Disable RSA for old SSH versions

closes #10

tasks/main.yml

@@ -41,14 +41,12 @@
 
 ####################
 
-- name: "Hostkeys: Disable (EC)DSA"
+- name: "Hostkeys: Disable (EC)DSA (and maybe RSA)"
   lineinfile:
     dest: "{{ ssh_hardening_sshd_config }}"
     regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
     state: absent
-  loop:
-    - dsa
-    - ecdsa
+  loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}"
   notify: Restart SSH
 
 

vars/os_ubuntu-14.yml

@@ -1,4 +0,0 @@
----
-ssh_hardening_hostkeys:
-  - ed25519
-

vars/ssh_6.6.yml

@@ -1,6 +1,9 @@
 # 6.6: Ubuntu 14
 # 7.2: Ubuntu 16
 
+ssh_hardening_hostkeys:
+  - ed25519
+
 ssh_hardening_opts:
   KexAlgorithms:
     - curve25519-sha256@libssh.org

vars/ssh_7.4.yml

@@ -1,6 +1,9 @@
 # 7.4: Debian 9
 # 7.4: RedHat/CentOS 7
 
+ssh_hardening_hostkeys:
+  - ed25519
+
 ssh_hardening_opts:
   KexAlgorithms:
     - curve25519-sha256

vars/ssh_8.2.yml

@@ -1,4 +1,4 @@
-# 8.2: Ubuntu 10
+# 8.2: Ubuntu 20.04
 # 8.4: Debian 11 & Suse 15.3
 # 8.6: Fedora 34 (no diff in *hardened policy* to 8.4)
 # 8.7: Fedora 35 (no diff in *hardened policy* to 8.4)