---
- name: 'Moduli: Check if "moduli.not-hardened" already exists'
  # Record whether the backup copy of the moduli file is already present;
  # the backup task that follows is conditioned on this result.
  register: ssh_hardening_moduli_backup_file
  stat:
    path: '{{ ssh_hardening_moduli_backup }}'
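- name: 'Moduli: Backup "moduli.not-hardened"'
  # Copy the moduli file once, preserving attributes (cp -a). The argv
  # form runs cp without a shell, so each templated path is passed as a
  # single argument even if it contains spaces or shell metacharacters.
  command:
    argv:
      - cp
      - '-a'
      - '{{ ssh_hardening_moduli }}'
      - '{{ ssh_hardening_moduli_backup }}'
  # Skip once the backup exists so repeated runs never overwrite the
  # pristine copy with an already-hardened file.
  when: not ssh_hardening_moduli_backup_file.stat.exists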
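- name: 'Moduli: Check for small Diffie-Hellman moduli'
  # Count entries whose size column is 1535 or 2047. The path comes from
  # the role variable so this check inspects the same file the backup task
  # copies, instead of a hard-coded /etc/ssh/moduli.
  command: "grep -c ' 1535 \\| 2047 ' {{ ssh_hardening_moduli }}"
  register: ssh_hardening_moduli_small
  changed_when: false
  # grep -c prints "0" and exits 1 when nothing matches; only rc 2 (file
  # unreadable, bad pattern) is a real error. This replaces `|| true`,
  # which also hid those errors and made the later removal skip silently.
  failed_when: ssh_hardening_moduli_small.rc > 1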
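- name: 'Moduli: Remove small Diffie-Hellman moduli'
  # Keep only entries whose size column (5th field) is >= 3071. The temp
  # file is created next to the target so the final mv is an atomic rename
  # on the same filesystem (sshd reads this file per connection), and the
  # role variable is used instead of a hard-coded /etc/ssh/moduli so the
  # file edited here is the one that was backed up.
  # NOTE(review): mktemp creates the temp file with a restrictive mode, so
  # after mv the moduli file no longer carries its original mode — confirm
  # this is acceptable or restore it with a follow-up file task.
  shell: >-
    TMPF=$(mktemp "{{ ssh_hardening_moduli }}.XXXXXX")
    && awk '$5 >= 3071' "{{ ssh_hardening_moduli }}" > "${TMPF}"
    && mv "${TMPF}" "{{ ssh_hardening_moduli }}"
  # Only rewrite the file when the check task actually found small moduli.
  when: ssh_hardening_moduli_small.stdout|int > 0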