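---
# sshd hardening tasks: install the hardened sshd_config, strip weak DH groups
# from /etc/ssh/moduli, create the allow-groups and, when the system-wide
# crypto policy is not kept, disable CRYPTO_POLICY for sshd.
# Everything inside the block runs as root via the block-level `become`.

# Package facts are consumed only by the CRYPTO_POLICY task below, so they are
# gathered only when the crypto policy is being disabled.
# `check_mode: false` lets this read-only task run even under --check.
- name: Gather package facts
  package_facts:
  check_mode: false
  when: not sshd_crypto_policy_enabled | bool

- block:
    # The rendered config is syntax-checked with `sshd -t` before it replaces
    # the live file, so a broken template does not get deployed; the live file
    # is left untouched if validation fails. Mode is quoted so it stays the
    # literal octal string "0600" regardless of YAML version.
    - name: Hardening sshd config
      template:
        src: etc/ssh/sshd_config.j2
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0600"
        validate: '/usr/sbin/sshd -t -f %s'
      notify: __sshd_restart

    # Field 5 of /etc/ssh/moduli is the size column; stdout is non-empty when
    # any group is smaller than sshd_moduli_minimum. `| int` keeps the
    # threshold a plain number inside the awk program, so a malformed variable
    # value cannot change the shape of the command.
    - name: Check if /etc/ssh/moduli contains weak DH parameters
      shell: awk '$5 < {{ sshd_moduli_minimum | int }}' /etc/ssh/moduli
      register: __sshd_register_moduli
      changed_when: false
      check_mode: false

    # Rewrite moduli without the small groups. The new file replaces the
    # original only if it is readable and non-empty, so a failed awk run
    # cannot leave an empty moduli file behind; `|| true` keeps the task from
    # failing in that case.
    - name: Remove all small primes
      shell: >-
        awk '$5 >= {{ sshd_moduli_minimum | int }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
        [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ]
        && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
      notify: __sshd_restart
      when: __sshd_register_moduli.stdout

    - name: Create SSH usergroup
      group:
        name: "{{ item }}"
        state: present
      loop: "{{ sshd_allow_groups }}"

    # The conditional must be a quoted string: a plain value that starts with
    # a quote is not valid YAML. It is ANDed with the same guard used for
    # "Gather package facts", because ansible_facts.packages only exists when
    # that task ran; without the guard the `in` test would hit an undefined
    # variable whenever sshd_crypto_policy_enabled is true.
    - name: Disable SSH server CRYPTO_POLICY
      template:
        src: etc/sysconfig/sshd.j2
        dest: /etc/sysconfig/sshd
        owner: root
        group: root
        mode: "0640"
      when:
        - not sshd_crypto_policy_enabled | bool
        - "'crypto-policies' in ansible_facts.packages"
  become: true
  become_user: root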