Filter for supported Ciphers, KexAlgs and MACs - prevents error messages

Denis Knauf 2024-03-25 23:18:47 +01:00
parent 3346bd0e08
commit c8ba380f41
2 changed files with 28 additions and 7 deletions


@ -5,8 +5,29 @@
command: 'sshd -o "include /dev/null"' command: 'sshd -o "include /dev/null"'
register: sshd_include_option_check register: sshd_include_option_check
failed_when: 'sshd_include_option_check.rc not in [1,255] or sshd_include_option_check.stderr not in ["Include directive not supported as a command-line option", "command-line: line 0: Bad configuration option: include"]' failed_when: 'sshd_include_option_check.rc not in [1,255] or sshd_include_option_check.stderr not in ["Include directive not supported as a command-line option", "command-line: line 0: Bad configuration option: include"]'
- set_fact: - name: Use only supported Ciphers, Kex Algorithms and Macs of the configured ones
set_fact:
sshd_ciphers_: '{{cd|join(",")}}'
sshd_kex_algorithms_: '{{kd|join(",")}}'
sshd_macs_: '{{md|join(",")}}'
sshd_include_option: '{{sshd_include_option_check.stderr == "Include directive not supported as a command-line option"}}' sshd_include_option: '{{sshd_include_option_check.stderr == "Include directive not supported as a command-line option"}}'
vars:
ca: '{{ sshd_ciphers }}'
cb: '{{ ca | type_debug }}'
cc: '{% if "list" == cb %}{{ ca }}{% elif "str" == cb %}{{ ca.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}'
cd: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q cipher').split( '\n') | intersect( cc) }}"
ka: '{{ sshd_kex_algorithms }}'
kb: '{{ ka | type_debug }}'
kc: '{% if "list" == kb %}{{ ka }}{% elif "str" == kb %}{{ ka.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}'
kd: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q kex').split( '\n') | intersect( kc) }}"
ma: '{{ sshd_macs }}'
mb: '{{ ma | type_debug }}'
mc: '{% if "list" == mb %}{{ ma }}{% elif "str" == mb %}{{ ma.split( ",") }}{%else%}{{null|mandatory()}}{% endif %}'
md: "{{ lookup( 'ansible.builtin.pipe', 'ssh -Q mac').split( '\n') | intersect( mc) }}"
failed_when:
- '[] == sshd_ciphers_'
- '[] == sshd_kex_algorithms_'
- '[] == sshd_macs_'
- when: 'true == sshd_include_option' - when: 'true == sshd_include_option'
block: block:
- name: '/etc/ssh/sshd_config.d' - name: '/etc/ssh/sshd_config.d'
@ -45,9 +66,9 @@
KerberosAuthentication: '{{sshd_kerberos_authentication}}' KerberosAuthentication: '{{sshd_kerberos_authentication}}'
GSSAPIAuthentication: '{{sshd_gssapi_authentication}}' GSSAPIAuthentication: '{{sshd_gssapi_authentication}}'
TCPKeepAlive: 'yes' TCPKeepAlive: 'yes'
#Ciphers: '{{sshd_ciphers}}' Ciphers: '{{sshd_ciphers_}}'
#MACs: '{{sshd_macs}}' MACs: '{{sshd_macs_}}'
#KexAlgorithms: '{{sshd_kex_algorithms}}' KexAlgorithms: '{{sshd_kex_algorithms_}}'
- name: sshd_config - name: sshd_config
lineinfile: lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
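Review bot: The `failed_when` list on the new set_fact task cannot fire: `sshd_ciphers_`, `sshd_kex_algorithms_` and `sshd_macs_` are strings produced by `join(",")`, so `[] == sshd_ciphers_` is never true, and a list-form `failed_when` only fails when every entry holds at once. An empty intersection therefore passes silently, and the second hunk (`Ciphers: '{{sshd_ciphers_}}'` and the two lines below it) as well as the template lines `Ciphers {{sshd_ciphers_}}` then render an empty directive, which sshd is likely to reject at start-up. Compare the task vars instead, `failed_when: '[] == cd or [] == kd or [] == md'`. Separately, `lookup('ansible.builtin.pipe', 'ssh -Q cipher')` runs on the control node, so the filter reflects the controller's OpenSSH rather than the managed host's, and the unsupported-algorithm errors this commit aims to prevent can still occur when versions differ. Querying the target with a registered `command` task and intersecting with its `stdout_lines` keeps the check tied to the host that will actually run sshd.
```yaml
- name: Query algorithms supported by the target's OpenSSH
  command: 'ssh -Q {{ item }}'
  loop: [cipher, kex, mac]
  register: sshd_supported_algs
  changed_when: false
# … unchanged: set_fact task header, sshd_ciphers_/sshd_kex_algorithms_/sshd_macs_ and the ca..cc/ka..kc/ma..mc vars …
    cd: "{{ sshd_supported_algs.results[0].stdout_lines | intersect(cc) }}"
    kd: "{{ sshd_supported_algs.results[1].stdout_lines | intersect(kc) }}"
    md: "{{ sshd_supported_algs.results[2].stdout_lines | intersect(mc) }}"
  failed_when: '[] == cd or [] == kd or [] == md'
```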


@ -9,9 +9,9 @@ StrictModes yes
{%if sshd_kbdinteractive_authentication is defined%}KBDInteractiveAuthentication {{sshd_kbdinteractive_authentication}}{%endif%} {%if sshd_kbdinteractive_authentication is defined%}KBDInteractiveAuthentication {{sshd_kbdinteractive_authentication}}{%endif%}
{%if sshd_hostbased_authentication is defined%}HostbasedAuthentication {{sshd_hostbased_authentication}}{%endif%} {%if sshd_hostbased_authentication is defined%}HostbasedAuthentication {{sshd_hostbased_authentication}}{%endif%}
TCPKeepAlive yes TCPKeepAlive yes
Ciphers {{sshd_ciphers}} Ciphers {{sshd_ciphers_}}
MACs {{sshd_macs}} MACs {{sshd_macs_}}
KexAlgorithms {{sshd_kex_algorithms}} KexAlgorithms {{sshd_kex_algorithms_}}
{%for k in sshd_host_keys%} {%for k in sshd_host_keys%}
HostKey {{k}} HostKey {{k}}
{%endfor%} {%endfor%}