macs_}}'
+ KexAlgorithms: '{{sshd_kex_algorithms_}}'
 - name: sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
diff --git a/templates/sshd-default.conf.j2 b/templates/sshd-default.conf.j2
index 5b5159e..f71a336 100644
--- a/templates/sshd-default.conf.j2
+++ b/templates/sshd-default.conf.j2
@@ -9,9 +9,9 @@ StrictModes yes
 {%if sshd_kbdinteractive_authentication is defined%}KBDInteractiveAuthentication {{sshd_kbdinteractive_authentication}}{%endif%}
 {%if sshd_hostbased_authentication is defined%}HostbasedAuthentication {{sshd_hostbased_authentication}}{%endif%}
 TCPKeepAlive yes
-Ciphers {{sshd_ciphers}}
-MACs {{sshd_macs}}
-KexAlgorithms {{sshd_kex_algorithms}}
+Ciphers {{sshd_ciphers_}}
+MACs {{sshd_macs_}}
+KexAlgorithms {{sshd_kex_algorithms_}}
 {%for k in sshd_host_keys%}
 HostKey {{k}}
 {%endfor%}