This repository was archived by the owner on Dec 26, 2020. It is now read-only.

Commit 3035f7d

committed
Updates config templates to join list vars
The kex and cipher vars are now proper YAML lists, so use the "join" filter to render them as comma-separated strings, which ssh/sshd expects.
1 parent 9ed16bf commit 3035f7d


2 files changed

+31
-31
lines changed


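--- a/templates/openssh.conf.j2
+++ b/templates/openssh.conf.j2
@@ -48,15 +48,15 @@ StrictHostKeyChecking ask
 #
 {% if ssh_client_cbc_required -%}
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-Ciphers {{ssh_ciphers_66_weak}}
+Ciphers {{ ssh_ciphers_66_weak | join(',') }}
 {% else -%}
-Ciphers {{ssh_ciphers_53_weak}}
+Ciphers {{ ssh_ciphers_53_weak | join(',') }}
 {% endif %}
 {% else -%}
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-Ciphers {{ssh_ciphers_66_default}}
+Ciphers {{ ssh_ciphers_66_default | join(',') }}
 {% else -%}
-Ciphers {{ssh_ciphers_53_default}}
+Ciphers {{ ssh_ciphers_53_default | join(',') }}
 {% endif %}
 {% endif %}
 
@@ -66,23 +66,23 @@ StrictHostKeyChecking ask
 #
 {% if ssh_client_weak_hmac -%}
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-MACs {{ssh_macs_66_weak}}
+MACs {{ ssh_macs_66_weak | join(',') }}
 {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
-MACs {{ssh_macs_53_default}}
+MACs {{ ssh_macs_53_default | join(',') }}
 {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-MACs {{ssh_macs_53_default}}
+MACs {{ ssh_macs_53_default | join(',') }}
 {% else -%}
-MACs {{ssh_macs_59_weak}}
+MACs {{ ssh_macs_59_weak | join(',') }}
 {% endif %}
 {% else -%}
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-MACs {{ssh_macs_66_default}}
+MACs {{ ssh_macs_66_default | join(',') }}
 {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
-MACs {{ssh_macs_53_default}}
+MACs {{ ssh_macs_53_default | join(',') }}
 {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-MACs {{ssh_macs_53_default}}
+MACs {{ ssh_macs_53_default | join(',') }}
 {% else -%}
-MACs {{ssh_macs_59_default}}
+MACs {{ ssh_macs_59_default | join(',') }}
 {% endif %}
 {% endif %}
 
@@ -95,17 +95,17 @@ StrictHostKeyChecking ask
 #
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
 {% if ssh_client_weak_kex -%}
-KexAlgorithms {{ssh_kex_66_weak}}
+KexAlgorithms {{ ssh_kex_66_weak | join(',') }}
 {% else -%}
-KexAlgorithms {{ssh_kex_66_default}}
+KexAlgorithms {{ ssh_kex_66_default | join(',') }}
 {% endif %}
 {% else -%}
 {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
 #KexAlgorithms
 {% elif ssh_client_weak_kex -%}
-KexAlgorithms {{ssh_kex_59_weak}}
+KexAlgorithms {{ ssh_kex_59_weak | join(',') }}
 {% else -%}
-KexAlgorithms {{ssh_kex_59_default}}
+KexAlgorithms {{ ssh_kex_59_default | join(',') }}
 {% endif %}
 {% endif %}
 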
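Review bot: The conditions that choose which list gets joined compare version facts as strings, so `ansible_distribution_major_version <= '6'` in the MACs and KexAlgorithms blocks is also true for '10' and later. Assuming the fact is the string Ansible normally reports, a Debian 10 host would be rendered with `ssh_macs_53_default` and the commented-out `#KexAlgorithms` line instead of the 5.9 lists. Comparing numerically, e.g. `ansible_distribution_major_version | int <= 6`, and using the `version` test for `ansible_distribution_version`, avoids this. These are context lines the commit leaves unchanged, and the same conditions appear in templates/opensshd.conf.j2.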

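--- a/templates/opensshd.conf.j2
+++ b/templates/opensshd.conf.j2
@@ -52,15 +52,15 @@ LogLevel VERBOSE
 #
 {% if ssh_server_cbc_required -%}
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-Ciphers {{ssh_ciphers_66_weak}}
+Ciphers {{ ssh_ciphers_66_weak | join(',') }}
 {% else %}
-Ciphers {{ssh_ciphers_53_weak}}
+Ciphers {{ ssh_ciphers_53_weak | join(',') }}
 {% endif %}
 {% else -%}
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-Ciphers {{ssh_ciphers_66_default}}
+Ciphers {{ ssh_ciphers_66_default | join(',') }}
 {% else -%}
-Ciphers {{ssh_ciphers_53_default}}
+Ciphers {{ ssh_ciphers_53_default | join(',') }}
 {% endif %}
 {% endif %}
 
@@ -71,23 +71,23 @@ LogLevel VERBOSE
 
 {% if ssh_server_weak_hmac -%}
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-MACs {{ssh_macs_66_weak}}
+MACs {{ ssh_macs_66_weak | join(',') }}
 {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
-MACs {{ssh_macs_53_default}}
+MACs {{ ssh_macs_53_default | join(',') }}
 {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-MACs {{ssh_macs_53_default}}
+MACs {{ ssh_macs_53_default | join(',') }}
 {% else -%}
-MACs {{ssh_macs_59_weak}}
+MACs {{ ssh_macs_59_weak | join(',') }}
 {% endif %}
 {% else -%}
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
-MACs {{ssh_macs_66_default}}
+MACs {{ ssh_macs_66_default | join(',') }}
 {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
-MACs {{ssh_macs_53_default}}
+MACs {{ ssh_macs_53_default | join(',') }}
 {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-MACs {{ssh_macs_53_default}}
+MACs {{ ssh_macs_53_default | join(',') }}
 {% else -%}
-MACs {{ssh_macs_59_default}}
+MACs {{ ssh_macs_59_default | join(',') }}
 {% endif %}
 {% endif %}
 
@@ -100,15 +100,15 @@ LogLevel VERBOSE
 # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
 {% if ssh_client_weak_kex -%}
-KexAlgorithms {{ssh_kex_66_weak}}
+KexAlgorithms {{ ssh_kex_66_weak | join(',') }}
 {% else -%}
-KexAlgorithms {{ssh_kex_66_default}}
+KexAlgorithms {{ ssh_kex_66_default | join(',') }}
 {% endif %}
 {% else -%}
 {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
 #KexAlgorithms
 {% else -%}
-KexAlgorithms {{ssh_kex_59_default}}
+KexAlgorithms {{ ssh_kex_59_default | join(',') }}
 {% endif %}
 {% endif %}
 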
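Review bot: The server template's KexAlgorithms block is gated on `ssh_client_weak_kex`, whereas the Ciphers and MACs blocks in this file use `ssh_server_cbc_required` and `ssh_server_weak_hmac`. If that is a carry-over from the client template, enabling weak key exchange for outbound connections also makes sshd offer `ssh_kex_66_weak` on Ubuntu 14.04 and later. A server-side toggle should gate this block if the role defines one; otherwise a comment such as `{# intentionally shares the client kex toggle #}` would record the intent. Separately, `join(',')` applied to an inventory override that is still a comma-separated string would emit one character per item, so the rendered file is worth validating with `sshd -t` before the daemon is restarted.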
