fix: fix crypto policy integration

Robert Kaussow 2022-09-18 22:21:56 +02:00
parent 62392d5ac9
commit da88ca9ce1
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
4 changed files with 8 additions and 9 deletions


@ -43,7 +43,7 @@ sshd_max_sessions: 10
sshd_tcp_keep_alive: "yes" sshd_tcp_keep_alive: "yes"
sshd_use_dns: "no" sshd_use_dns: "no"
sshd_disable_crypto_policy: False sshd_crypto_policy_enabled: True
# @var sshd_challenge_response_authentication:description: > # @var sshd_challenge_response_authentication:description: >
# If you disable password auth you should disable ChallengeResponseAuth also. # If you disable password auth you should disable ChallengeResponseAuth also.
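Review bot: Renaming `sshd_disable_crypto_policy` to `sshd_crypto_policy_enabled` inverts the flag without any compatibility path, so an inventory that still sets `sshd_disable_crypto_policy: True` is silently ignored. Such a host would presumably go back to following the system-wide crypto policy rather than the settings the operator opted into. An early guard task would turn that into a visible failure, for example an `assert` with `that: sshd_disable_crypto_policy is not defined` and a `fail_msg` naming the new variable. The new default also has no `# @var` annotation, unlike the entry below it; a `# @var sshd_crypto_policy_enabled:description: >` comment stating that `True` leaves sshd on the system-wide crypto policy would document the changed polarity.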


@ -2,7 +2,7 @@
- name: Gather package facts - name: Gather package facts
package_facts: package_facts:
check_mode: False check_mode: False
when: sshd_disable_crypto_policy | bool when: not sshd_crypto_policy_enabled | bool
- block: - block:
- name: Hardening sshd config - name: Hardening sshd config
@ -27,7 +27,7 @@
notify: __sshd_restart notify: __sshd_restart
when: __sshd_register_moduli.stdout when: __sshd_register_moduli.stdout
- name: Create SSH Usergroup - name: Create SSH usergroup
group: group:
name: "{{ item }}" name: "{{ item }}"
state: present state: present
@ -40,8 +40,6 @@
owner: root owner: root
group: root group: root
mode: 0640 mode: 0640
when: when: 'crypto-policies' in ansible_facts.packages
- sshd_disable_crypto_policy | bool
- ('crypto-policies' in ansible_facts.packages)
become: True become: True
become_user: root become_user: root
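Review bot: The new condition `when: 'crypto-policies' in ansible_facts.packages` begins with a single quote, so YAML reads `'crypto-policies'` as a complete quoted scalar and the trailing ` in ansible_facts.packages` is a syntax error. The whole expression needs to be one string: `when: "'crypto-policies' in ansible_facts.packages"`. Separately, the `package_facts` task at the top of the file now runs only when `not sshd_crypto_policy_enabled | bool`, so with the default `True` the `ansible_facts.packages` key is presumably undefined when this condition is evaluated, unless facts are gathered elsewhere. Either gather package facts unconditionally or guard the lookup with `ansible_facts.packages | default({})`. The task this `when:` belongs to starts outside the hunk.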


@ -31,7 +31,7 @@ HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying # Ciphers and keying
#RekeyLimit default none #RekeyLimit default none
{% if not sshd_disable_crypto_policy | bool %} {% if sshd_crypto_policy_enabled | bool %}
# This system is following system-wide crypto policy. The changes to # This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect here. # crypto properties (Ciphers, MACs, ...) will not have any effect here.
# They will be overridden by command-line options passed to the server # They will be overridden by command-line options passed to the server


@ -14,7 +14,8 @@
SSH_USE_STRONG_RNG=0 SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1 # SSH_USE_STRONG_RNG=1
{% if not sshd_crypto_policy_enabled | bool %}
# System-wide crypto policy: # Disable system-wide crypto policy
# To opt-out, uncomment the following line
CRYPTO_POLICY= CRYPTO_POLICY=
{% endif %}