sshd: Disable CentOS 8+ crypto policies for sshd
parent
6858706c0b
commit
282fbcb932
1 changed files with 11 additions and 0 deletions
|
@ -1,11 +1,22 @@
|
|||
---
|
||||
|
||||
|
||||
|
||||
# based on mozilla recommended settings
|
||||
# https://infosec.mozilla.org/guidelines/openssh.html
|
||||
#
|
||||
# * prefer aes over chacha for hardware acceleration
|
||||
# * use only ed25519 host key
|
||||
#
|
||||
- name: disable default crypto policy
|
||||
lineinfile:
|
||||
path: /etc/sysconfig/sshd
|
||||
regexp: '^(#\s+)?CRYPTO_POLICY='
|
||||
line: "CRYPTO_POLICY="
|
||||
notify: restart sshd
|
||||
when:
|
||||
- ansible_distribution == "CentOS"
|
||||
- ansible_distribution_version is version_compare("8", ">=")
|
||||
|
||||
- name: tighten ssh kex algorithm
|
||||
lineinfile:
|
||||
|
|
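Review bot: The `when:` guard on the new "disable default crypto policy" task matches only `ansible_distribution == "CentOS"`, so RHEL and other EL8 rebuilds would keep the system-wide crypto policy; as far as I know that policy reaches sshd as command-line options on EL8, which take precedence over sshd_config, so the kex/cipher tasks that follow would silently have no effect on those hosts. Consider `ansible_os_family == "RedHat"` together with `ansible_distribution_major_version is version("8", ">=")` (`version` is the current name of the `version_compare` test). The open-ended `>=` also deserves a check on release 9, where the policy appears to be pulled in through an `Include` under `/etc/ssh/sshd_config.d/` rather than through `/etc/sysconfig/sshd`, in which case this line would not disable it. In the regexp, `#\s+` does not match a `#CRYPTO_POLICY=` line written without a space; `#\s*` covers both forms. The task list continues past the visible part of this section.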