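---
# file: roles/openssh-server/tasks/main.yml
#
# Installs openssh-server, detects the installed major.minor version and
# selects the KexAlgorithms variable that matches it, then renders
# /etc/ssh/revoked_keys and /etc/ssh/sshd_config.  Every task is tagged
# "ssh" so the role can be run in isolation.

- name: "install openssh-server"
  apt:
    name: openssh-server
    state: present
    install_recommends: false
  tags: ssh

- name: "gather the list of installed package"
  package_facts:
    manager: auto
  tags: ssh

# Extract "major.minor" from the Debian package version string with a regex
# rather than a fixed [2:5] slice: the slice assumes a one-digit major
# version and an epoch prefix ("1:8.4p1-5" -> "8.4"), and would yield "10."
# for a 10.x package, which the version test cannot compare.
- name: "get openssh-server version"
  set_fact:
    sshd_version: "{{ ansible_facts.packages['openssh-server'][0]['version'] | regex_search('[0-9]+[.][0-9]+') }}"
  tags: ssh

- name: "display current openssh version"
  debug:
    msg: "openssh-server version is {{ sshd_version }}"
  tags: ssh

# Versions newer than the last one this role's KexAlgorithms tables were
# verified against are rejected instead of silently getting no/unknown kex.
- name: "immediate fail for unsupported version of openssh"
  fail:
    msg: "Compatibility with target host is unsupported or not verified for this role."
  when: sshd_version is version('10.0', '>')
  tags: ssh

# The four ranges below are disjoint, so exactly one set_fact fires.
- name: "set kex for version < 8.0"
  set_fact:
    sshd_KexAlgorithms: "{{ sshd_kex_version_minimum_67 }}"
  when: sshd_version is version('8.0', '<')
  tags: ssh

- name: "set kex for version between 8.0 and 8.4"
  set_fact:
    sshd_KexAlgorithms: "{{ sshd_kex_version_80_to_84 }}"
  when:
    - sshd_version is version('8.0', '>=')
    - sshd_version is version('8.5', '<')
  tags: ssh

- name: "set kex for version between 8.5 and 9.9"
  set_fact:
    sshd_KexAlgorithms: "{{ sshd_kex_version_85_to_99 }}"
  when:
    - sshd_version is version('8.5', '>=')
    - sshd_version is version('10.0', '<')
  tags: ssh

# Lower bound is 10.0 (not 9.9) so that 9.9 does not match both this task
# and the previous one; anything above 10.0 has already failed above.
- name: "set kex for version 10.0"
  set_fact:
    sshd_KexAlgorithms: "{{ sshd_kex_version_100 }}"
  when: sshd_version is version('10.0', '>=')
  tags: ssh

# Only rendered when the caller supplies a revocation list; the file is
# root-only because sshd reads it as a trusted input.
- name: "/etc/ssh/revoked_keys"
  template:
    src: "revoked_keys.j2"
    dest: "/etc/ssh/revoked_keys"
    mode: "0600"
    owner: "root"
    group: "root"
    backup: true
  when: sshd_RevokedKeys_list is defined
  notify: restart sshd
  tags: ssh

# validate runs sshd in test mode (-T) against the rendered temp file (%s)
# before it replaces the live config, so a syntax error in the template
# cannot lock operators out on the next "restart sshd".
- name: "/etc/ssh/sshd_config"
  template:
    src: "opensshd.conf.j2"
    dest: "/etc/ssh/sshd_config"
    mode: "0600"
    owner: "root"
    group: "root"
    validate: "/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s"
    backup: true
  notify: restart sshd
  tags: ssh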