Setting HostKeyAlgorithms with notify

delphix · Oct 26, 2023 · d1ddc6d · d1ddc6d
1 parent 3c2a766
commit d1ddc6d
Showing 1 changed file with 27 additions and 4 deletions.
diff --git a/...ar/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml b/...ar/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml
@@ -246,10 +246,6 @@
     - { key: "AllowStreamLocalForwarding", value: "no" }
     - { key: "AllowTcpForwarding", value: "no" }
     - { key: "X11Forwarding", value: "no" }
-    #
-    # Configure SSH to exclude the 'ssh-rsa' algorithm from HostKeyAlgorithms
-    #
-    - { key: "HostKeyAlgorithms", value: "-ssh-rsa*" }
 
 #
 # The CRA project mandated a 30 minute timeout for any idle connections.
@@ -363,6 +359,33 @@
   notify: "sshd config changed"
   when: grep_sshd_config_macs_to_remove.stdout == "0"
 
+#
+# Configure SSH to exclude the 'ssh-rsa' algorithm from HostKeyAlgorithms
+#
+# If the configuration is not present, add HostKeyAlgorithms "-ssh-rsa*",
+# and if HostKeyAlgorithms doesn't already have it, append "-ssh-rsa*"
+#
+- shell: grep -c -E "^HostKeyAlgorithms(\s+)" /etc/ssh/sshd_config || true
+  register: grep_hostkeyalgorithms_sshd_config
+
+- shell: grep -c -E "^HostKeyAlgorithms(\s+)(.*)-ssh-rsa\*" /etc/ssh/sshd_config || true
+  register: grep_hostkeyalgorithms_sshd_config_for_sshrsa
+
+- lineinfile:
+    path: /etc/ssh/sshd_config
+    backrefs: yes
+    regexp: '^HostKeyAlgorithms[\s]+-(.*)$'
+    line: 'HostKeyAlgorithms -\1,-ssh-rsa*'
+  notify: "sshd config changed"
+  when: grep_hostkeyalgorithms_sshd_config.stdout != "0" and grep_hostkeyalgorithms_sshd_config_for_sshrsa == "0"
+
+- lineinfile:
+    path: /etc/ssh/sshd_config
+    insertafter: EOF
+    line: "HostKeyAlgorithms -ssh-rsa*"
+  notify: "sshd config changed"
+  when: grep_hostkeyalgorithms_sshd_config.stdout == "0"
+
 #
 # Enable SNMP client tools to load MIBs by default.
 #