From 282fbcb932a4d4a060facdc82a09ea55134acdf5 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 17 Mar 2021 05:17:53 +0000
Subject: [PATCH] sshd: Disable CentOS 8+ crypto policies for sshd

---
 roles/sshd/tasks/main.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 521a831..aebd373 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -1,11 +1,22 @@
 ---
+
+
 # based on mozilla recommended settings
 # https://infosec.mozilla.org/guidelines/openssh.html
 #
 # * prefer aes over chacha for hardware acceleration
 # * use only ed25519 host key
 #
+- name: disable default crypto policy
+  lineinfile:
+    path: /etc/sysconfig/sshd
+    regexp: '^(#\s+)?CRYPTO_POLICY='
+    line: "CRYPTO_POLICY="
+  notify: restart sshd
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_version is version_compare("8", ">=")
 - name: tighten ssh kex algorithm
   lineinfile: