feat: explicitely configure crypto policy to disable weak ciphers and kex algorithms in SSH

75ad2e61 · Jörg Sachse · bc6e9d8e · 75ad2e61 · 75ad2e61
Verified Commit 75ad2e61 authored 4 weeks ago by Jörg Sachse
--- a/tasks/configure_crypto_policy.yml
+++ b/tasks/configure_crypto_policy.yml
+---
+- name: Get crypto policy.
+  ansible.builtin.command:
+    cmd: "/usr/bin/update-crypto-policies --show"
+  register: crypto_policy
+  changed_when: false
+- name: Set crypto policy.
+  ansible.builtin.command:
+    cmd: "/usr/bin/update-crypto-policies --set FUTURE"
+  when: "'FUTURE' in crypto_policy.stdout"
+  notify:
+    - "restart sshd"
+    # The best soluion would be to reboot the server, but we won't do that for availability.
+  changed_when: false
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -28,6 +28,11 @@
  ansible.builtin.import_tasks: "configure_ssh_hardening.yml"
  tags: [ssh]
+- name: Configure crypto policy. Settings in /etc/ssh/sshd_config keep getting overwritten if the crypto policy remains at Default.
+  ansible.builtin.import_tasks: "configure_crypto_policy.yml"
+  when: ansible_os_family == "RedHat"   # Debian doesn't use crypto-policy
+  tags: [ssh, cryptopolicy, crypto-policy, crypto_policy, cipher, kex]
 - name: configure fail2ban
  ansible.builtin.import_tasks: "configure_fail2ban.yml"
  tags: [fail2ban, ssh]