xoxys.sshd/tasks/ssh_default.yml

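---
# Default sshd hardening tasks: render sshd_config, strip weak DH moduli,
# create the allow-list groups and align crypto-policy / SELinux settings.

- name: Gather package facts
  ansible.builtin.package_facts:
  # Run even in check mode: a later task conditions on ansible_facts.packages.
  check_mode: false

- name: Hardening sshd config
  ansible.builtin.template:
    src: etc/ssh/sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    # Only root needs to read sshd_config; keep it private.
    mode: "0600"
  notify: __sshd_restart

- name: Check if /etc/ssh/moduli contains weak DH parameters
  # Field 5 of /etc/ssh/moduli is the prime size in bits. The `int` filter
  # guarantees that only a number is interpolated into the shell command,
  # so a malformed variable value cannot change the command's shape.
  ansible.builtin.shell: awk '$5 < {{ sshd_moduli_minimum | int }}' /etc/ssh/moduli
  register: __sshd_register_moduli
  changed_when: false
  check_mode: false

- name: Remove all small primes
  # Runs only when the check above found weak primes (non-empty stdout).
  # The filtered list is written to a temporary file and only swapped in
  # when it is readable and non-empty; "replaced" is echoed on success so
  # the task can report a real change (the command never fails on its own).
  ansible.builtin.shell: >-
    awk '$5 >= {{ sshd_moduli_minimum | int }}' /etc/ssh/moduli > /etc/ssh/moduli.new &&
    [ -r /etc/ssh/moduli.new ] && [ -s /etc/ssh/moduli.new ] &&
    mv /etc/ssh/moduli.new /etc/ssh/moduli && echo replaced || true
  # Separate register: the `when` below must still see the check task's result.
  register: __sshd_register_moduli_clean
  # The previous `rc != 0` test could never hold because of the trailing
  # `|| true`, so the handler was never notified when moduli were rewritten.
  changed_when: '__sshd_register_moduli_clean.stdout == "replaced"'
  notify: __sshd_restart
  when: __sshd_register_moduli.stdout

- name: Create SSH usergroup
  ansible.builtin.group:
    name: "{{ item }}"
    state: present
  loop: "{{ sshd_allow_groups }}"

- name: Configure SSH crypto policy usage
  ansible.builtin.template:
    src: etc/sysconfig/sshd.j2
    dest: /etc/sysconfig/sshd
    owner: root
    group: root
    mode: "0640"
  # Only hosts with the crypto-policies package consume /etc/sysconfig/sshd.
  when: ('crypto-policies' in ansible_facts.packages)

- name: Ensure seport matches sshd config
  # Fully qualified name for consistency with the other tasks; the short
  # `seport` name was resolved to this module through the legacy routing table.
  community.general.seport:
    ports: "{{ sshd_port }}"
    proto: "tcp"
    setype: "ssh_port_t"
    state: "present"
  when:
    - ansible_selinux is defined
    - ansible_selinux.status == "enabled"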