source: main/waeup-ansible/roles/openssh/tasks/main.yml @ 13994

---
# tasks to enable secure OpenSSH server config
- name: "sshd_config - disable weak keys"
  lineinfile:
    dest=/etc/ssh/sshd_config
    backrefs=yes
    line={{ item.line }}
    regexp={{ item.regexp }}
  with_items:
    - { regexp: '^HostKey /etc/ssh/ssh_host_dsa_key',
        line: '# HostKey /etc/ssh/ssh_host_dsa_key' }
    - { regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key',
        line: '# HostKey /etc/ssh/ssh_host_ecdsa_key' }
  notify: "restart sshd"

- name: "sshd_config - set key bits to 4096"
  lineinfile:
    dest=/etc/ssh/sshd_config
    backrefs=yes
    line='ServerKeyBits 4096'
    regexp='^ServerKeyBits 1024'
    state=present
  notify: "restart sshd"

- name: "sshd_config - set secure ciphers from bettercrypto.org"
  lineinfile:
    dest=/etc/ssh/sshd_config
    line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'
    state=present
  notify: "restart sshd"

- name: "sshd_config - set secure MACs from bettercrypto.org"
  lineinfile:
    dest=/etc/ssh/sshd_config
    line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
    state=present
  notify: "restart sshd"

- name: "sshd_config - set secure kex algos from bettercrypto.org"
  lineinfile:
    dest=/etc/ssh/sshd_config
    line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
    state=present
  notify: "restart sshd"

- name: "remove short moduli (<2048 bits) from /etc/ssh/moduli"
  replace:
    dest=/etc/ssh/moduli
    regexp='^([0-9]+\s){4}(1[0-9]{3}\s)'
  notify: "restart sshd"