dev-sec · rndmh3ro · Jul 9, 2020 · Jul 8, 2020 · Jul 9, 2020 · Jul 9, 2020
diff --git a/tasks/crypto.yml b/tasks/crypto.yml
diff --git a/tasks/crypto_ciphers.yml b/tasks/crypto_ciphers.yml
@@ -0,0 +1,10 @@
+---
+- name: set ciphers according to openssh-version if openssh >= 5.3
+  set_fact:
+    ssh_ciphers: '{{ ssh_ciphers_53_default }}'
+  when: sshd_version is version('5.3', '>=')
+
+- name: set ciphers according to openssh-version if openssh >= 6.6
+  set_fact:
+    ssh_ciphers: '{{ ssh_ciphers_66_default }}'
+  when: sshd_version is version('6.6', '>=')
diff --git a/tasks/crypto_hostkeys.yml b/tasks/crypto_hostkeys.yml
@@ -0,0 +1,15 @@
+---
+- name: set hostkeys according to openssh-version if openssh >= 5.3
+  set_fact:
+    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
+  when: sshd_version is version('5.3', '>=')
+
+- name: set hostkeys according to openssh-version if openssh >= 6.0
+  set_fact:
+    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
+  when: sshd_version is version('6.0', '>=')
+
+- name: set hostkeys according to openssh-version if openssh >= 6.3
+  set_fact:
+    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
+  when: sshd_version is version('6.3', '>=')
diff --git a/tasks/crypto_kex.yml b/tasks/crypto_kex.yml
@@ -0,0 +1,15 @@
+---
+- name: set kex according to openssh-version if openssh >= 5.9
+  set_fact:
+    ssh_kex: '{{ ssh_kex_59_default }}'
+  when: sshd_version is version('5.9', '>=')
+
+- name: set kex according to openssh-version if openssh >= 6.6
+  set_fact:
+    ssh_kex: '{{ ssh_kex_66_default }}'
+  when: sshd_version is version('6.6', '>=')
+
+- name: set kex according to openssh-version if openssh >= 8.0
+  set_fact:
+    ssh_kex: '{{ ssh_kex_80_default }}'
+  when: sshd_version is version('8.0', '>=')
diff --git a/tasks/crypto_macs.yml b/tasks/crypto_macs.yml
@@ -0,0 +1,27 @@
+---
+- name: set macs according to openssh-version if openssh >= 5.3
+  set_fact:
+    ssh_macs: '{{ ssh_macs_53_default }}'
+  when: sshd_version is version('5.3', '>=')
+
+- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports)
+  set_fact:
+    ssh_macs: '{{ ssh_macs_53_el_6_5_default }}'
+  when:
+    - ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
+    - ansible_facts.distribution_version is version('6.5', '>=')
+
+- name: set macs according to openssh-version if openssh >= 5.9
+  set_fact:
+    ssh_macs: '{{ ssh_macs_59_default }}'
+  when: sshd_version is version('5.9', '>=')
+
+- name: set macs according to openssh-version if openssh >= 6.6
+  set_fact:
+    ssh_macs: '{{ ssh_macs_66_default }}'
+  when: sshd_version is version('6.6', '>=')
+
+- name: set macs according to openssh-version if openssh >= 7.6
+  set_fact:
+    ssh_macs: '{{ ssh_macs_76_default }}'
+  when: sshd_version is version('7.6', '>=')
diff --git a/tasks/hardening.yml b/tasks/hardening.yml
@@ -17,8 +17,21 @@
   set_fact:
     sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
 
-- name: include tasks to create crypto-vars
-  include_tasks: crypto.yml
+- name: set default for ssh_host_key_files if not supplied
+  include_tasks: crypto_hostkeys.yml
+  when: not ssh_host_key_files
+
+- name: set default for ssh_macs if not supplied
+  include_tasks: crypto_macs.yml
+  when: not ssh_macs
+
+- name: set default for ssh_ciphers if not supplied
+  include_tasks: crypto_ciphers.yml
+  when: not ssh_ciphers
+
+- name: set default for ssh_kex if not supplied
+  include_tasks: crypto_kex.yml
+  when: not ssh_kex
 
 - name: create revoked_keys and set permissions to root/600
   template: