fix: fix crypto policy integration
Some checks failed
continuous-integration/drone/push Build is failing

Robert Kaussow 2022-09-18 22:21:56 +02:00
parent 62392d5ac9
commit da88ca9ce1
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
4 changed files with 8 additions and 9 deletions


@ -43,7 +43,7 @@ sshd_max_sessions: 10
sshd_tcp_keep_alive: "yes"
sshd_use_dns: "no"
sshd_disable_crypto_policy: False
sshd_crypto_policy_enabled: True
# @var sshd_challenge_response_authentication:description: >
# If you disable password auth you should disable ChallengeResponseAuth also.
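Review bot: Replacing `sshd_disable_crypto_policy` with `sshd_crypto_policy_enabled` leaves the old name silently ignored, so an inventory that still sets `sshd_disable_crypto_policy: True` falls back to the new default `True` and gets the system-wide crypto policy applied again without any error. The sshd_config template comment in this commit says cipher and MAC settings have no effect while the policy is active, so such a host would quietly lose its intended crypto settings. Either derive the default from the old variable for a transition period, `sshd_crypto_policy_enabled: "{{ not (sshd_disable_crypto_policy | default(False) | bool) }}"`, or add an `assert` task that fails with a clear message when `sshd_disable_crypto_policy` is still defined.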


@ -2,7 +2,7 @@
- name: Gather package facts
package_facts:
check_mode: False
when: sshd_disable_crypto_policy | bool
when: not sshd_crypto_policy_enabled | bool
- block:
- name: Hardening sshd config
@ -27,7 +27,7 @@
notify: __sshd_restart
when: __sshd_register_moduli.stdout
- name: Create SSH Usergroup
- name: Create SSH usergroup
group:
name: "{{ item }}"
state: present
@ -40,8 +40,6 @@
owner: root
group: root
mode: 0640
when:
- sshd_disable_crypto_policy | bool
- ('crypto-policies' in ansible_facts.packages)
when: 'crypto-policies' in ansible_facts.packages
become: True
become_user: root
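Review bot: The new condition `when: 'crypto-policies' in ansible_facts.packages` in the last hunk is not valid YAML. A value that starts with a single quote is read as a quoted scalar ending at the second quote, so the trailing ` in ansible_facts.packages` is a parse error; the removed list form avoided this with parentheses. Quote the whole expression instead: `when: "'crypto-policies' in ansible_facts.packages"`. Separately, `Gather package facts` in the first hunk still runs only when `not sshd_crypto_policy_enabled | bool`, while this task now evaluates `ansible_facts.packages` on every run. With the default `sshd_crypto_policy_enabled: True` that key is presumably undefined unless package facts are gathered elsewhere, so dropping the `when` from the fact-gathering task would cover it; the task whose `when` changes begins above the hunk.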


@ -31,7 +31,7 @@ HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
{% if not sshd_disable_crypto_policy | bool %}
{% if sshd_crypto_policy_enabled | bool %}
# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
# They will be overridden by command-line options passed to the server


@ -14,7 +14,8 @@
SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1
{% if not sshd_crypto_policy_enabled | bool %}
# System-wide crypto policy:
# To opt-out, uncomment the following line
# Disable system-wide crypto policy
CRYPTO_POLICY=
{% endif %}
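Review bot: The rendered comment `# Disable system-wide crypto policy` does not tell an administrator reading the deployed file that the empty assignment is intentional and is what performs the opt-out. Something like `# Empty value opts sshd out of the system-wide crypto policy; do not remove` would make that explicit. This file presumably only affects sshd where the service passes `CRYPTO_POLICY` from this environment file on its command line, as the sshd_config comment in this commit suggests. On platforms that load the policy another way the opt-out would likely not take effect, so it is worth confirming the effective Ciphers, MACs and KexAlgorithms with `sshd -T` after a run with `sshd_crypto_policy_enabled: False`.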