From 75ad2e61ebe95790181e84e4e97b0e620c1875c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Fri, 23 May 2025 15:29:38 +0200
Subject: [PATCH] feat: explicitly configure crypto policy to disable weak
 ciphers and kex algorithms in SSH

---
 tasks/configure_crypto_policy.yml | 15 +++++++++++++++
 tasks/main.yml                    |  5 +++++
 2 files changed, 20 insertions(+)
 create mode 100644 tasks/configure_crypto_policy.yml

diff --git a/tasks/configure_crypto_policy.yml b/tasks/configure_crypto_policy.yml
new file mode 100644
index 0000000..2e96bf6
--- /dev/null
+++ b/tasks/configure_crypto_policy.yml
@@ -0,0 +1,15 @@
+---
+- name: Get crypto policy.
+  ansible.builtin.command:
+    cmd: "/usr/bin/update-crypto-policies --show"
+  register: crypto_policy
+  changed_when: false
+
+- name: Set crypto policy.
+  ansible.builtin.command:
+    cmd: "/usr/bin/update-crypto-policies --set FUTURE"
+  when: "'FUTURE' in crypto_policy.stdout"
+  notify:
+    - "restart sshd"
+    # The best soluion would be to reboot the server, but we won't do that for availability.
+  changed_when: false
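Review bot: The `when` on the "Set crypto policy." task is inverted: `'FUTURE' in crypto_policy.stdout` makes `--set FUTURE` run only on hosts that are already at FUTURE, so a host sitting at DEFAULT is never changed; it should read `when: "'FUTURE' not in crypto_policy.stdout"`. The `changed_when: false` on that same task then reports the change as a no-op, and because handlers fire only for tasks that report changed, the `restart sshd` notification never runs and sshd keeps its old cipher/kex set until the next reboot; drop that line (or set `changed_when: true`) so the restart is actually triggered. The substring test is still a sensible choice once negated, since `--show` may print a subpolicy suffix after the base policy name on hosts where one is active. The typo in the inline comment (`soluion`) could be fixed in the same pass.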
diff --git a/tasks/main.yml b/tasks/main.yml
index 7afeceb..6267bec 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -28,6 +28,11 @@
   ansible.builtin.import_tasks: "configure_ssh_hardening.yml"
   tags: [ssh]
 
+- name: Configure crypto policy. Settings in /etc/ssh/sshd_config keep getting overwritten if the crypto policy remains at Default.
+  ansible.builtin.import_tasks: "configure_crypto_policy.yml"
+  when: ansible_os_family == "RedHat"   # Debian doesn't use crypto-policy
+  tags: [ssh, cryptopolicy, crypto-policy, crypto_policy, cipher, kex]
+
 - name: configure fail2ban
   ansible.builtin.import_tasks: "configure_fail2ban.yml"
   tags: [fail2ban, ssh]
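Review bot: The rationale for the new import is embedded in the task `name`, which is printed as a headline on every run; keep the name short and move the explanation to a comment above the task, e.g. `# sshd_config cipher/kex settings are overwritten while the crypto policy stays at DEFAULT.` followed by `- name: Configure crypto policy.`. The tag list spells the same concept three ways (`cryptopolicy`, `crypto-policy`, `crypto_policy`) — one is enough unless existing callers already rely on the others. The `ansible_os_family == "RedHat"` guard also admits any RedHat-family release that lacks `update-crypto-policies`, if the role targets such hosts; worth confirming against the role's supported platform list.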
-- 
GitLab