From e7263e41e6b69ec518b957c5f364a488be332857 Mon Sep 17 00:00:00 2001
From: Fernando
Date: Fri, 12 Sep 2025 10:01:36 -0600
Subject: [PATCH] Add an extra module to disable SHA1 MACs on ssh config and mitigate a vulnerability.
Signed-off-by: Fernando
---
 roles/public_facing/tasks/main.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/roles/public_facing/tasks/main.yml b/roles/public_facing/tasks/main.yml
index 67639a9f..fecaf5b5 100644
--- a/roles/public_facing/tasks/main.yml
+++ b/roles/public_facing/tasks/main.yml
@@ -20,6 +20,17 @@
 line: "PasswordAuthentication no"
 state: present
 notify: restart sshd
+ tags: ssh_config
+
+- name: Remove SHA1 MACs from ssh config
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^MACs"
+ line: "MACs hmac-sha2-512,hmac-sha2-256"
+ insertafter: EOF
+ state: present
+ notify: restart sshd
+ tags: ssh_config
 ## Individual host tasks
--
2.47.3
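Review bot: `insertafter: EOF` in the new "Remove SHA1 MACs" task appends the `MACs` line after any trailing `Match` block in sshd_config, where `MACs` is not a permitted directive, so `sshd -t` rejects the file and the `restart sshd` handler fails on such hosts; anchor the insert in the global section instead (`insertbefore: "^Match"` with `firstmatch: true`, falling back to EOF when no `Match` exists) and add `validate: "/usr/sbin/sshd -t -f %s"` so lineinfile refuses to write a config sshd cannot load. On distributions whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, a `MACs` line in an included file wins (first value obtained is used), so this task may silently have no effect there — worth a check or at least a comment on the task. Consider listing the encrypt-then-MAC variants `hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com` ahead of the plain ones, as those are what OpenSSH prefers by default. Indentation is lost in this copy of the hunk, so I cannot confirm that `notify` and `tags` sit at task level rather than under `lineinfile:`, where they would be rejected as unsupported parameters.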