
Commit 9ed16bf

committed
Converts ssh ciphers and kex vars to lists
The vars represent information that is best understood as a list, and therefore should be stored as a list, and interpolated as a comma-separated string only at the presentation layer, when rendering the template. Storing the vars as lists is considerably more readable, which encourages a deeper understanding of this role, and of the SSH service in general.
1 parent d1c941f commit 9ed16bf

1 file changed

+49
-16
lines changed

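--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,22 +1,55 @@
 ssh_ps53: 'yes'
 ssh_ps59: 'sandbox'
 
-ssh_macs_53_default: 'hmac-ripemd160,hmac-sha1'
-ssh_macs_59_default: 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
-ssh_macs_59_weak: '{{ssh_macs_59_default + ",hmac-sha1"}}'
-ssh_macs_66_default: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
-ssh_macs_66_weak: '{{ssh_macs_66_default + ",hmac-sha1"}}'
-
-ssh_ciphers_53_default: 'aes256-ctr,aes192-ctr,aes128-ctr'
-ssh_ciphers_53_weak: '{{ssh_ciphers_53_default + ",aes256-cbc,aes192-cbc,aes128-cbc"}}'
-
-ssh_ciphers_66_default: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
-ssh_ciphers_66_weak: '{{ssh_ciphers_66_default + ",aes256-cbc,aes192-cbc,aes128-cbc"}}'
-
-ssh_kex_59_default: 'diffie-hellman-group-exchange-sha256'
-ssh_kex_59_weak: '{{ssh_kex_59_default + ",diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"}}'
-ssh_kex_66_default: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
-ssh_kex_66_weak: '{{ssh_kex_66_default + ",diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"}}'
+ssh_macs_53_default:
+- hmac-ripemd160
+- hmac-sha1
+
+ssh_macs_59_default:
+- hmac-sha2-512
+- hmac-sha2-256
+- hmac-ripemd160
+
+ssh_macs_59_weak: "{{ ssh_macs_59_default + ['hmac-sha1'] }}"
+
+ssh_macs_66_default:
+- hmac-sha2-512-etm@openssh.com
+- hmac-sha2-256-etm@openssh.com
+- hmac-ripemd160-etm@openssh.com
+- umac-128-etm@openssh.com
+- hmac-sha2-512
+- hmac-sha2-256
+- hmac-ripemd160
+
+ssh_macs_66_weak: "{{ ssh_macs_66_default + ['hmac-sha1'] }}"
+
+ssh_ciphers_53_default:
+- aes256-ctr
+- aes192-ctr
+- aes128-ctr
+
+ssh_ciphers_53_weak: "{{ ssh_ciphers_53_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"
+
+ssh_ciphers_66_default:
+- chacha20-poly1305@openssh.comi
+- aes256-gcm@openssh.com
+- aes128-gcm@openssh.com
+- aes256-ctr
+- aes192-ctr
+- aes128-ctr
+
+ssh_ciphers_66_weak: "{{ ssh_ciphers_66_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"
+
+ssh_kex_59_default:
+- diffie-hellman-group-exchange-sha256
+
+ssh_kex_59_weak: "{{ ssh_kex_59_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"
+
+ssh_kex_66_default:
+- curve25519-sha256@libssh.org
+- diffie-hellman-group-exchange-sha256
+
+ssh_kex_66_weak: "{{ ssh_kex_66_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"
 
 # directory where to store ssh_password policy
 ssh_custom_selinux_dir: '/etc/selinux/local-policies'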
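Review bot: New line 34 under ssh_ciphers_66_default reads `- chacha20-poly1305@openssh.comi`; the trailing `i` is a typo the removed string value did not have, and sshd rejects a Ciphers specification that names an algorithm it does not recognise, so any host rendered with the 6.6 cipher set would fail to restart the service after this change lands. It should be `- chacha20-poly1305@openssh.com`. Separately, this commit touches only vars/main.yml while the description says the comma-separated form is now produced at the presentation layer; unless the template is updated alongside (e.g. `{{ ssh_ciphers_66_default | join(',') }}`), the rendered sshd_config would presumably contain a Python list representation rather than a valid comma-separated spec, which sshd would likewise refuse. Running `sshd -t` against the rendered config in the role's tests would catch both failure modes before a restart.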
