@@ -45,68 +45,34 @@ CheckHostIP yes
4545# Always ask before adding keys to the `known_hosts` file. Do not set to `yes`.
4646StrictHostKeyChecking ask
4747
48+
4849# **Ciphers** -- If your clients don't support CTR (eg older versions), cbc will be added
4950# CBC: is true if you want to connect with OpenSSL-base libraries
5051# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
5152# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
5253#
53- {% if ssh_client_cbc_required -%}
54- {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' ) or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) or (ansible_os_family in ['Oracle Linux' , 'RedHat' ] and ansible_distribution_major_version >= '7' ) or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11' ) -%}
55- Ciphers {{ ssh_ciphers_66_weak | join(',') }}
56- {% else -%}
57- Ciphers {{ ssh_ciphers_53_weak | join(',') }}
58- {% endif %}
59- {% else -%}
60- {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' ) or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) or (ansible_os_family in ['Oracle Linux' , 'RedHat' ] and ansible_distribution_major_version >= '7' ) or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11' ) -%}
61- Ciphers {{ ssh_ciphers_66_default | join(',') }}
62- {% else -%}
63- Ciphers {{ ssh_ciphers_53_default | join(',') }}
64- {% endif %}
65- {% endif %}
54+
55+ {# This outputs "Ciphers <list-of-ciphers>" if ssh_ciphers is defined or "#Ciphers" if ssh_ciphers is undefined #}
56+ {{ "Ciphers "+ssh_ciphers| join(',') if ssh_ciphers else "Ciphers"|comment }}
6657
6758# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
6859# Weak HMAC is sometimes required if older package versions are used
6960# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
7061#
71- {% if ssh_client_weak_hmac -%}
72- {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' ) or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) or (ansible_os_family in ['Oracle Linux' , 'RedHat' ] and ansible_distribution_major_version >= '7' ) or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11' ) -%}
73- MACs {{ ssh_macs_66_weak | join(',') }}
74- {% elif ansible_os_family in ['Oracle Linux' , 'RedHat' ] and ansible_distribution_major_version <= '6' -%}
75- MACs {{ ssh_macs_53_default | join(',') }}
76- {% endif %}
77- {% else -%}
78- {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' ) or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) or (ansible_os_family in ['Oracle Linux' , 'RedHat' ] and ansible_distribution_major_version >= '7' ) or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11' ) -%}
79- MACs {{ ssh_macs_66_default | join(',') }}
80- {% elif ansible_os_family in ['Oracle Linux' , 'RedHat' ] and ansible_distribution_major_version <= '6' -%}
81- MACs {{ ssh_macs_53_default | join(',') }}
82- {% else -%}
83- MACs {{ ssh_macs_59_default | join(',') }}
84- {% endif %}
85- {% endif %}
62+
63+ {# This outputs "MACs <list-of-macs>" if ssh_macs is defined or "#MACs" if ssh_macs is undefined #}
64+ {{ "MACs "+ssh_macs| join(',') if ssh_macs else "MACs"|comment }}
8665
8766# Alternative setting, if OpenSSH version is below v5.9
8867#MACs hmac-ripemd160
8968
9069# **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary
9170# Weak kex is sometimes required if older package versions are used
9271# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
93- #
94- {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' ) or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8' ) or (ansible_os_family in ['Oracle Linux' , 'RedHat' ] and ansible_distribution_major_version >= '7' ) or (ansible_distribution == 'FreeBSD' and ansible_distribution_version >= '11' ) -%}
95- {% if ssh_client_weak_kex -%}
96- KexAlgorithms {{ ssh_kex_66_weak | join(',') }}
97- {% else -%}
98- KexAlgorithms {{ ssh_kex_66_default | join(',') }}
99- {% endif %}
100- {% else -%}
101- {% if ansible_os_family in ['Oracle Linux' , 'RedHat' ] and ansible_distribution_major_version <= '6' -%}
102- #KexAlgorithms
103- {% elif ssh_client_weak_kex -%}
104- KexAlgorithms {{ ssh_kex_59_weak | join(',') }}
105- {% else -%}
106- KexAlgorithms {{ ssh_kex_59_default | join(',') }}
107- {% endif %}
108- {% endif %}
72+ # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
10973
74+ {# This outputs "KexAlgorithms <list-of-algos>" if ssh_kex is defined or "#KexAlgorithms" if ssh_kex is undefined #}
75+ {{ "KexAlgorithms "+ssh_kex| join(',') if ssh_kex else "KexAlgorithms"|comment }}
11076
11177# Disable agent forwarding, since local agent could be accessed through forwarded connection.
11278ForwardAgent no
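Review bot: The truth test `if ssh_ciphers` on the new Ciphers line does not match the "if ssh_ciphers is undefined" case its comment documents: under Ansible's default strict handling of undefined variables, evaluating an undefined name in a conditional raises an error rather than yielding false, so the commented-out fallback is, as far as I can tell, reached only for a defined-but-empty list. The idiomatic guard is an explicit defined test, e.g. `{{ "Ciphers "+ssh_ciphers|join(',') if ssh_ciphers is defined and ssh_ciphers else "Ciphers"|comment }}`, and the same applies to the new MACs and KexAlgorithms lines. Note also that the fallback now leaves the client on OpenSSH's built-in algorithm lists, whereas the removed per-distribution branches always emitted an explicit list; if that is intended, the comment should say so, and a task-level assert that the three lists are non-empty would keep an empty inventory value from silently dropping the hardening. The `comment` filter's default plain style also appears to wrap the text in separate leading and trailing `#` lines rather than emitting a bare `#Ciphers`, so the comment text overstates the exact output.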