fix: fix crypto policy integration
Some checks failed
continuous-integration/drone/push Build is failing
parent
62392d5ac9
commit
da88ca9ce1
@ -43,7 +43,7 @@ sshd_max_sessions: 10
|
||||
sshd_tcp_keep_alive: "yes"
|
||||
sshd_use_dns: "no"
|
||||
|
||||
sshd_disable_crypto_policy: False
|
||||
sshd_crypto_policy_enabled: True
|
||||
|
||||
# @var sshd_challenge_response_authentication:description: >
|
||||
# If you disable password auth you should disable ChallengeResponseAuth also.
|
||||
|
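Review bot: `sshd_crypto_policy_enabled: True` replaces `sshd_disable_crypto_policy` with the opposite sense, and nothing in this hunk tells existing users that the old name is no longer read. An inventory that still sets `sshd_disable_crypto_policy: True` would silently go back to following the system-wide policy, which changes the ciphers, MACs and key-exchange algorithms sshd offers. The new default should carry a `# @var` annotation like its neighbours, e.g. `# @var sshd_crypto_policy_enabled:description: Follow the system-wide crypto policy (replaces sshd_disable_crypto_policy, inverted)`. An early `assert` that `sshd_disable_crypto_policy is not defined` would make the rename fail loudly instead of quietly. Writing the value as lowercase `true` also avoids the YAML 1.1 truthy variants.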
@ -2,7 +2,7 @@
|
||||
- name: Gather package facts
|
||||
package_facts:
|
||||
check_mode: False
|
||||
when: sshd_disable_crypto_policy | bool
|
||||
when: not sshd_crypto_policy_enabled | bool
|
||||
|
||||
- block:
|
||||
- name: Hardening sshd config
|
||||
@ -27,7 +27,7 @@
|
||||
notify: __sshd_restart
|
||||
when: __sshd_register_moduli.stdout
|
||||
|
||||
- name: Create SSH Usergroup
|
||||
- name: Create SSH usergroup
|
||||
group:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
@ -40,8 +40,6 @@
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
when:
|
||||
- sshd_disable_crypto_policy | bool
|
||||
- ('crypto-policies' in ansible_facts.packages)
|
||||
when: 'crypto-policies' in ansible_facts.packages
|
||||
become: True
|
||||
become_user: root
|
||||
|
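Review bot: The `when: 'crypto-policies' in ansible_facts.packages` line in the last hunk of this file starts its value with a quote, so YAML reads `'crypto-policies'` as a complete single-quoted scalar and rejects the text that follows. The whole expression has to be quoted: `when: "'crypto-policies' in ansible_facts.packages"`. The task also no longer checks the policy switch, while `Gather package facts` in the first hunk runs only `when: not sshd_crypto_policy_enabled | bool`. With the default of `True`, `ansible_facts.packages` therefore looks to be undefined when this condition is evaluated, unless the facts are gathered elsewhere. Dropping the `when` from `Gather package facts`, or testing against `(ansible_facts.packages | default({}))`, would keep the two in step; the task's header is outside the hunk, so the file it writes is not visible here.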
@ -31,7 +31,7 @@ HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
# Ciphers and keying
|
||||
#RekeyLimit default none
|
||||
|
||||
{% if not sshd_disable_crypto_policy | bool %}
|
||||
{% if sshd_crypto_policy_enabled | bool %}
|
||||
# This system is following system-wide crypto policy. The changes to
|
||||
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
|
||||
# They will be overridden by command-line options passed to the server
|
||||
|
@ -14,7 +14,8 @@
|
||||
|
||||
SSH_USE_STRONG_RNG=0
|
||||
# SSH_USE_STRONG_RNG=1
|
||||
{% if not sshd_crypto_policy_enabled | bool %}
|
||||
|
||||
# System-wide crypto policy:
|
||||
# To opt-out, uncomment the following line
|
||||
# Disable system-wide crypto policy
|
||||
CRYPTO_POLICY=
|
||||
{% endif %}
|
||||
|
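Review bot: The `{% if not sshd_crypto_policy_enabled | bool %}` block writes an empty `CRYPTO_POLICY=`, but the rendered comment does not say what that costs. Once the variable is empty, sshd gets no algorithm options from the system policy, so whatever sshd_config sets for `Ciphers`, `MACs` and the like is the only restriction left. I would spell that out in the rendered file, e.g. `# System-wide crypto policy disabled by this role; algorithms come from sshd_config only.` As far as I know this opt-out only works where the sshd unit passes `$CRYPTO_POLICY` on the command line; releases that apply the policy through an include under `/etc/ssh/sshd_config.d/` would ignore it. The role documentation should say so and recommend checking the effective algorithms with `sshd -T` after deployment.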