From 5de6b252cbf94674d63fd40282374e342babec86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Tue, 17 Dec 2024 16:29:16 +0100
Subject: [PATCH] fix: set empty CRYPTO_POLICY for sshd to make sure that SSH
 on RHEL respects the custom settings in sshd_config

---
 tasks/configure_ssh_hardening.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tasks/configure_ssh_hardening.yml b/tasks/configure_ssh_hardening.yml
index 780cff7..421c109 100644
--- a/tasks/configure_ssh_hardening.yml
+++ b/tasks/configure_ssh_hardening.yml
@@ -1,4 +1,16 @@
 ---
+# man update-crypto-policies for details
+- name: make sure that SSH on RHEL respects the custom settings in sshd_config
+  ansible.builtin.regex_replace:
+    path: "/etc/sysconfig/sshd"
+    regexp: "# CRYPTO_POLICY="
+    line: "CRYPTO_POLICY="
+  # Only RedHat has the `/etc/sysonfig/` directory structure, so don't run this
+  # on Debian machines.
+  when: ansible_os_family == "RedHat"
+  notify:
+    - restart sshd
+
 - name: Konfiguration für OpenSSH einspielen - gehärtete Config
   ansible.builtin.blockinfile:
     path: "/etc/ssh/sshd_config"
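Review bot: `ansible.builtin.regex_replace` on line 19 is not a module (regex_replace is a Jinja2 filter), so the play will fail to resolve the action; the `path`/`regexp`/`line` parameters used here are those of `ansible.builtin.lineinfile`, which should replace it. The regexp matches only the commented-out form, so on a host where `CRYPTO_POLICY=` is already uncommented or set to another value, lineinfile would append a second `CRYPTO_POLICY=` line at the end of the file rather than editing the existing one; anchoring it as `regexp: '^#?\s*CRYPTO_POLICY='` keeps the task idempotent and also overrides a non-empty value, which is what the commit needs for sshd to honour the ciphers and KEX set in sshd_config. The comment on line 23 misspells the directory as `/etc/sysonfig/` (the task itself uses `/etc/sysconfig/sshd`). Whether a `restart sshd` handler is defined in the role is not visible in this patch; the notify on line 27 only takes effect if it exists.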
@@ -56,6 +68,7 @@
       KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org
       # disable weak Ciphers (crypto algorithms)
       # NVT OID: 1.3.6.1.4.1.25623.1.0.105611
+      # NVT OID: 1.3.6.1.4.1.25623.1.0.105565
       # Also explicitely omit ChaCha ciphers for "Terrapin" (CVE-2023-48795)
       Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
       # Explicitely omit -ETM MACs for "Terrapin" (CVE-2023-48795)
-- 
GitLab