From: Fernando Date: Fri, 12 Sep 2025 16:01:36 +0000 (-0600) Subject: Add an extra module to disable SHA1 MACs on ssh config and mitigate a vulnerability. X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F787%2Fhead;p=ceph-cm-ansible.git Add an extra module to disable SHA1 MACs on ssh config and mitigate a vulnerability. Signed-off-by: Fernando
---
diff --git a/roles/public_facing/tasks/main.yml b/roles/public_facing/tasks/main.yml
index 67639a9f..fecaf5b5 100644
--- a/roles/public_facing/tasks/main.yml
+++ b/roles/public_facing/tasks/main.yml
@@ -20,6 +20,17 @@
 line: "PasswordAuthentication no"
 state: present
 notify: restart sshd
+ tags: ssh_config
+
+- name: Remove SHA1 MACs from ssh config
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^MACs"
+ line: "MACs hmac-sha2-512,hmac-sha2-256"
+ insertafter: EOF
+ state: present
+ notify: restart sshd
+ tags: ssh_config
 ## Individual host tasks
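Review bot: The new `Remove SHA1 MACs from ssh config` task appends the `MACs` line at EOF when no existing line matches `^MACs`, and nothing checks the resulting file before the `restart sshd` handler runs. If sshd_config ends with a `Match` block, the appended line lands inside it, where sshd does not accept `MACs`, so the restart can fail and leave a public-facing host without SSH. Adding `validate: "/usr/sbin/sshd -t -f %s"` (path adjusted per distro) makes lineinfile refuse a config that sshd rejects, and `insertbefore: "^Match"` with `firstmatch: true` in place of `insertafter: EOF` keeps the directive in the global section. sshd also uses the first value it reads for a keyword, so an earlier `MACs` line or an included drop-in file would still take precedence over this one. A comment naming the vulnerability being mitigated would let later readers judge whether the encrypt-then-MAC variants were left out of the list deliberately.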