99# ===================
1010
1111# Address family should always be limited to the active network configuration.
12- AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }}
12+ AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }}
1313# Restrict the following configuration to be limited to this Host.
1414{% for host in ssh_remote_hosts -%}
1515Host {{host}}
@@ -47,13 +47,13 @@ StrictHostKeyChecking ask
4747# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
4848#
4949{% if ssh_client_cbc_required -%}
50- {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) -%}
50+ {% if ( ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' ) or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) -%}
5151 Ciphers {{ ssh_ciphers_66_weak | join(',') }}
5252 {% else -%}
5353 Ciphers {{ ssh_ciphers_53_weak | join(',') }}
5454 {% endif %}
5555{% else -%}
56- {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) -%}
56+ {% if ( ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' ) or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) -%}
5757 Ciphers {{ ssh_ciphers_66_default | join(',') }}
5858 {% else -%}
5959 Ciphers {{ ssh_ciphers_53_default | join(',') }}
@@ -65,15 +65,15 @@ StrictHostKeyChecking ask
6565# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
6666#
6767{% if ssh_client_weak_hmac -%}
68- {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) -%}
68+ {% if ( ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' ) or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) -%}
6969 MACs {{ ssh_macs_66_weak | join(',') }}
7070 {% elif ansible_os_family in ['Oracle Linux' , 'RedHat' ] and ansible_distribution_major_version <= '6' -%}
7171 MACs {{ ssh_macs_53_default | join(',') }}
7272 {% else -%}
7373 MACs {{ ssh_macs_59_weak | join(',') }}
7474 {% endif %}
7575{% else -%}
76- {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) -%}
76+ {% if ( ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' ) or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) -%}
7777 MACs {{ ssh_macs_66_default | join(',') }}
7878 {% elif ansible_os_family in ['Oracle Linux' , 'RedHat' ] and ansible_distribution_major_version <= '6' -%}
7979 MACs {{ ssh_macs_53_default | join(',') }}
@@ -89,7 +89,7 @@ StrictHostKeyChecking ask
8989# Weak kex is sometimes required if older package versions are used
9090# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
9191#
92- {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) -%}
92+ {% if ( ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' ) or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) -%}
9393 {% if ssh_client_weak_kex -%}
9494 KexAlgorithms {{ ssh_kex_66_weak | join(',') }}
9595 {% else -%}
0 commit comments