Merge pull request #99 from dev-sec/hostkey

Use different Hostkeys according to installed ssh version
dev-sec · Mar 9, 2017 · 44a7bbb · 44a7bbb
2 parents 4f67096 + 90ab775
commit 44a7bbb
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 11 deletions.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -66,10 +66,10 @@ platforms:
   driver:
     image: rndmh3ro/docker-debian8-ansible:latest
     platform: debian
-- name: debian9-ansible-latest
-  driver:
-    image: rndmh3ro/docker-debian9-ansible:latest
-    platform: debian
+#- name: debian9-ansible-latest
+#  driver:
+#    image: rndmh3ro/docker-debian9-ansible:latest
+#    platform: debian
 
 verifier:
   name: inspec
@@ -78,4 +78,4 @@ verifier:
     - https://github.com/dev-sec/ssh-baseline
 
 suites:
-- name: ssh
+- name: ssh
diff --git a/.travis.yml b/.travis.yml
@@ -42,10 +42,10 @@ env:
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
     init: /sbin/init
 
-  - distro: debian9
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+#  - distro: debian9
+#    version: latest
+#    init: /lib/systemd/systemd
+#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
 
 before_install:

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,6 +1,31 @@
 ---
-- name: add the OS specific variables
-  include_vars: "{{ ansible_os_family }}.yml"
+- name: Set OS dependent variables
+  include_vars: "{{ item }}"
+  with_first_found:
+   - "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml"
+   - "{{ ansible_distribution }}.yml"
+   - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
+   - "{{ ansible_os_family }}.yml"
+
+- name: get openssh-version
+  shell: ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g'
+  changed_when: false
+  register: sshd_version
+
+- name: set hostkeys according to openssh-version
+  set_fact:
+    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
+  when: sshd_version.stdout >= '5.3'
+
+- name: set hostkeys according to openssh-version
+  set_fact:
+    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
+  when: sshd_version.stdout >= '6.0'
+
+- name: set hostkeys according to openssh-version
+  set_fact:
+    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
+  when: sshd_version.stdout >= '6.3'
 
 - name: create sshd_config and set permissions to root/600
   template: src='opensshd.conf.j2' dest='/etc/ssh/sshd_config' mode=0600 owner=root group=root validate="/usr/sbin/sshd -T -f %s"