Add an extra module to disable SHA1 MACs on ssh config and mitigate a vulnerability.

author Fernando <fernando.alcocer.ochoa@ibm.com>

Fri, 12 Sep 2025 16:01:36 +0000 (10:01 -0600)

committer Fernando <fernando.alcocer.ochoa@ibm.com>

Fri, 12 Sep 2025 16:01:36 +0000 (10:01 -0600)
author Fernando <fernando.alcocer.ochoa@ibm.com>
Fri, 12 Sep 2025 16:01:36 +0000 (10:01 -0600)
committer Fernando <fernando.alcocer.ochoa@ibm.com>
Fri, 12 Sep 2025 16:01:36 +0000 (10:01 -0600)
diff --git a/roles/public_facing/tasks/main.yml b/roles/public_facing/tasks/main.yml

index 67639a9fe89a0ca238440e6cf85bbf846f91614f..fecaf5b5929714003faa39958bb4482157e4e01c 100644 (file)
--- a/roles/public_facing/tasks/main.yml
+++ b/roles/public_facing/tasks/main.yml
@@ -20,6 +20,17 @@
      line: "PasswordAuthentication no"
      state: present
    notify: restart sshd
+  tags: ssh_config
+
+- name: Remove SHA1 MACs from ssh config
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^MACs"
+    line: "MACs hmac-sha2-512,hmac-sha2-256"
+    insertafter: EOF
+    state: present
+  notify: restart sshd 
+  tags: ssh_config 
  
  ## Individual host tasks
author	Fernando <fernando.alcocer.ochoa@ibm.com>
	Fri, 12 Sep 2025 16:01:36 +0000 (10:01 -0600)
committer	Fernando <fernando.alcocer.ochoa@ibm.com>
	Fri, 12 Sep 2025 16:01:36 +0000 (10:01 -0600)