foo.sh/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sshd: Disable CentOS 8+ crypto policies for sshd

Browse source
This commit is contained in:
Timo Makinen 2021-03-17 05:17:53 +00:00
parent 6858706c0b
commit 282fbcb932
1 changed files with 11 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

11
roles/sshd/tasks/main.yml
View file

@ -1,11 +1,22 @@
--- ---
# based on mozilla recommended settings # based on mozilla recommended settings
# https://infosec.mozilla.org/guidelines/openssh.html # https://infosec.mozilla.org/guidelines/openssh.html
# #
# * prefer aes over chacha for hardware acceleration # * prefer aes over chacha for hardware acceleration
# * use only ed25519 host key # * use only ed25519 host key
# #
- name: disable default crypto policy
lineinfile:
path: /etc/sysconfig/sshd
regexp: '^(#\s+)?CRYPTO_POLICY='
line: "CRYPTO_POLICY="
notify: restart sshd
when:
- ansible_distribution == "CentOS"
- ansible_distribution_version is version_compare("8", ">=")
- name: tighten ssh kex algorithm - name: tighten ssh kex algorithm
lineinfile: lineinfile: