fix: use correct syntax to disable insecure HostKeyAlgorithms, KexAlgorithms and Ciphers

87702866 · Jörg Sachse · c15ae893 · 87702866
Commit 87702866 authored 3 years ago by Jörg Sachse
--- a/tasks/configure-ssh-hardening.yml
+++ b/tasks/configure-ssh-hardening.yml
@@ -50,12 +50,12 @@
      {{ "PasswordAuthentication no" if ansible_os_family == "Debian" else "PasswordAuthentication yes" }}
      # disable weak host key algorithm ssh-dss (Digital Signature Algorithm (DSA) / Digital Signature Standard (DSS))
      # NVT OID: 1.3.6.1.4.1.25623.1.0.117687
-      HostKeyAlgorithms -ssh-dss
+      HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
      # disable weak KEX algorithms
      # NVT OID: 1.3.6.1.4.1.25623.1.0.150713
-      KexAlgorithms -diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
+      KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org
      # disable weak Ciphers (crypto algorithms)
      # NVT OID: 1.3.6.1.4.1.25623.1.0.105611
-      Ciphers -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc
+      Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
  notify:
    - restart sshd