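---
# sshd hardening tasks. Variables expected from the role/caller:
#   sshd_moduli_minimum  - minimum DH group size in bits (integer)
#   sshd_allow_groups    - list of group names to create
#   sshd_port            - port(s) the rendered sshd_config listens on
# The __sshd_restart handler is defined outside this file.

- name: Gather package facts
  ansible.builtin.package_facts:
  # Read-only, so allowed in check mode; the crypto-policies task below
  # keys off ansible_facts.packages.
  check_mode: false

- name: Hardening sshd config
  ansible.builtin.template:
    src: etc/ssh/sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0600"
    # Syntax-check the rendered file before it replaces the live one. Without
    # this a bad template followed by the restart handler locks every
    # operator out of the host. Path assumes the usual /usr/sbin/sshd.
    validate: /usr/sbin/sshd -t -f %s
  notify: __sshd_restart

- name: Check if /etc/ssh/moduli contains weak DH parameters
  # Column 5 of /etc/ssh/moduli is the modulus size in bits; every line below
  # the minimum is printed, so non-empty stdout means weak groups exist.
  # `| int` ensures only an integer is spliced into the awk program (Ansible's
  # int filter yields 0 for an unparsable value, which then matches nothing -
  # assert sshd_moduli_minimum up front if that matters to you).
  # NOTE(review): awk exits non-zero if /etc/ssh/moduli is absent, which
  # fails this task on hosts that ship no moduli file.
  ansible.builtin.shell: awk '$5 < {{ sshd_moduli_minimum | int }}' /etc/ssh/moduli
  register: __sshd_register_moduli
  changed_when: false
  check_mode: false

- name: Remove all small primes
  # Rewrite the file with only the groups meeting the minimum and swap it in
  # only when the filtered copy is non-empty; otherwise the weak file is kept
  # (best effort, as before) so sshd is not left with an empty moduli file.
  # The script prints "replaced" or "kept" and changed status is derived from
  # that: the previous `changed_when: rc != 0` could never fire because the
  # trailing `|| true` forced rc to 0, so a moduli change never restarted sshd.
  # The replacement file takes its mode from the umask (0644 or stricter).
  ansible.builtin.shell: |-
    awk '$5 >= {{ sshd_moduli_minimum | int }}' /etc/ssh/moduli > /etc/ssh/moduli.new \
      && [ -s /etc/ssh/moduli.new ] \
      && mv /etc/ssh/moduli.new /etc/ssh/moduli \
      && echo replaced \
      || { rm -f /etc/ssh/moduli.new; echo kept; }
  # Separate register so the weak-check result above is not overwritten.
  register: __sshd_register_moduli_prune
  changed_when: "'replaced' in __sshd_register_moduli_prune.stdout"
  notify: __sshd_restart
  when: __sshd_register_moduli.stdout | length > 0

- name: Create SSH usergroup
  ansible.builtin.group:
    name: "{{ item }}"
    state: present
  loop: "{{ sshd_allow_groups }}"

- name: Configure SSH crypto policy usage
  # Only relevant where the crypto-policies package is installed (RHEL
  # family). /etc/sysconfig/sshd is presumably read by the sshd service unit
  # at start-up, so a change here needs the same restart as sshd_config.
  ansible.builtin.template:
    src: etc/sysconfig/sshd.j2
    dest: /etc/sysconfig/sshd
    owner: root
    group: root
    mode: "0640"
  notify: __sshd_restart
  when: ('crypto-policies' in ansible_facts.packages)

- name: Ensure seport matches sshd config
  # Label the configured port so SELinux lets sshd bind it after the restart;
  # otherwise a non-default sshd_port would also lock operators out. The
  # seport module needs the SELinux python bindings on the target host.
  community.general.seport:
    ports: "{{ sshd_port }}"
    proto: "tcp"
    setype: "ssh_port_t"
    state: "present"
  when:
    - ansible_selinux is defined
    - ansible_selinux.status == "enabled"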